DHS QHSR document assesses prevailing threats and challenges, as more work needs to be done

The U.S. Department of Homeland Security (DHS) released the latest version of its Quadrennial Homeland Security Review (QHSR) document, which is updated every four years as required by law. The document comes at a time when cyber threats have evolved and increased since the founding of the department. It also informs existing departmental processes for translating priorities into resources, including the DHS Strategic Plan and the annual budget development process.

“Nation-state threat actors are becoming increasingly sophisticated, targeting federal, state, and local government agencies, critical infrastructure companies, and others,” the QHSR document identified. “Likewise, cybercriminals have increased their malicious activities motivated by the significant profits they can make from using relatively accessible and affordable ransomware and malware tools. Today, almost anyone can become a hacker.”

The 92-page DHS QHSR document identifies that whether motivated by profit or ideology, cyber adversaries are willing to harm the American people by targeting businesses, schools, hospitals, police departments, state and local governments, and critical infrastructure. “There are also actors who have used ransomware during an unprecedented and ongoing global pandemic, disrupting hospitals dealing with surges of COVID-19 patients. We need only look at recent events, such as the SolarWinds supply chain compromise or the ransomware attacks affecting Colonial Pipeline, to see the impacts,” it added.

As commercial network technologies are woven increasingly into our businesses, personal lives, and federal as well as SLTT government functions to provide the most critical services upon which we depend, there remain cyber risks and vulnerabilities that leave networks and systems at risk of exploitation and disruption, the QHSR document said. 

The ransomware attack on Colonial Pipeline illustrated that the real-world impacts of software vulnerabilities are not hypothetical. The attack undermined confidence in and availability of fuel for thousands of Americans. These consequences are significant in their own right, but future disruptions could be more harmful, widespread, and long-lasting. The cascading effects mean cyber risks are becoming more complex and difficult to assess.

The intersection of these variables has placed the nation in a state of untenably high cybersecurity risk, with cyber incidents regularly disrupting our way of life. This heightened risk requires moving beyond individual actions and toward coordinated defensive actions and cybersecurity measures that are commensurate with national security, economic security, and public health and safety. 

The DHS QHSR document said that in furtherance of the National Cybersecurity Strategy released in March, DHS—through CISA, as the nation’s cyber defense agency and national coordinator for critical infrastructure security and resilience, as well as other components that include I&A, ICE, TSA, USCG, and USSS, and in tandem with the private sector and SLTT partners, as well as the Intelligence Community, the interagency, and law enforcement as part of a whole-of-government approach—must manage national cyber risk. 

“DHS will protect the American people by preventing and mitigating active threats. CISA collaborates with federal agencies and private industry to gain greater visibility into vulnerabilities and adversary activity occurring across government and critical infrastructure networks,” the DHS QHSR document added. 

CISA works to achieve visibility at scale by supporting the broader deployment of endpoint detection capabilities across federal agencies. CISA also works with private sector critical infrastructure entities through SRMA partnerships and partnerships like the Joint Cyber Defense Collaborative (JCDC) to share information about ongoing malicious campaigns and coordinate defensive efforts. This includes increasing threat-hunting and incident response capabilities, as well as the capacity for coordinating vulnerability disclosures and responses. 

It also added that CISA further conducts outreach in coordination with SRMAs to private sector critical infrastructure entities and establishes relationships to enhance an organization’s ability to respond to cyber incidents. “CISA provides products on insider threat mitigation, pathways to violence, and soft skills like employee vigilance to help build a proactive culture to identify and disrupt threats before they cause damage.”

The DHS QHSR document said that CISA and the FBI, through the Joint Ransomware Task Force (JRTF), will work with interagency, SLTT, and private sector partners to coordinate campaigns against transnational ransomware criminal groups. This will include providing support to private sector entities and SLTT communities to better protect themselves from ransomware.

The JRTF will also collect, share, and analyze ransomware trends to inform federal actions while facilitating coordination and collaboration between federal entities and the private sector to improve actions against the ransomware threat posed by transnational cybercriminal groups.

“DHS is using innovative and novel approaches to strengthen our nation’s resilience across critical infrastructure systems, including those that support National Critical Functions, with the goal that even if a natural disaster, physical security breach, or cyber incident occurs, the critical services remain functional,” according to the DHS QHSR document. “As the majority of the nation’s critical infrastructure is owned by the private sector, effective responses to threats demand close coordination between the public and private sectors.” 

The Administration has established new cybersecurity requirements in certain critical sectors, while in other sectors, new authorities will be required to set regulations that can drive better cybersecurity practices at scale. This Administration has conducted sector-specific engagement with industry to construct consistent, predictable regulatory frameworks for cybersecurity that focus on achieving security outcomes and enabling continuity of operations and functions while promoting collaboration and innovation. 

To build out cyber resilience more effectively across critical infrastructure and other stakeholders, DHS is investing in initiatives to enhance public-private collaboration. These innovative efforts include the Cybersecurity Advisory Committee for pre-event strategic planning, the JCDC for planning and real-time event coordination, and the Cyber Safety Review Board (CSRB) for after-action analysis. 

CISA will continue advancing national efforts to secure and protect against critical infrastructure risks, including implementing a national plan that recognizes both the expanding scale of terrorism and other threats and the emerging cybersecurity challenge of increasingly networked and internet-enabled infrastructure systems. The Department, in close partnership with SRMAs, has amplified its role as the coordinator of the national effort for critical infrastructure security and resilience. 

CISA is also developing a list of systemically important entities to focus on the most essential critical infrastructure, as well as reinvigorating the Federal Senior Leadership Council to further optimize this unified effort. These efforts will support security and resilience to all threats and hazards, not just cyber threats. 

As directed by the President’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, CISA has developed, in coordination with the National Institute of Standards and Technology (NIST), cross-sector Cybersecurity Performance Goals—voluntary best practices that outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber risks—to ensure the security of critical infrastructure and reduce escalating national cyber risk. 

DHS also leverages TSA’s authorities for the issuance of security directives to the pipeline and surface sectors, as well as security program amendments for the aviation sector, and USCG regulatory authorities for the marine transportation system.

For example, TSA security directives now require pipeline entities to take several mitigating measures, including having contingency plans in the event of an intrusion and conducting robust vulnerability testing that will lay foundations for more secure and resilient systems. These regulatory authorities, together with voluntary measures such as the July 2021 voluntary industrial control system cybersecurity performance goals developed in a partnership between CISA and NIST, are critical to enhancing security. 

In many cases, other departments and agencies have the authority, expertise, and capabilities to manage risks to key critical infrastructure sectors and certain National Critical Functions. DHS will redouble its efforts to deepen coordination, synchronization, harmonization, deconfliction, and coordination across the Federal Government.

This also includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enacting CIRCIA marks an important milestone in improving America’s cybersecurity. Among other improvements, CIRCIA authorized CISA to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.

The DHS QHSR document added that to build a secure and resilient future, “we must place responsibility on those within the digital ecosystem that are best positioned to reduce risk. This includes driving the manufacturers of technology to build their products secure by design and secure by default. This will take a whole-of-government and whole-of-economy approach.” 

At DHS, “we will reduce risk across the cyberspace ecosystem by supporting the development of secure software and technologies, driving cybersecurity innovations, cultivating a national cyber workforce, and supporting international partnerships and norms. Software vulnerabilities are at the heart of the national cybersecurity crisis,” the document added. 

The DHS QHSR document also disclosed that the agency is committed to developing a cybersecurity workforce with the size, skills, diversity, and training necessary to meet its mission, protect businesses and families, defend critical infrastructure, and forge a more secure future. This will not be easy – a 2021 study revealed that there was a 2.7 million cyber worker shortage worldwide in 2021, with over 700,000 of those open positions residing in the U.S.

At DHS, “we have been focused on recruiting, training, educating, and retaining top cyber talent across-the-board in the public, private, academic, and non-profit sectors. We are placing diversity, equity, inclusion, and accessibility at the center of our efforts because this is a challenge that affects all of us, and we need every perspective at the table,” the document added. 

In its conclusion, the DHS QHSR document said that over the next 20 years, the DHS missions are going to grow more complex as new threats emerge with increasing speed and even greater potential for harm. “Foreign adversaries are waging new kinds of war. They do so through trade and investment flows and through the rapidly evolving technologies that connect us. In our increasingly interconnected world, our work to reinforce our homeland security has never been more important to our national security,” it added.
