On April 17, 2018, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen delivered a keynote address at the RSA Conference.  A copy of her prepared remarks is available here.  Secretary Nielsen’s remarks highlighted efforts by DHS to address the evolving cybersecurity threats to our country’s critical infrastructure.

Secretary Nielsen set the stage by describing the realities of the cyber threat landscape:  2017 was a landmark year in terms of cyberattack volume, with nearly half of all Americans having their sensitive personal information exposed online and ransomware attacks spreading to more than 150 countries.  The Secretary stated that cybercrime damages are estimated to reach $6 trillion annually^[1] by 2021, and suggested that the emergence of internet-connected devices could make us even more vulnerable to cyberattacks.

To address evolving cyber threats and more sophisticated threat actors, Secretary Nielsen posited a five part approach that DHS is taking to support a “more forward-leaning posture” in the cybersecurity area.  Those five approaches are summarized below:

Systemic Risk.  Secretary Nielsen stressed that “single points of failure, concentrated dependencies and cross-cutting underlying functions” can have cascading and unintended consequences across an entire sector.  Although she did not offer much detail, the Secretary noted that DHS is working with users, buyers, and tech manufacturers to identify and resolve unseen security gaps, including identifying companies in the supply chain whose risks may go unnoticed.  She also suggested that government contractors and technology companies have an active role to play in this process, such as helping to identify systemic risks and flagging unseen or newer ones.

Collective Defense.  Due to the hyper-connectivity of systems and assets throughout the country, the Secretary stated that industry plays an important role in securing cyberspace.  Secretary Nielsen highlighted DHS’ Automated Indicator Sharing (AIS) initiative, through which companies share cyber threat indicators (CTIs) with DHS (such as a malicious IP address), which then anonymizes the CTIs and shares them with other participants to the AIS initiative.  She also encouraged the creation of industry-specific initiatives, like the Financial Systemic Analysis and Resilience Center (FSARC).  FSARC is an Information Sharing and Analysis Center, which was started by multiple banks in 2016 as a way for industry stakeholders to work together to fight emerging cybersecurity threats.

Rethink the Federal Role.  Secretary Nielsen suggested that the federal government has a greater role to play in correcting cyber market failures through empowerment, rather than through regulation.  The Secretary described “empowerment” as a two-fold approach, one for each side of the market curve:  first, helping programmers and technologists build better defenses into their product designs to enable better supply-side security; second, educating consumers to be more security conscious in their preferences, so as to help drive demand-side security.  As the Secretary noted, “[w]hy sell a $30 cyber-secure pedometer for marathon runners when you can sell a basic version for $5?  And who wants to buy the $30 version?”  Secretary Nielsen believes that DHS has a role to play on both sides of the curve, specifically by raising public awareness of these very real cyber risks and by convincing consumers that the added costs for cyber protection are necessary.

Advanced Persistent Resilience.  Secretary Nielsen recognized that cyberattacks will continue to impact systems no matter the amount of preventative measures taken.  Thus, she explained the need for “advanced persistent resilience,” or the ability for systems and assets to continue to deliver intended outcomes even in the face of continued cyberattacks.  She cited the recent ransomware attack on the City of Atlanta as an example of what happens when governmental systems lack built-in redundancies—public services are either slowed or fully stopped.  She also highlighted the need to protect election infrastructure, and pointed to DHS’ efforts to build redundancies into the state, local, and private sector levels.

Cyber Deterrence.  Finally, Secretary Nielsen stressed the need to better deter illicit cyber behavior.  Equating cybersecurity with national security, she advocated that the United States cannot stand on the sidelines whenever networks are compromised or assets are modified or stolen by bad actors.  She stated that the United States will increasingly utilize its response options to call out, punish, and deter future cyber hostility.

In concluding her remarks, Secretary Nielsen appealed to the RSA conference attendees to work together with DHS in policing cyberspace to stay ahead of threats while not stifling innovation.  Her keynote address demonstrates the increasing need for government contractors to plan for cyberattacks, and the growing role they can play in assisting governmental actors in combating and responding to cyber threats.

_{[1] Secretary Nielsen’s prepared remarks cite to the following source here.}