By Joseph Marks
Department of Homeland Security Secretary Kirstjen Nielsen testifies before a House Homeland Security Committee hearing. Joshua Roberts/Reuters
She said industry should follow government’s lead in not building products with technology from companies that might pose cybersecurity risks, such as Russia's Kaspersky and China's Huawei. Companies should also alert DHS about digital vulnerabilities, including those that would allow hackers to compromise public safety or steal vast amounts of computing power.
And most importantly, businesses should actively strategize with DHS about how to collectively respond to cyberattacks before they happen, Nielsen said during her annual State of Homeland Security address.
That’s a stark contrast to the past few years when government has saved its most intense contacts with industry for after digital assaults -- not before one actually happens.
“We’ve been through the ‘let’s partner.’ We’ve been through the ‘let’s share information,’ ” Nielsen said. “Now we need to operationalize those partnerships … to stand shoulder to shoulder and not just in response [to a cyberattack] … but on the front end.”
The picture Nielsen painted was of a far more active relationship between government and industry on cybersecurity threats than what exists today. But it’s a model government has been trying to build during the past year, including with a mammoth public-private effort to map and protect the nation’s most vital digital assets.
Nielsen described the shift as moving beyond the “whole-of-government approach” to cybersecurity protections — the mantra top government officials have touted the past several years as they seek to coordinate among digital defenders, law enforcement, policy officials to combat cybersecurity threats.
“The idea that we can prevail with so-called ‘Whole of Government’ efforts is now an outdated concept. It’s not enough,” Nielsen said. “We need a ‘Whole of Society’ approach to overcome today’s threats.”
That society-wide effort is necessary, she said, because the threat posed by cyberattacks is greater than the threat of terrorism — and neither government nor industry is prepared to face the threat alone.
“Today, I am more worried about the ability of bad guys to hijack our networks than their ability to hijack our flights,” Nielsen said. “America is not prepared for this. Your average private citizen or company is no match against a nation-state such as China, Iran, North Korea or Russia. It is not a fair fight. And until now our government has done far too little to back them up.”
Government has increasingly contacted private companies in the past year to brief them on new digital threats — including a comprehensive webinar in February on the shifting tactics of Chinese hackers. And the U.S. will increasingly urge companies to cut ties with foreign companies suspected of spying on behalf of their governments -- even beyond China’s Huawei and the Russian anti-virus company Kaspersky.
“Our adversaries are using state-owned companies as a ‘forward-deployed’ force to attack us from within our supply chain,” she said. “So, we are working with industry partners to identify and delete these bugs and defects from our systems.”
DHS issued a directive in 2017 requiring federal agencies to remove Kaspersky from their computer networks. If the department determines that other companies pose a similar spying threat, it won’t hesitate to issue a similar directive banning them — and the department will also “do all we can to encourage the private sector to do the same,” Nielsen said.
Her ultimate message: This is an assault that touches every aspect of society and we’ll have to be unified in our response.
“It’s not just U.S. troops and government agents on the front lines anymore,” Nielsen said. “It’s U.S. companies … It’s ordinary Americans. Threat actors are mercilessly targeting everyone’s devices and networks. They are compromising, co-opting, and controlling them. And they are weaponizing our own innovation against us.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
Senate Democratic Leader Chuck Schumer (D-N.Y.) criticizes President Trump's budget proposals. (J. Scott Applewhite/AP)
The biggest boost would go to the Defense Department, which would see its funding surge 10 percent from about $8.7 billion to about $9.6 billion, while DHS funding would stay basically flat at $1.9 billion. The DHS division responsible for helping other government agencies and some industry sectors secure their computer networks would get a 3 percent boost to about $1 billion.
The budget request is just that — a request for how much money the administration would like congressional appropriators to give to particular priorities. Final funding numbers are usually far different after they’ve gone through the congressional appropriation process.
The budget request also includes $11.4 million for new cybersecurity positions at DHS, FCW’s Derek B. Johnson reports.
Here’s a full breakdown from Nextgov’s Jack Corrigan.
JPMorgan Chase CEO Jamie Dimon testifies before the Senate Banking Committee. (J. Scott Applewhite/AP)
Gery Shalon, who was extradited and charged with those crimes four years ago, could be sharing information related to the vast network of Russian hacking groups, Bloomberg reported.
“An Israeli citizen, [Shalon] allegedly teamed up with a Russian hacker who is now also in U.S. custody, raising the prospect that Shalon could provide U.S. prosecutors with a road map to Russian cyber crimes, how criminal hackers interact with that country’s intelligence services, or both,” the story notes.
The Pentagon. (AFP/Getty Images)
The scammers “obtained fraudulent lines of credit to buy expensive technical equipment in the organizations’ names,” CyberScoop reported, and “spoofed email addresses of the target organizations, convincing suppliers to process payments with fake purchase orders and credit documents.”
The bureau did not name victims of the scam, which was aimed at stealing money, not classified or sensitive information, Cyberscoop reported. The scams took place in early 2018, the story says.
Cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Cybersecurity news from abroad: