A new U.S. cybersecurity strategy calls on government agencies to work more closely with private sector companies to reduce risks. At the same time, the Trump Administration eliminated the chief cybersecurity coordinator post.
“Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself,” said Department of Homeland Security Secretary Kirstjen Nielsen, in a statement announcing the strategy.
But apparently not enough of a threat to keep a post that’s central to defending against such attacks.
DHS released its report the same day that the White House cut its top cybersecurity role. As Politico first reported, a National Security Council spokesperson said the post is no longer necessary and that “streamlining management will improve efficiency, reduce bureaucracy, and increase accountability.”
In other political security news, Moscow-based Kaspersky Lab said it will move most of its infrastructure to Zurich. This includes its software assembly line and servers that store and process Kaspersky Security Network data.
Late last year President Donald Trump banned the use of Kaspersky Lab software within the U.S. government following allegations that the company had ties with state-sponsored espionage programs in Russia.
Less than a month ago Twitter banned Kaspersky ads on its platform, citing the vendor’s alleged ties to Russian intelligence agencies.
Moving its assembly line and security network data to Switzerland is part of the company’s “global transparency initiative,” according to a Kaspersky blog post. “Storing it [data processed by Kaspersky Security Network] in Switzerland under the supervision of an independent organization means that any access to this data is meticulously logged — and the logs can be reviewed at any moment should any concerns arise,” it said.
U.S. Cybersecurity Strategy
Getting back to the DHS report: it outlines the national cyberrisk management strategy over the next five years. The strategy calls for better risk identification and pledges to reduce vulnerabilities across government networks and critical infrastructure. It also acknowledges that achieving these security goals will require information sharing and public-private partnerships.
“The growth and development of the Internet has been primarily driven by the private sector and the security of cyberspace is an inherently cross-cutting challenge,” the report says. “To accomplish our cybersecurity goals, we must work in a collaborative manner across our components and with other federal and nonfederal partners.”
What this collaboration specifically means for the tech sector, however, remains unclear. DHS says it will publish an “implementation plan” at a later date.
What Role Will the Tech Sector Play?
“Overall, I think the strategy is a good one,” said Cyber Threat Alliance (CTA) President and CEO Michael Daniel, adding that it’s too soon to tell what it will mean for private companies.
The CTA is a group of 17 top security vendors including Cisco, McAfee, Fortinet, Palo Alto Networks, and Symantec that share threat information daily. Prior to joining the CTA, Daniel served as special assistant to President Obama and cybersecurity coordinator on the National Security Council.
“One of the dangers of writing these documents is that you end up saying cybersecurity is good and we should have more of it,” Daniel said. “The core policy question that we’re really trying to wrestle with is what does it mean for the government to interact with the private sector in this area? It’s a relationship we don’t quite have in other areas — it’s not a contractual relationship, it’s not a regulatory relationship. It’s much more of a collaborative relationship where both sides are bringing something to the table. That is one of the areas where there is going to be a lot more work on the private-sector side and the government side. I think you’ll see some work coming out of the private-sector side trying to move the ball forward on this.”
No Hack Back
One thing the cybersecurity strategy does not mention is retaliatory hacking measures, or what will happen if an adversary launches a cyberattack against the government or a U.S.-based company. Earlier reports suggested this was a key sticking point for some National Security Council staffers and was responsible for delaying the publication of the cybersecurity strategy.
“I can’t speak to the veracity of that assertion,” Daniel said. “But on the hack-back issue … I am certain that the career staff take a pretty dim view of that, and I would imagine policy leadership does as well. I think we would be very foolish as a nation to even encourage that in the private sector.”
The report also doesn’t say anything about the U.S. government launching an offensive cyberattack against an adversary — and what role, if any, tech companies should play in this.
More than 30 companies led by Microsoft vowed not to help governments launch cyberattacks at last month’s RSA security conference. By signing the Cybersecurity Tech Accord, these companies also pledged to protect their customers from attacks by cybercriminals and nation states.
At press time, however, Microsoft and other Tech Accord members didn’t respond to requests for comment on the federal government’s new cybersecurity strategy.