The U.S. government can’t manage cybersecurity threats from Russia and China on its own and it needs private businesses to help, Homeland Security Secretary Kirstjen Nielsen said Monday.
She said industry should follow government’s lead in not building products with technology from companies that might pose cybersecurity risks, such as Russia's Kaspersky and China's Huawei. Companies should also alert DHS about digital vulnerabilities, including those that would allow hackers to compromise public safety or steal vast amounts of computing power.
And most importantly, businesses should actively strategize with DHS about how to collectively respond to cyberattacks before they happen, Nielsen said during her annual State of Homeland Security address.
That’s a stark contrast to the past few years when government has saved its most intense contacts with industry for after digital assaults -- not before one actually happens.
“We’ve been through the ‘let’s partner.’ We’ve been through the ‘let’s share information,’ ” Nielsen said. “Now we need to operationalize those partnerships … to stand shoulder to shoulder and not just in response [to a cyberattack] … but on the front end.”
The picture Nielsen painted was of a far more active relationship between government and industry on cybersecurity threats than what exists today. But it’s a model government has been trying to build during the past year, including with a mammoth public-private effort to map and protect the nation’s most vital digital assets.
Nielsen described the shift as moving beyond the “whole-of-government approach” to cybersecurity protections — the mantra top government officials have touted the past several years as they seek to coordinate among digital defenders, law enforcement, policy officials to combat cybersecurity threats.
“The idea that we can prevail with so-called ‘Whole of Government’ efforts is now an outdated concept. It’s not enough,” Nielsen said. “We need a ‘Whole of Society’ approach to overcome today’s threats.”
That society-wide effort is necessary, she said, because the threat posed by cyberattacks is greater than the threat of terrorism — and neither government nor industry is prepared to face the threat alone.
“Today, I am more worried about the ability of bad guys to hijack our networks than their ability to hijack our flights,” Nielsen said. “America is not prepared for this. Your average private citizen or company is no match against a nation-state such as China, Iran, North Korea or Russia. It is not a fair fight. And until now our government has done far too little to back them up.”
Government has increasingly contacted private companies in the past year to brief them on new digital threats — including a comprehensive webinar in February on the shifting tactics of Chinese hackers. And the U.S. will increasingly urge companies to cut ties with foreign companies suspected of spying on behalf of their governments -- even beyond China’s Huawei and the Russian anti-virus company Kaspersky.
“Our adversaries are using state-owned companies as a ‘forward-deployed’ force to attack us from within our supply chain,” she said. “So, we are working with industry partners to identify and delete these bugs and defects from our systems.”
DHS issued a directive in 2017 requiring federal agencies to remove Kaspersky from their computer networks. If the department determines that other companies pose a similar spying threat, it won’t hesitate to issue a similar directive banning them — and the department will also “do all we can to encourage the private sector to do the same,” Nielsen said.
Her ultimate message: This is an assault that touches every aspect of society and we’ll have to be unified in our response.
“It’s not just U.S. troops and government agents on the front lines anymore,” Nielsen said. “It’s U.S. companies … It’s ordinary Americans. Threat actors are mercilessly targeting everyone’s devices and networks. They are compromising, co-opting, and controlling them. And they are weaponizing our own innovation against us.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The Trump administration wants Congress to boost government-wide cybersecurity spending about 5 percent, from about $16.6 billion during the 2019 fiscal year to $17.4 billion during the 2020 fiscal year, according to a budget document released Monday.
The biggest boost would go to the Defense Department, which would see its funding surge 10 percent from about $8.7 billion to about $9.6 billion, while DHS funding would stay basically flat at $1.9 billion. The DHS division responsible for helping other government agencies and some industry sectors secure their computer networks would get a 3 percent boost to about $1 billion.
The budget request is just that — a request for how much money the administration would like congressional appropriators to give to particular priorities. Final funding numbers are usually far different after they’ve gone through the congressional appropriation process.
The budget request also includes $11.4 million for new cybersecurity positions at DHS, FCW’s Derek B. Johnson reports.
Here’s a full breakdown from Nextgov’s Jack Corrigan.
PATCHED: The Israeli hacker who allegedly masterminded the 2014 hack of JP Morgan, which compromised data on more than 80 million bank customers, appears to be cooperating with U.S. law enforcement, Bloomberg News’s Helena Bedwell, Christian Berthelsen and Michael Riley reported.
Gery Shalon, who was extradited and charged with those crimes four years ago, could be sharing information related to the vast network of Russian hacking groups, Bloomberg reported.
“An Israeli citizen, [Shalon] allegedly teamed up with a Russian hacker who is now also in U.S. custody, raising the prospect that Shalon could provide U.S. prosecutors with a road map to Russian cyber crimes, how criminal hackers interact with that country’s intelligence services, or both,” the story notes.
PWNED: Hackers defrauded defense contractors with security clearances and a university out of $150,000 through email scams last year, according to an FBI advisory to industry obtained by CyberScoop’s Sean Lyngaas.
The scammers “obtained fraudulent lines of credit to buy expensive technical equipment in the organizations’ names,” CyberScoop reported, and “spoofed email addresses of the target organizations, convincing suppliers to process payments with fake purchase orders and credit documents.”
The bureau did not name victims of the scam, which was aimed at stealing money, not classified or sensitive information, Cyberscoop reported. The scams took place in early 2018, the story says.
Cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Cybersecurity news from abroad: