By 2020, more than 20 billion devices will be connected through a network of ping-ponging texts, bank transfers, and personal data. At the same time the world grows more connected, nefarious nation-states and transnational criminal organizations only have more targets for crippling cyber attacks. Cut the cord, and the institutions the world relies on could grind to a paper-only halt.
In February, Director of National Intelligence Dan Coats called cyber-attacks the United States’ greatest national security risk. The new frontlines of warfare won’t be drawn in windswept desserts or hacked through far-flung jungles; they’ll be written in lines of code.
Attempting to counter this evolving reality, the Department of Homeland Security (DHS) released its cybersecurity strategy in May to protect government networks and critical infrastructure. To protect the people who will rely on the 20 billion connected devices that DHS predicts, the strategy hinges on five pillars: Risk Identification, Vulnerability Reduction, Threat Reduction, Consequence Mitigation, and Enabl[ing] Cybersecurity Outcomes.
Two of the main gaps the strategy tries to address through its goals and pillars are improvements to the workforce and cross-agency cooperation. The strategy points to a need for both and for having cybersecurity be a top priority, but it is short on details of how it will accomplish its goals. DHS will release a separate implementation plan by mid-August.
“We almost never put out a strategy, a doctrine, any sort of dogmatic overview that is disagreeable on its face—it doesn’t happen. Rep. Tom Garrett (R-Va.) told Homeland411, “It is the implementation where things go awry.”
Chronic under staffing, insufficient resources, and a lack of cyber-prioritization has left government systems and critical infrastructure vulnerable to attacks and has placed DHS’s cyber goals far from reach, according to former top cyber officials, members of Congress, and cybersecurity experts Homeland411 spoke with.
Currently, DHS has 2,500 civilian vacancies, a DHS official said. Lawmakers have shown bipartisan disappointment in DHS’s pace of recruitment, retention, and attrition. Issues are not unique to workforce shortages. Deadlines have been missed, progress inflated, and cross-agency cyber assessments have not been completed, according to multiple Government Accountability Office (GAO) reports. The strategy itself came in behind schedule, released more than a year past its federally mandated deadline.
Abundant Cybersecurity Gaps
In 2014 the Office of Personnel Management (OPM) was hemorrhaging data. Alleged Chinese hackers had broken into what was essentially the government’s human resource department. In the first wave of attacks, 4.1 million people’s records, including social security numbers, address, and contact info were thought to be obtained in the breach. By the time the dust settled, more than 21 million people’s personal data had been stolen.
The breach drew significant attention to gaps in the government’s cybersecurity and led to the eventual resignation of OPM Director Katherine Archuleta in 2015.
Since the attack, the government has given more attention to cybersecurity, but it still struggles to match the speed at which adversaries have developed their cyber capabilities.
While DHS is in the process of recruiting “hundreds” to fill its 2,500 vacancies with “many candidates selected and in the process of onboarding,” a DHS official said, it and many other agencies remain under resourced and under staffed.
With a projected 3.1 million open cybersecurity jobs industry wide by 2021, the government’s low pay scale will not likely keep pace with the demands and salaries in the private sector.
The double-headed challenge of difficult recruitment and attrition in the highly competitive market is leaving DHS and other government agencies in the shallow end of the talent pool.
“We are inherently and perpetually behind timeline on any number of things, recruitment of cybersecurity specialists is only one of many symptoms,” Garrett said.
DHS has piloted “work arounds,” such as letting cyber specialists jump in and out the private sector and government agencies, but a permanent solution remains elusive.
“We have to turn around and recruit, hire, and retain people on a first-part-of-the-20th century system,” said DHS Chief Human Capital Officer Angela Bailey during a congressional hearing in March. That system—the government’s pay scale and hiring process—is one of the greatest barriers to attracting top talent to the department, she said.
Another problem is a gap in cyber specialists’ skill levels when entering the industry. Bailey and Garrett both indicated that universities have not met the rapidly growing sector’s demands. To counter this, DHS launched several education and outreach programs to help educators better prepare the next generation of cyber specialists.
“We need to start this in elementary school,” Bailey said. “The public school system is actually begging us to establish what the curriculum is.”
Until recently there has not been a uniform language for the few new recruits that end up entering government cyber ranks. Congress mandated DHS to assign three-digit codes to cyber positions as a part of a new cybersecurity framework developed by the National Institute of Standards and Technology, but the government was behind from the start.
A GAO report published in February found that DHS inflated its reported progress on assigning the codes and failed to meet key deadlines. DHS reported that 95 percent of positions had been coded, but GAO found that only 79 percent were. As of April, however, all 10,000 federal cybersecurity positions had been coded, the DHS official told Homeland411.
Fractured Oversight
Vacancies in the workforce is only one of several problems complicating meeting the strategy’s goals. While DHS has general oversight of many cybersecurity issues, each of the roughly 100 federal agencies is tasked with managing its own cyber risk. The decentralization of cybersecurity means fixes can be tailor-made, but it also exposes agencies with limited cyber resources to more risk, according to a report by Katherine Charlet, director of the Carnegie Institute for Peace’s Technology and International Affairs Program.
Many agencies still work on antiquated systems, need to prioritize cybersecurity, and operate with limited resources, said Chris Painter, a former top cyber diplomat for the State Department. “The weakest point could be an entry point for a malicious actor.”
In May, a White House report indicated that only 25 percent of agencies appropriately manage their cyber risk.
A core component of the strategy is to strengthen cross-agency, industry, and international coordination to help those with fewer resources be more resilient. “DHS must expand outreach to other law enforcement entities at the federal, state, local, territorial, and tribal levels,” the strategy states.
But coordination faces staffing challenges as well. In May, the White House eliminated a key cyber coordination position on the National Security Council, to the dismay of many in and out of government.
“We’ve been thrown back to 1990s at the top. Can we just at least get a White House cybersecurity coordinator?” Peter Singer, a strategist and senior fellow on security issues at New America, said in an e-mail.
Painter agreed that cross-agency coordination should be a top goal, and that achieving it will be difficult without the NSC’s cyber coordinator. Other high-level cybersecurity officials are pulling double duty, wearing multiple high-level cyber hats.
“It can’t be done by just one agency; it has to be a unified response,” Painter said.
Beyond interagency partnerships, DHS and other agencies coordinate with private industries that keep the country running—known as critical infrastructure—to identify threats and reduce risks.
Critical Infrastructure Concerns
In 2017, an ominous message flashed on the 300,000 computer screens.
“Oops, your files have been encrypted! Send $300 worth of bitcoin to this address,” read the message.
WannaCry, a global ransomware attack, had locked computers in more than 150 countries, holding their data electronically hostage. Among many other large networks, the attack hit Britain’s National Health Service.
Hospitals and health care networks are frequent targets of ransomware and other types of attacks. Operating on thin margins, often hospitals will prioritize upgrading health care equipment before cybersecurity, said American Hospital Association Senior Cybersecurity Advisor John Riggi.
“The healthcare sector really is in a tremendously challenging position when it comes to cybersecurity threats,” Riggi said.
Part of DHS’s overall strategy is a “collective defense” approach, collaborating with other governments, industries, local law enforcement, and agencies, to help secure critical infrastructure.
That defense and private-public partnerships are critical in sharing threats and information with private industries. Sector-specific agencies like Health and Human Services and the Department of Energy often are the first point of contact for their respective industry’s cybersecurity. DHS, and many other agencies also offer assistance in identifying threats and mitigating risks, creating both layers of support and potential bureaucratic overlap.
One of the United States’ most critical infrastructures—the election system—will likely remain center stage running up to the midterm elections, with concern over Russian interference during the 2016 election season and lack of deterrence.
“Cyber deterrence is in utter collapse,” Singer said by e-mail. “By failing to respond to Russia’s attacks on the U.S. and allied democracies, as well as a range of public and private organizations, we have sent the signal that these attacks are low cost, high gain.”
Russia has been honing its cyber skills in the Baltics and Ukraine for years. Flickering the Ukrainian electric grid, Russia has turned the eastern European ally into a cyber attack lab rat.
“The Russians, to date, have been toying with the Ukrainians simply to let them know that they can turn the lights off anytime they wanted for as long as they wanted,” Garrett added.
The strategy will be tested as threats from cyber-attacks are only expected to grow in the coming years. Nation-states like Russia, Iran, North Korea, and China will continue to try and penetrate U.S. cyber space through covert operations and proxies, said many who spoke with Homeland411.
“I don’t think [the strategy] is anything shockingly new,” Painter said, “it is always important to have a strategy.”
Jackson Barnett is a staff writer for Homeland411.
© 2018 Homeland411
Subscribe to our free weekly electronic newsletter here.