
What Does A Cyber Reshuffle Mean for Business?

The recent release of the Department of Defense (DoD) cyber strategy essentially announced the department’s ambitions to resume the role of the 800-pound gorilla in cyber. The offensively focused plan is a sharp redirect from the strategies of late and from the department’s unreturned crush on Silicon Valley, both of which made it challenging to recognize the DoD as the same tech-savvy organization that invented the Internet.

While the DoD’s cyber strategy received praise from industry and government, the Administration’s national cyber strategy, which was released the same week, faced subpar reviews. This is because the ideas outlined in the Administration’s recently released national cyber strategy are regularly discussed in cybersecurity circles and are being implemented today by civilian agencies.


On the other hand, the differences between the 2018 and 2015 DoD cyber strategies are vast, ranging from the tone of the document to a major shift in mission priorities that facilitates the emergence of an offensive positioning that, for years, was de-emphasized to the public. However, since no other department possesses the same broad operational parameters as the DoD, the only option for civilian agencies is to rearrange the way current efforts are presented to the public.

It is more appropriate to consider the DHS’s recent cyber announcements as a rebranding effort rather than a redirection in policy. While this may seem superficial, when viewed in this broader cyber strategy context, the polishing and reorganization of worn tactics carry concrete benefits.

These are particularly evident when one focuses on current efforts to repackage the medley of efforts at the Department of Homeland Security (DHS) into a tidy offering of risk management, which is one of the more strategic changes to the federal cyber practice. Altering the name of DHS’s National Protection and Programs Directorate (NPPD) to the Cybersecurity and Infrastructure Security Agency (CISA) and creating the National Risk Management Center (NRMC) within the organization does not change policy, but these modifications could redirect the government’s cyber focus and culture for the better.

On the surface, these changes are essentially a rebranding effort for DHS’s cyber engagement with stakeholders. As DHS leadership has mentioned, for NPPD to be effective, stakeholders outside the Beltway need to quickly recognize the directorate’s role, which will be accomplished by the name change to CISA. The creation of the NRMC also signals to critical sectors in industry that the government is serious in its approach to collective defense. While we do not yet know all the details of the framework, we do know the NCCIC's operational mission and relationship with industry will remain intact; NRMC will gather more industry partners and the NCCIC will handle incident response.

The increased publicity about NPPD’s mission and cybersecurity alone is an asset for cyber warriors. By raising awareness and generating attention for the government’s practice, more people are becoming aware of the necessity for cybersecurity. This may cause individuals to be more cognizant of their own behaviors in cyberspace and take actions they otherwise may have overlooked. Because the ultimate goal is for cybersecurity to be second nature for everyone – akin to looking both ways before crossing the street – awareness is the first step and the move to change is the next. As long as people see the value added, the business case to view cybersecurity from a risk management posture is a win.

Rebranding the federal cyber war as risk management also combats cyber fatigue. Cybersecurity is a never-ending and oftentimes thankless battle with an ever-changing foe. Especially with the commoditization of hacking, the number of threats and adversaries is increasing and no end is near. Cyber warriors are rarely praised when something goes right; instead, they receive an overwhelming amount of attention when things go sideways. This inability to announce “mission accomplished” can be demoralizing. However, by changing the finish line from creating an impenetrable fortress on the hill (impossible) to mitigating and monitoring cyber risks (realistic), operators have concrete successes that can be celebrated and serve as encouragement to continue.

Framing the DHS cyber mission as risk management also encourages a critical thinking approach to cybersecurity rather than task-oriented tactics. Because analysts in risk mitigation are consistently hunting for risks, they are forced to consider the second- and third-level consequences of their actions. This thinking about the chain reaction of events results in risk management practitioners creating a more complete security ecosystem that considers seemingly unconnected components. Critical thinking cyber analysts cannot just say, “no, this is not a risk”; they must ask what that “no” means.

A critical thinking culture will not be limited to analysts and operators; throughout CISA, these questions will need to be asked:

Are we even willing to accept risk?

Just as every person has a different tolerance for risk, so does every government department and company. The concept of risk management recognizes it is impossible to completely secure a network, but we must not let our goals of perfection get in the way of good enough.

Do we think about intended and unintended consequences of our cyber decisions?

The key component of risk management is not making things worse. It can be challenging to identify all the possible outcomes of an action in cyberspace. Thinking critically about actions and their repercussions is continuous, and criteria need to be established for the tipping point where cyber professionals push the button.

What are the important components in good decision-making?

With risk management, no decision is completely right. The 16 critical infrastructures and their subcomponents also have different appetites for risk that could impact decision-making. Having a standard for decision-making would give structure to an otherwise organic process of managing risk and following the question of “what if.”

When is cost more important than mitigating a risk?

Whether it costs money, time or resources, mitigating cyber risks is expensive. The other side of mitigating risks is taking risks, which can be even more expensive. Working closely with key players in the interagency circle, DHS should be able to identify a protocol to determine when mitigating or taking risks will be too expensive.

Managing cyber risk is not a new concept in the cyber industry, but making it a focal point of DHS’s cyber strategy will strengthen our nation’s cyber posture. While these changes may still be viewed as superficial by skeptics, branding efforts under the verified cybersecurity method of risk management recognizes and seeks to leverage the human components of cross-sector collaboration, which alone is a valiant mission. Stakeholders need to realize policies are not changing; the deck is just being reshuffled to ensure the most valuable cards are presented on top.
