The Department of Homeland Security is readying a new cyber security strategy focused on pushing the private sector to improve coordination on eliminating known risks and more aggressively responding to malicious actors.
DHS Secretary Kirstjen Nielsen detailed the new security approach at a cyber conference Tuesday. The approach focuses on getting companies to share risk information faster and on building, with the tech industry, a crowd-sourced approach to responding to cyber threats.
“The concept here is partnering. The threats today are just too big, too widespread for any one entity to have all the capabilities, authorities and resources to fight it alone,” Nielsen said at the RSA Conference in San Francisco.
Nielsen said the new strategy would focus on a forward-leaning approach with the aim of having the private sector share information that would allow DHS to more rapidly address future cyber threats before networks can be attacked.
“We are working with users, buyers, tech manufacturers and others, many in this audience, to hunt down unseen security gaps and to share actionable information that will help close them,” Nielsen said. “This includes identifying companies in the supply chain whose risks might go unnoticed otherwise. And we do need your help. We ask you to work with us to identify systemic risks, to flag emerging ones and to work with us to fix them.”
This collective approach may involve bringing in private sector partners to coordinate the response to adversaries’ cyber threats. DHS’ goal is to eventually help with the effort to dismantle major illicit cyber networks in minutes and not months, according to Nielsen.
“The bad guys are crowd-sourcing their attacks, so we need to crowd-source our response. Unfortunately, we’re not quite there yet,” Nielsen said. “Much like the pre-9/11 period, we have the data points to stop the attacks, and yet we still aren’t sharing quickly and widely enough to connect those dots.”
Part of the effort will look to expand information sharing initiatives, such as the department’s Automated Indicator Sharing Program, and to build on models like the Financial Systemic Analysis & Resilience Center, according to Nielsen.
Nielsen’s keynote came on the same day that 34 major technology companies signed a new cyber security accord. The new deal includes a promise not to assist any government in perpetrating cyber attacks, while affirming that the companies would help those that are targets of a cyber incident.
Companies in agreement with the new accord include Facebook [FB], Cisco [CSCO], Dell [DVMT], Microsoft [MSFT] and Symantec [SYMC]. The moderator of a fireside chat with Nielsen following the keynote address pointed to Amazon [AMZN], Apple [AAPL] and Google [GOOG] as notable names missing from the new deal.
Nielsen said the accord aligns “perfectly” with DHS’ forthcoming strategy, and may spur future conversations on a “Digital Geneva Convention” which may help establish international cyber norms.
“Our hyperconnectivity means that your risk is now my risk,” Nielsen said. “A company can no longer protect itself in a vacuum. I can no longer protect DHS in a vacuum. We have a weakest link problem, and the consequences affect us all.”
The DHS secretary affirmed that this new strategy aims at implementing a more aggressive approach to cyber deterrence that will build in consequences for malicious nation-state cyber actors, including Russia and North Korea.
“The United States possesses a full spectrum of response options, both seen and unseen, and we will use them to call out malign behavior, punish it, and deter future cyber hostility,” Nielsen said.
Nielsen did not give an indication of when the new DHS strategy may be released.