The Trump administration is pursuing a course of cyber deterrence that includes a range of options for adversaries, but the Department of Homeland Security is limited in its capabilities here due to a lack of authority to adequately pursue the mission, Homeland Security Secretary Kirstjen Nielsen said on Wednesday.
A “roadblock” in the path for DHS to more effectively confront cyber threats is the need for legislation that would authorize the National Protection and Programs Directorate (NPPD) into a “full-fledged operational agency,” Nielsen said. She asked Congress, which is considering legislation first proposed during the former Obama administration, to authorize the change in NPPD “immediately, and absolutely before the year ends.”
“DHS wasn’t built for a digital pandemic,” Nielsen said.
The bipartisan legislation would in name change NPPD to the Cybersecurity and Infrastructure Protection Agency, which Nielsen said that combined with the operating authorities would better align DHS for cyber missions and elevate its standing.
“Everyone agrees that DHS is on point for the civilian.gov domains, we’re on point for helping critical infrastructure and now we’re on point for helping state and locals protect their elections,” she told Frank Cilluffo, the outgoing director of the Center for Cyber & Homeland Security at George Washington University, who moderated a discussion with her on the threat landscape and how DHS is responding. “We have the mission space. We are not able to organize to meet that operational space. We need to be an operational component.”
Establishing an operating cyber agency also enhances its credibility, Nielsen said, “because having cyber security infrastructure in the name is not only an indication to our stakeholders of where to go but it puts us on par with other agencies that have other parts of the cyber puzzle. So, it gives us parity in the interagency, it helps us work with international partners but it really helps the private sector understand where to go and how they can interact with us.”
The Trump administration’s rhetoric around cyber deterrence has been similar to that of the Obama administration, and so far, the U.S. government hasn’t published a cyber deterrence doctrine or strategy.
Nielsen said that the nation’s “adversaries have been warned” and that “the United States has a full spectrum of options—some seen, others unseen—and we are already using them to call out cyber adversaries, to punish them, and to deter future digital hostility.” She added that, “We will no longer tolerate the theft of our data. We will no longer stand idly by as our networks are penetrated, exploited, or held hostage. We will respond. And we will respond decisively.”
Asked by Cilluffo what a “commensurate response” looks like to a hostile cyber attack that has been attributed, Nielsen replied that speaking for her, “I think it needs to be more than commensurate. By the time that a country is attacking civilian networks, civilian assets, again, it’s not a fair fight. That’s not how the international world has created norms and standards and I don’t think it should be commensurate I think it should be more.”
Attributing the source of cyber attacks still needs to happen faster, she said, and that “consequences have to go hand in hand with that attribution.”
Nielsen didn’t provide a lot of detail but said the administration is developing “toolsets” to deter and counter cyber attacks, including diplomatic relations, trade, and economic policy.
“It’s certainly any authority I have within the United States and bringing it all to bear,” she said. “Some of that will be seen, some of that will be unseen to make sure that that adversary knows there will be consequences.”