DHS outlines goals for nation's critical infrastructure

The Homeland Security Department has released a cybersecurity strategy outlining goals for government and industry for securing the nation’s critical infrastructure.

The strategy, developed as a result of the 2010 quadrennial DHS review, is called a blueprint but lays out broad objectives rather than technical instructions on achieving them. It focuses on protecting the existing critical infrastructure as well as on developing a stronger and more resilient future cyber ecosystem.

“DHS will work with stakeholders in the homeland security enterprise to develop an implementation plan to prioritize activities, set milestones, and track progress in building the capabilities identified in the strategy,” the strategy states. The department also will establish baselines for comparing performance of agencies in improving security.


Related coverage:

2 signs DHS is turning the corner on cybersecurity

Feds confirm prisons vulnerable to Stuxnet like attack


The strategy supports new legislation that would enable better coordination and information sharing between government and the private sector and clarify the department’s responsibilities and authority. The Obama administration proposed such legislation earlier this year, but it has not been acted on in Congress.

Securing cyberspace is one of five core DHS mission areas identified in the Quadrennial Homeland Security Review. Other core areas are preventing terrorism, securing national borders, enforcing immigration laws and disaster response. DHS has been identified as the lead agency for cybersecurity for civilian executive branch systems and for cooperating with industry to protect privately owned and operated critical infrastructure. It also works with state, local, tribal and territorial governments to secure their information systems.

“The strategy is designed to protect the critical systems and assets that are vital to the United States, and, over time, to foster stronger, more resilient information and communication technologies to enable government, business and individuals to be safer online,” the document states.

To achieve this, the strategy identifies four goals for protecting the current critical information infrastructure:

  • Reduce exposure to cyber risk.
  • Ensure priority response and recovery.
  • Maintain shared situational awareness.
  • Increase resilience.
And four goals for strengthening the cyber ecosystem in future systems:
  • Empower individuals and organizations to operate securely.
  • Make and use more trustworthy cyber protocols, products, services, configurations and architectures.
  • Build collaborative communities.
  • Establish transparent processes.

Each of the goals includes one or more specific objectives. The department lists actions it expects to take in helping agencies and private organizations meet them. These largely involve creation and implementation of policies and processes. Specifically, DHS will lead enterprisewide efforts to secure agency systems, including continuous monitoring, sharing best practices, assessing security, advocating for effective technology management, helping achieve savings for cybersecurity procurements, and developing enterprisewide operational architectures and guidance.

Although the blueprint is not technology specific it does include definitions for success in meeting the primary goals.

“Critical information infrastructure will be considered protected when outcome-based metrics demonstrate that owners and operators appropriately manage risks and the infrastructure is able to maintain adequate security, including confidentiality, integrity, and availability, in the face of the most consequential hazards,” it states.

The cyber ecosystem will be considered strong when:

  • Information and communication technology risk is well defined, understood and managed by users.
  • Organizations and individuals routinely apply security and privacy standards and best practices.
  • The identities of individuals, organizations, networks, services, and devices are appropriately validated.
  • Interoperable security capabilities are built into information and communication technologies.
  • Where appropriate, near real-time, machine-to-machine coordination provides indication, warning, and automated incident response.

The framework for public-private cooperation needed to ensure better cybersecurity needs to be clarified in law, DHS says in the strategy.

“DHS supports new legislation, developed as part of a broader administration effort, which would facilitate the voluntary sharing of legally obtained cybersecurity information between the government and the private sector,” the strategy states. “Additionally, the proposal would provide liability protections to private sector entities for sharing cybersecurity information under the established guidelines. A legal context must be provided that encourages the appropriate, timely sharing of cybersecurity information between the government and private-sector entities who are working toward a common goal.”


About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Sat, Dec 17, 2011 Don O'Neill

The DHS touched on resiliency but with little effect. A defined engineering challenge of adopting resilience throughout the nation's critical infrastructure is needed. Resilience is the ability to anticipate, avoid, withstands, mitigate, and recover from the effects of adversity whether natural or manmade under all circumstances of use. The recovery time objectives among industry sectors must be coordinated, interoperability of information sharing and platform operations must be assured, distributed supervisory control protocols must be in place, and operation sensing and monitoring must be embedded. These crosscutting capabilities cannot be expected to evolve in a loosely coupled environment. They must be holistically specified, architected, designed, implemented, and tested if they are to operate with resilience under stress. A management, process, and engineering maturity framework is necessary to advance the assurance of software security, business continuity, system survivability, and system of system resiliency capabilities.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above