Vision: By 2023, the Department of Homeland Security will have improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.

UNCLASSIFIED//FOR OFFICIAL USE ONLY

 

May 15, 2018

 

U.S. DEPARTMENT OF HOMELAND SECURITY

CYBERSECURITY STRATEGY

 

 

 


TABLE OF CONTENTS

INTRODUCTION
    SCOPE
    THE CYBER THREAT
    MANAGING NATIONAL CYBERSECURITY RISK
    GUIDING PRINCIPLES
    DEVELOPMENT AND IMPLEMENTATION

PILLAR I – RISK IDENTIFICATION
    GOAL 1: ASSESS EVOLVING CYBERSECURITY RISKS

PILLAR II – VULNERABILITY REDUCTION
    GOAL 2: PROTECT FEDERAL GOVERNMENT INFORMATION SYSTEMS
    GOAL 3: PROTECT CRITICAL INFRASTRUCTURE

PILLAR III: THREAT REDUCTION
    GOAL 4: PREVENT AND DISRUPT CRIMINAL USE OF CYBERSPACE

PILLAR IV – CONSEQUENCE MITIGATION
    GOAL 5: RESPOND EFFECTIVELY TO CYBER INCIDENTS

PILLAR V – ENABLE CYBERSECURITY OUTCOMES
    GOAL 6: STRENGTHEN THE SECURITY AND RELIABILITY OF THE CYBER ECOSYSTEM
    GOAL 7: IMPROVE MANAGEMENT OF DHS CYBERSECURITY ACTIVITIES

CONCLUSION

APPENDIX: DHS CYBERSECURITY AUTHORITIES

 

 

 

 


INTRODUCTION

The American people are increasingly dependent upon the Internet for daily conveniences, critical services, and economic prosperity. Substantial growth in Internet access and networked devices has facilitated widespread opportunities and innovation. This extraordinary level of connectivity, however, has also introduced progressively greater cyber risks for the United States. Long-standing threats are evolving as nation-states, terrorists, individual criminals, transnational criminal organizations, and other malicious actors move their activities into the digital world. Enabling the delivery of essential services—such as electricity, finance, transportation, water, and health care—through cyberspace also introduces new vulnerabilities and opens the door to potentially catastrophic consequences from cyber incidents. The growing number of Internet-connected devices and reliance on global supply chains further complicates the national and international risk picture.

More than ever, cybersecurity is a matter of homeland security and one of the core missions of the U.S. Department of Homeland Security (DHS).

At DHS, we believe that cyberspace can be secure and resilient.[1] We work every day across the Department and with key partners and stakeholders to identify and manage national cybersecurity risks. We do this by adopting a holistic risk management approach. Like every organization, no matter how big or small, we must minimize our organizational vulnerability to malicious cyber activity by protecting our own networks. DHS also has broader responsibilities to protect the larger federal enterprise and improve the security and resilience of other critical systems. At the same time, we seek to reduce cyber threats by preventing and disrupting cyber crimes, and to lessen the consequences of cyber incidents by ensuring an effective federal response when appropriate. Finally, we work to create conditions for more effective cyber risk management through efforts to make the cyber ecosystem more fundamentally secure and resilient. This strategy sets forth our goals, objectives, and priorities to successfully execute the full range of the Secretary of Homeland Security’s cybersecurity responsibilities.

Scope

This strategy provides the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient.

[1] The term “cyberspace” in this strategy refers to the interdependent network of information technology infrastructure, including the Internet, telecommunications networks, computers, information and communications systems, and embedded processors and controllers.

 

 


The Cyber Threat

During the last several decades, advances in technology have fundamentally changed the world. Substantial growth in Internet access, use of Internet-enabled devices, and the availability of high speed information technology systems and large datasets have facilitated productivity, efficiencies, and capabilities across all major industries. The proliferation of technology also presents new cybersecurity challenges and leads to significant national risks. More than 20 billion devices are expected to be connected to the Internet by 2020. The risks introduced by the growing number and variety of such devices are substantial.

The United States faces threats from a growing set of sophisticated malicious actors who seek to exploit cyberspace. Motivations include espionage, political and ideological interests, and financial gain. Nation-states continue to present a considerable cyber threat. But non-state actors are emerging with capabilities that match those of sophisticated nation-states. Criminal actors are increasingly empowered by modern information and communications technologies that enable them to grow in sophistication and transnational reach. Transnational criminal organizations also increasingly collaborate through cyberspace. Complicating the threat picture, nation-states are increasingly using proxies and other techniques that blur the distinction between state and non-state cyber activities. In a number of cases, malicious actors engaged in significant criminal cyber activity appear to have both criminal and nation-state affiliations.

These diverse threats can impact federal and nonfederal information systems. Attempted incursions into government networks occur on a daily basis; the number of cyber incidents on federal systems reported to DHS increased more than ten-fold between 2006 and 2015. In 2015, a high-profile intrusion into a single federal agency resulted in the compromise of personnel records of over 4 million federal employees and ultimately affected nearly 22 million people. The growing interconnection of cyber and physical systems within critical infrastructure also creates the potential risk for malicious cyber activity to result in direct physical consequences; for example, the December 2015 overriding of controls in the Ukrainian electric grid resulted in widespread loss of power. Ransomware incidents such as WannaCry and NotPetya demonstrate how the rapid growth of the internet-of-things further complicates the threat as everyday devices can be targeted by malicious cyber actors with potentially far-reaching consequences.

The broad availability, relatively low cost, and increasing capabilities of cyber tools also affect trends in the threats we face. Ransomware, for example, has evolved to attack both frontline systems and backup drives. Malicious cyber actors have successfully used ransomware to compromise maritime, travel control, and healthcare systems. The Darkweb facilitates the easy sale of illicit goods and services, such as firearms, forged passports, and malware, which threat actors may acquire and use. Malware kits and instructions are also readily available on the Darkweb. Malicious cyber tools sold on the Internet can be adapted to intrude into systems and otherwise commit criminal acts related to financial fraud, money laundering, intellectual property theft, or other illicit activities. The growing popularity of cryptocurrencies also presents challenges to countering money laundering and the work of law enforcement.

 

 


Managing National Cybersecurity Risk

DHS must find innovative ways to leverage our broad resources and capabilities across the Department and the homeland security enterprise to strategically manage national cybersecurity risks. We have accordingly identified five pillars of a DHS-wide risk management approach. Through our efforts to accomplish seven identified goals across these five pillars, we work to ensure the availability of critical national functions and to foster efficiency, innovation, trustworthy communication, and economic prosperity in ways consistent with our national values and that protect privacy and civil liberties.

DHS Cybersecurity Goals

Pillar I – Risk Identification

• Goal 1: Assess Evolving Cybersecurity Risks. We will understand the evolving national cybersecurity risk posture to inform and prioritize risk management activities.

Pillar II – Vulnerability Reduction

• Goal 2: Protect Federal Government Information Systems. We will reduce vulnerabilities of federal agencies to ensure they achieve an adequate level of cybersecurity.

• Goal 3: Protect Critical Infrastructure. We will partner with ke