While most of us typically think of the Department of Homeland Security (DHS) as the federal government agency which protects our borders, we often do not realize the scope of responsibilities the department covers. From academic engagement to transportation security, the department covers critical topics such as election security, disaster assistance, disaster resilience as well as disaster response and recovery. Oh, I forgot to mention emergency communications, infrastructure security, civil rights, and civil liberties, human trafficking, and cybersecurity and about a half dozen more responsibilities have DHS’s oversight. For the sake of time and digital storage space, I would like to focus on cybersecurity.
In November of 2018, President Donald Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018, (CISA). The DHS then established a CISA division to focus on our nation’s ability to defend against cyber-attacks, combating cybercrime, cyber incident response, protecting critical infrastructure, providing cybersecurity governance, as well as promoting cyber safety and cybersecurity training and exercises.
I work with the DHS on defending against cyber-attacks and follow the binding directives they distribute. This involves establishing security controls based on best practices. While this sounds easy, trying to get your organization to implement changes can be challenging. After all, old habits are hard to break and legacy applications can be difficult and expensive to remediate. Assessing your cybersecurity posture can be time-consuming, even when you are using an established cybersecurity framework as a guide. Long term, it is well worth the effort. Having a starting point on any journey is critical and that is what you have when completing the first cybersecurity framework assessment. Now you can create a roadmap which will help you with developing both short-term and long-term budget estimates. While we would all like to make major improvements in our overall cybersecurity posture in one quantum jump, the reality is it’s typically a slow process.
Another cybersecurity effort that I have worked with DHS on is their Cyber Storm exercises. I have had the privilege of working on two of the projects and have been very impressed with the Cyber Storm initiative and how well organized they are. Cyber Storm provides an opportunity for the federal government, state and local organizations to address cyber incident response as a community. Each organization designs its own cyber incident to see how well they would respond to a major incident and then analyze whether it might have an impact on other organizations.
"The next time you have a few minutes and think of DHS protecting our borders, browse through their website. You may be surprised at the diversity of the agency and the information resources available on cybersecurity."
First, you get to practice a cyber incident response within your own organization to see how the incident is handled. Second, you have the opportunity to perform a deep dive into your processes to see how quickly you can respond and recover from an incident. For example, your application uses a self-service password reset. You have 10,000 users and you want to force a password at the next login as a precaution. It should be easy, right? You need to review your application logs to see if you can determine how many passwords reset occurred in the last 30 days. Then, review your helpdesk logs to see how many users needed helpdesk assistance to reset their passwords in the same timeframe. If the percentage that needed helpdesk assistance is 5% or more, you can only imagine how swamped your helpdesk might be if you forced a password reset. Users who have a frustrating experience with your support may not be your users for long as they look for someone else to provide similar services. As a result of a cybersecurity incident exercise, you may need to re-examine your self-service password reset process to determine if the high volume of helpdesk assistance is needed due to the process or if you need to improve user training to help resolve the issue.
Another common issue found in a cybersecurity exercise like Cyber Storm is having current contact information if you need to notify customers of a data breach or exposure. You may need to verify how often your application or website requires users to review and update their profiles, which should include contact information such as email, and physical address when impacted by a data breach to be notified in writing, as this is a requirement by many states.
If you have an opportunity to participate in a Cyber Storm exercise, you will find it well worth your time. After the Cyber Storm exercises I participated in, I started developing other cybersecurity exercises to conduct on my own. I am confident the experience my organization gains during an exercise will pay off should we have a major incident.
The Department of Homeland Security is also a wealth of information on the topic of cybersecurity and offers over 800 hours free training for federal, state, local, tribal, and territorial(SLTT) government personnel, veterans, and federal government contractors through their Federal Virtual Training Environment (FedVTE) online on-demand training system. The next time you have a few minutes and think of DHS protecting our borders, browse through their website. You may be surprised at the diversity of the agency and the information resources available on cybersecurity.