The U.S. government can’t manage cybersecurity threats from Russia and China on its own and it needs private businesses to help, Homeland Security Secretary Kirstjen Nielsen said Monday.
She said industry should follow government’s lead in not building products with technology from companies that might pose cybersecurity risks, such as Russia's Kaspersky and China's Huawei. Companies should also alert DHS about digital vulnerabilities, including those that would allow hackers to compromise public safety or steal vast amounts of computing power.
And most importantly, businesses should actively strategize with DHS about how to collectively respond to cyberattacks before they happen, Nielsen said during her annual State of Homeland Security address.
That’s a stark contrast to the past few years when government has saved its most intense contacts with industry for after digital assaults -- not before one actually happens.
The picture Nielsen painted was of a far more active relationship between government and industry on cybersecurity threats than what exists today. But it’s a model government has been trying to build during the past year, including with a mammoth public-private effort to map and protect the nation’s most vital digital assets.
Nielsen described the shift as moving beyond the “whole-of-government approach” to cybersecurity protections — the mantra top government officials have touted the past several years as they seek to coordinate among digital defenders, law enforcement, policy officials to combat cybersecurity threats.
“The idea that we can prevail with so-called ‘Whole of Government’ efforts is now an outdated concept. It’s not enough,” Nielsen said. “We need a ‘Whole of Society’ approach to overcome today’s threats.”
That society-wide effort is necessary, she said, because the threat posed by cyberattacks is greater than the threat of terrorism — and neither government nor industry is prepared to face the threat alone.
“Today, I am more worried about the ability of bad guys to hijack our networks than their ability to hijack our flights,” Nielsen said. “America is not prepared for this. Your average private citizen or company is no match against a nation-state such as China, Iran, North Korea or Russia. It is not a fair fight. And until now our government has done far too little to back them up.”
Government has increasingly contacted private companies in the past year to brief them on new digital threats — including a comprehensive webinar in February on the shifting tactics of Chinese hackers. And the U.S. will increasingly urge companies to cut ties with foreign companies suspected of spying on behalf of their governments -- even beyond China’s Huawei and the Russian anti-virus company Kaspersky.
“Our adversaries are using state-owned companies as a ‘forward-deployed’ force to attack us from within our supply chain,” she said. “So, we are working with industry partners to identify and delete these bugs and defects from our systems.”
DHS issued a directive in 2017 requiring federal agencies to remove Kaspersky from their computer networks. If the department determines that other companies pose a similar spying threat, it won’t hesitate to issue a similar directive banning them — and the department will also “do all we can to encourage the private sector to do the same,” Nielsen said.
Her ultimate message: This is an assault that touches every aspect of society and we’ll have to be unified in our response.
“It’s not just U.S. troops and government agents on the front lines anymore,” Nielsen said. “It’s U.S. companies … It’s ordinary Americans. Threat actors are mercilessly targeting everyone’s devices and networks. They are compromising, co-opting, and controlling them. And they are weaponizing our own innovation against us.”
Author: Joseph Marks
Article from: The Washington Post