The Homeland Security Department needs to do a better job anticipating cyber threats on the horizon on top of defending against yesterday’s attacks, according to Secretary Kirstjen Nielsen.
Both efforts will rely heavily on partnerships with industry and the cyber research community, she said.
“The rate at which the threats and risks are emerging is outpacing our ability to identify and assess and address them,” Nielsen said Tuesday at the agency’s cyber and innovation showcase. “The discipline of understanding what is emerging is where I find we are lacking. Failure to look at the future or limiting our thinking based on what we’ve observed in the past, those in and of themselves are risks.”
The remarks came a day after Nielsen highlighted cyberattacks as the biggest threat facing the country today. On Monday, the Trump administration also outlined plans to allocate some $17.4 billion to cybersecurity efforts across government in fiscal 2020.
As American society grows increasingly network-connected and digital adversaries look for new ways to damage critical infrastructure, Nielsen said her department’s success will hinge on its ability to “innovate while under attack.” And that’s something the agency isn’t necessarily used to doing, she said.
In the physical world, officials learn from prior incidents and strengthen defenses to prevent them from happening again, Nielsen said, but the high frequency and rapid evolution of cyber threats require them to both constantly recover from attacks and anticipate adversaries’ next moves. As the agency works to harden the rest of government against the latest threats, it will need industry to help predict where the next attack could come from.
“We’re truly in a situation where if we prepare individually we will fail collectively,” she said. “We have to work together.”
Chief among the department’s cyber priorities is fortifying the government’s digital infrastructure, Homeland Security officials said during the event.
Legacy systems create constant underlying threats for agencies, Nielsen said, citing IT modernization as the one thing she would do to make government more effective.
Chris Krebs, who leads the Cybersecurity and Infrastructure Security Agency, said the department’s Continuous Diagnostics and Mitigation program remains his “top priority from a pure budgetary-risk perspective.”