DHS Secretary Kelly: ‘No more muskets … federal cybersecurity needs heavy artillery’

S1VisionSpeechPhoto1.jpg

Homeland Security Secretary John Kelly speaking at George Washington University for his "Home and Away" speech on April 18, 2017. (Photo Credit: DHS)

Department of Homeland Security (DHS) Secretary Gen. John Kelly (ret.) gave a sweeping speech on Tuesday covering broad DHS initiatives, ranging from the prevention of domestic terrorism and international human smuggling to the security of physical borders and digital cyberspace.

Kelly surveyed a long list of threats to the U.S. homeland, which included the usual suspects but also some less frequently observed, including the “plodding pace of bureaucracy” and the danger of “going it alone” on cybersecurity, which Kelly noted in written remarks prepared ahead of the speech.

U.S. critical infrastructure is “being bombarded on a daily, even an hourly basis,” Kelly said, and sometimes the motive is merely “to create havoc.” Last year alone, the U.S. Secret Service “prevented half a billion dollars in cyber losses,” Kelly’s written remarks noted, citing the Secret Service’s 2016 Office of Investigations statistics.

Throughout the speech, Kelly stressed the importance of teamwork, collaboration and partnership – both within DHS and with other governmental and private entities.

The speech, entitled “Home and Away: DHS and the Threats to America,” was delivered at the George Washington University Center for Cyber and Homeland Security just days after Kelly told NBC’s Meet the Press that, amid ongoing tensions with North Korea, “A kinetic threat against the United States right now I don’t think is likely, but certainly a cyber threat” is present.

In prepared remarks, Kelly called for “a new approach to cyber,” while cautioning of “a long fight ahead.” The speech was light on details of emerging plans and specific policies.

Kelly warned in written remarks that bureaucratic paralysis in the face of a rapidly evolving cyber threat scape could result in the cyberspace equivalent of “sending troops to take Fallujah armed with muskets and powdered wigs.” Kelly’s remarks further urged, “We have to be proactive, and we have to think differently.”

[Editor’s Plug: Find out how to get proactive by checking out our free editorial white paper on the topic, “Getting Aggressive.”]

Perhaps partly reflecting the broader philosophy of the Trump administration, while in agreement with experts such as former NSA Director and the first Commander of U.S. Cyber Command Gen. Keith Alexander (ret.), Kelly’s written remarks noted that DHS is looking to strengthen ties with private industry partners to “build in resilience to our digital and physical infrastructure.”

Resilience is an oft-cited goal of experts in cybersecurity and closely related to the concepts of continuity of operations (or business continuity planning in the private sector) and disaster recovery. Resilience means the ability of critical infrastructure to retain functionalities and continue operating during and after disruptions, ranging from natural disasters to cyberattacks.

Kelly’s remarks noted that commercial technology paired with the government’s “unique capabilities” would allow the U.S. to “aggressively defend our federal networks against the endless stream of cyberattacks.”

“No more muskets,” Kelly’s remarks said. “Our federal cybersecurity needs heavy artillery.”

Concurrent with internal DHS initiatives, Kelly’s remarks noted, “[W]e’re striving to foster a culture where organizations of all stripes – from Main Street to Wall Street – are able to defend themselves against cyber threats.”

The need for the private sector to deploy effective cybersecurity is particularly important in the U.S., where over 80% of information technology infrastructure is privately owned and operated, according to former CIA Director John Brennan.

Currently, DHS is charged with cybersecurity across federal civilian government – the so-called .gov domain, which is distinct from the .mil domain that DoD is charged with securing. Yet, the precise role that DHS, U.S. Cyber Command and even the Department of Defense should take in protecting U.S. private networks has been a point of debate.

In November, then-President elect Donald Trump called for the DoD and the U.S. Joint Chiefs of Staff to “develop a comprehensive plan to protect America’s vital infrastructure from cyberattacks and all other form of attacks.” The status of such a plan, if in development, is not currently known to the public.

More recently, proposed legislation aims to allow private companies to undertake “active cyber defense measures.” Some have noted that the legislation is “a slippery slope with a number of negative effects.”

In January 2016, the Government Accountability Office released a report criticizing DHS’s cybersecurity initiatives. DHS had already been under sustained political pressure since the discovery of the 2014-2015 Office of Personnel Management hack, in which extensive background information on tens of millions of U.S. government and military personnel with security clearances was stolen. China is widely believed to have been behind the hack.

The GAO report was especially scathing in its criticism of the effectiveness of EINSTEIN, DHS’s intrusion detection and protection system, and resulted in a series of congressional hearings. The most recent occurred last month.

Admitting surprise to find himself now heading a federal agency, Kelly began his speech with a bit of understated humor. “When I retired from the Marine Corps 45 years and more ago, my biggest fear, frankly, at the time, was being offered another full-time job, particularly in the government,” he told the audience. “And I certainly didn’t want to go up and down the Beltway every day … I didn’t like the bureaucracy, but here I am today.”