Department of Homeland Security (DHS) Secretary Alejandro Mayorkas on March 31 previewed six “sprints” planned by DHS and its Cybersecurity and Infrastructure Security Agency (CISA) component throughout 2021 to bolster Federal cybersecurity across a range of areas including ransomware, industrial control system (ICS) security, and workforce development.
In prepared remarks at a virtual event hosted by RSA, Mayorkas said each sprint will play out over 60 days and will address “the most important and most urgent priorities needed to achieve our goals.” The sprints, he said, “will mobilize action by elevating existing efforts, removing roadblocks, and launching new initiatives where necessary.”
Ransomware in the Crosshairs
The first sprint will focus on ransomware attacks, which have been on the rise, particularly during the coronavirus pandemic, and which often victimize organizations with less sophisticated cyber defenses, such as hospitals and schools.
He said DHS “in the coming weeks” will “step up our efforts to tackle ransomware on both ends of the equation,” including launching an awareness campaign and engaging with industry partners including insurance companies.
“With respect to responding to ransomware attacks, we will strengthen our capabilities to disrupt those who launch them and the marketplaces that enable them,” Mayorkas said while declaring that ransomware “now poses a national security threat.”
Mayorkas said DHS next month will launch the second in the series of sprints, this one focused on workforce development.
“Front and center is support for our current workforce, who have done a heroic job protecting the election and now responding to two major incidents,” he said. The sprint will include launching a DHS “Honors Program” with an initial focus on cybersecurity, expanding an existing cybersecurity education and training program aimed at teachers, and stepping up the agency’s diversity-equity-inclusiveness (DEI) strategy “to ensure we are attracting, developing, and retaining the best diverse talent.”
“Beyond DHS, we will champion DEI across the cyber workforce of the entire federal government,” he said.
ICS and Beyond
Mayorkas said the third sprint will focus on “mobilizing action to improve the resilience of industrial control systems,” and is set to launch “later this summer.”
The final three sprints will target improving protections for transportation systems, safeguarding election systems, and advancing international capacity-building efforts.
Mayorkas also spoke about the SolarWinds Orion supply chain hack, and said dealing with that “cannot be done in a sprint, as it will take months or even years to fully implement.” He said the SolarWinds Orion exploit also points to the need for risk-based security approaches and an eventual move to zero trust security concepts.
“While some risks are clearly associated with certain foreign companies and governments, we need a risk-based approach to ensure we address all systemic supply chain risks,” Mayorkas said. “Bearing in mind that 100% cybersecurity is not possible, this includes considering zero trust architectures where needed to reach the level of resilience required.”
Finally, the DHS Secretary talked about the transition to post-quantum encryption algorithms, which is necessary to stay ahead of quantum science developments that can more easily defeat existing encryption structures.
“The transition to post-quantum encryption algorithms is as much dependent on the development of such algorithms as it is on their adoption,” he said. “While the former is already ongoing, planning for the latter remains in its infancy. We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future.”
“This is a priority and DHS will start developing a plan for how it can help facilitate this transition,” Mayorkas said. “Considering the scale, implementation will be driven by the private sector, but the government can help ensure the transition will occur equitably, and that nobody will be left behind.”