Department of Homeland Security U.S. Department of Homeland Security building in Washington, D.C. Photo: Diego M. Radzinschi/ALM

A recent cybersecurity strategy issued by the U.S. Department of Homeland Security lays out a framework for improving risk management and response in both the federal and private sectors. It also marks the latest attempt in the often difficult battle to encourage information sharing between the two.

Issued May 15, the strategy outlines a vision for a “more secure and reliable cyber ecosystem, through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.” Such cross-industry and sector collaboration has long been advocated by cybersecurity experts, many of whom believe that it increases awareness and fosters new, innovative approaches to preventing and addressing threats.

Rob Silvers, formerly DHS assistant secretary for cyber policy under the Obama administration, told Legaltech News that the strategy “has actually been in the works for some time.” While he doesn't believe there's “anything earth shattering” in the guidance, Silvers said it's “very significant” in outlining how DHS plans to “focus its energy and resources” while highlighting the “importance of securing federal IT systems.”

“DHS is putting itself out in the lead in terms of being the government agency that is in charge for setting the bar for cybersecurity best practices and encouraging industries to adopt them,” said Silvers, now a partner in Paul Hastings' cybersecurity practice. While compliance with such measures is voluntary, the strategy “becomes influential. And it's important to have a designated go-to agency that is thinking outside the context of a particular case or investigation [about] how we are elevating cybersecurity across the broader ecosystem.”

The strategy lays out seven cybersecurity goals involving identifying, preventing and addressing risks for both federal and private agencies. It also places special emphasis on threats to critical infrastructure, such as communications, health care, energy and transportation, and highlights the national risks presented by “the proliferation of technology,” which it says are “substantial.”

Secretary of Homeland Security Kirstjen Nielsen said in a statement that the United States has “reached a historic turning point” in the cyberthreat landscape.

“Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself,” Nielsen said. “In an age of brand-name breaches, we must think beyond the defense of specific assets—and confront systemic risks that affect everyone from tech giants to homeowners. Our strategy outlines how DHS will leverage its unique capabilities on the digital battlefield to defend American networks and get ahead of emerging cyber threats.”

The DHS strategy notes that private sector collaboration is imperative to bettering cybersecurity standards and practices, such as in protecting critical infrastructure, countering “illicit uses of cyberspace,” and working with the “critical shortage of cybersecurity talent globally.”

Global cybersecurity is indeed in a dismal state. 2018 alone has seen an influx of reports of major breaches, with Saks Fifth Avenue parent company Hudson's Bay, Delta Airlines, and Under Armour among victims. The public sector has also seen its share of challenges. The city of Atlanta was victim of a major breach this year, as was the Democratic Party right before the 2016 presidential elections.

“I don't think anybody right now would claim to be satisfied by the state of cybersecurity around the world. It's clear that attackers have significant advantage over defenders,” Silvers said. “But I do think the defensive capabilities keep towering, and some of that will be driven by technology.”

Silvers said that while at DHS, he started a program that relied upon technology to automate information sharing with private and public sector entities upon the discovery breach, something he expects has continued under the administration of President Donald Trump. He also noted that DHS currently has servers to which companies can connect and exchange “cyber threat indicators.” Upon receipt of such information, DHS anonymizes the info, then distributes it to industry partners.

The DHS strategy also emphasizes the importance of collaborating with other federal agencies, such as U.S. General Services Administration, the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and “those responsible for protecting military and intelligence networks to deliver cybersecurity outcomes for the federal enterprise.”

How this may be carried out in practice, however, is a different question. Stephen Lilley, former chief counsel to the U.S. Senate Judiciary Committee's Subcommittee on Crime and Terrorism, told LTN that the agencies “have missions that in places overlap, and others that are very different. And unless everybody is pulling in the same direction,” a “ripple effect” could have considerable consequences for cybersecurity.

“It's like an orchestra. You've got a lot of different agencies playing different instruments. Unless you've got a conductor, it could really messy, really quickly,” he said.

In Lilley's view, having a conductor is “very important,” and is perhaps why many were concerned about the White House's decision to eliminate the role of cybersecurity coordinator at the National Security Council. Currently partner at Mayer Brown, Lilley noted that while working on Capitol Hill, it was a “natural sort of tendency” of every government agency to “pursue their own mission” first and foremost.

“There's incredible value” in having the government “coherently bring everyone into the room” to ensure efforts are aligned, he noted.

Yet there remain challenges to encouraging the private sector to share information as well. Lilley noted that private companies sometimes resist sharing information with the federal government because they believe a regulator will misconstrue it, which could compromise breach response efforts.

“Information sharing is one of those cyber goals everybody supports and is actually quite hard to implement in practice,” he said. “It's gotten better over the past five years and will continue, but will take sustained effort from entities like DHS to continue to educate, explain benefits, and help companies through the process.”