We've all seen statements from leaders in government (and business) that contain a lot of words but little meaning.
Just the opposite was true as U.S. Secretary of Homeland Security Alejandro Mayorkas spoke this week, in stark terms, about the state of cybersecurity in the United States.
He unpacked foundational principles for the future of information security efforts. We'll look at those in a moment.
Ways the U.S. is failing at cybersecurity right now
Before looking to the future, however, the DHS Secretary spoke openly about three ways we are falling short in the security space. Here they are:
- "First, the government does not have the capacity to achieve our nation's cyber resilience alone. So much of our critical infrastructure is in the private sector's hands. We need to work with the private sector to protect the interests of the American people and the services on which we rely."
- "Second, our government got hacked last year and we didn't know about it for months. It wasn't until one of the world's best cybersecurity companies got hacked itself and alerted the government, that we found out. This incident is one of many that underscores a need for the federal government to modernize cybersecurity defenses and deepen our partnerships."
- "Third, the government seeks to speak with one voice but too often we speak through different channels, which can confuse and distract those who need to act on our information and act fast."
5 cybersecurity changes the United States plans to make
Secretary Mayorkas then moved on to his vision for how the Department of Homeland Security will move ahead in its fight to improve cybersecurity and defend the U.S. against cyber threats.
He says these are the foundational principles that will guide DHS work:
"To start, we cannot ignore the broader geopolitical context and democratic backsliding that is happening around the world. Far too often, cybersecurity is used as a pretext to infringe on civil liberties and human rights.
Make no mistake: a free and secure cyberspace is possible, and we will champion this vision with our words and our actions."
- "Second, we must fundamentally shift our mindset and acknowledge that defense must go hand in hand with resilience. Bold and immediate innovations, wide-scale investments, and raising the bar of essential cyber hygiene are urgently needed to improve our cyber defenses. We need to prioritize investments inside and outside of government accordingly.
At the same time, I promised hard truths and one hard truth is that no one is immune from cyber attacks, including the federal government or our most advanced technology companies. While one can reduce the frequency of incidents through modernized defenses, ultimately it is not a question of if you get hacked, but rather when. We must therefore also bolster our capacity to respond when incidents do happen."
- "Pursuing cyber resilience requires a third principle, namely a focus on a risk-based approach. Determining what risks to prioritize and how to allocate limited resources is crucial to maximizing the government's impact. A fact-based framework needs to guide the assessment of risk at home and abroad."
- "Relatedly, addressing the most important risks is a shared responsibility. We must strengthen collaboration between the private sector and government to generate the insights necessary to detect malicious cyber actors. If actionable, timely, and bidirectional information is not distributed quickly, malicious cyber actors will gain the advantage of more time to burrow into systems and inflict damage."
- "The final principle is to integrate diversity, equity, and inclusion—or DEI—throughout every aspect of our work. Developing sound public policy requires diverse perspectives from communities that represent America. It requires the recruitment, development, and retention of diverse talent. It requires equal access to professional development opportunities to fill the current half million cyber vacancies across our country and to prevent future shortages that threaten our ability to compete."
The DHS Secretary also spoke at length about the Cybersecurity and Infrastructure Security Agency (CISA) and how it is best positioned to help carry out the cyber mission across government and into the private sector.
He called CISA the "nation's cyber quarterback."
Read the complete cybersecurity statement of U.S. Secretary of Homeland Security Alejandro Mayorkas.
DHS Secretary: Cyber crimes impacting 'real people'
The Secretary also shared some ominous statistics from federal agencies:
"According to the FBI, the reported losses tied to cybercrime exceeded $4.1 billion last year alone. The Secret Service arrested more than 1,000 people for cyber-financial crimes and prevented over $2 billion in potential fraud losses.
These numbers highlight that cybersecurity is not some abstract concept or a threat limited to the government or critical infrastructure. Hackers target American citizens directly every day and impact their lives at a time when we have experienced unprecedented hardships."
[RELATED] Ransomware has been a growing cyberthreat, with devastating consequences over the last year. See the Trend Micro report, "State of Ransomware: 2020's Catch-22."