After a cyberattack, much attention is paid to who the responsible party could be. But helping organizations protect themselves, respond to and recover from incidents is vital to the resiliency of the nation. The U.S. Department of Homeland Security (DHS) works broadly to manage all manner of cybersecurity risks, regardless of the individual threat actor.
This In Focus describes DHS's cybersecurity missions and how the Department interacts with others to accomplish them.
DHS's Cybersecurity Missions
DHS has a variety of cybersecurity missions, which span the spectrum of prevention, protection, mitigation, response and recovery. In operating along this spectrum, DHS seeks to assess cyber risks and use its understanding of those risks to promote security and resilience of information communication technology (ICT) systems. When a cyber incident occurs, DHS has capabilities and authorities to provide direct assistance to the victim (both federal and nonfederal) to help that victim recover from the incident.
Information Sharing
DHS seeks to improve the cybersecurity of the nation by sharing information among federal entities and with nonfederal entities (e.g., state governments and the private sector). This can be classified information from an intelligence community source, sensitive information from an industry partner, or unclassified information that is being promulgated through DHS's communications channels. However, information sharing by itself does not improve cybersecurity. That requires someone (e.g., a system administrator or an end user) to change a behavior in response to learning the shared information.
Federal Network Security
DHS monitors for threats against federal agencies and takes actions (either unilaterally or in collaboration with other agencies) to respond to threats. DHS can block malicious internet traffic before it enters an agency, inform an agency when it has a vulnerability, direct agencies to mitigate threats, and provide technical assistance to agencies to respond to cyber risks. The Federal Information Security Modernization Act of 2014 (P.L. 113-283) codified the role that DHS plays in securing federal networks along with the role that OMB, the National Institute of Standards and Technology (NIST), and the individual agencies play.
Critical Infrastructure Protection
DHS identifies entities among the 16 critical infrastructure sectors (as set forth in Presidential Policy Directive 21) and works with them to mitigate risks, regardless of whether those risks are natural (like a hurricane) or man-made (like a cyberattack). DHS conducts risk assessments of entities, provides technical assistance to achieve security (before, during, and after an incident), and shares information with entities to encourage changes in security postures. The department does this as part of the critical infrastructure protection mission granted to DHS by the Homeland Security Act of 2002 (P.L. 107-296, as amended) and as part of specific cybersecurity authorities granted in the National Cybersecurity Protection Act of 2014 (P.L. 113-282), the Cybersecurity Act of 2015 (P.L. 114-113, Division N), and the Cybersecurity and Infrastructure Security Agency Act of 2018 (P.L. 115-278).
Law Enforcement
DHS can investigate a variety of cybercrimes through the department's law enforcement agencies. These crimes include those enabled by the use of ICT, such as intellectual property theft or financial theft. Many criminal endeavors also carry a cyber element, such as the smuggling of money across borders through the use of cryptocurrencies and stored-value cards.
Research and Development
Through its components and the Science and Technology Directorate, the department funds research and development into technologies with the objective of improving cybersecurity and transitioning those technologies to wide adoption.
Mission Execution by DHS Components
There are many entities within DHS that execute the department's cybersecurity mission. Below are a few DHS components with cybersecurity roles.
Cybersecurity and Infrastructure Security Agency (CISA)
CISA is the primary DHS component involved with cybersecurity. CISA coordinates civilian cybersecurity activities and serves as the primary interface between the nonfederal entities and the federal government. CISA also performs stakeholder outreach, develops policies and implementing guidance for federal agency cybersecurity, and deploys tools for cybersecurity. CISA is also the sector-specific agency for many sectors, including information technology (IT), Communications, Dams, Nuclear Facilities, and Government Facilities (including election infrastructure).
U.S. Secret Service (USSS)
USSS investigates crimes against the financial sector and threats online and in IT as part of its mission to protect the President and dignitaries.
Immigration and Customs Enforcement (ICE)
ICE's Homeland Security Investigations (HSI) investigates crimes on the internet such as intellectual property theft, currency smuggling, and child exploitation, among others.
Transportation Security Agency (TSA)
TSA, as the sector-specific agency for the transportation sector, has the responsibility to assess risks to the sector, share information on mitigating those risks and coordinate activities for risk mitigation. Through its regulatory authority, TSA also imposes security and reporting requirements on transportation facilities (e.g., pipeline operators, airports, and railways).
U.S. Coast Guard (USCG)
USCG, as the sector-specific agency for the maritime sector, assesses risks to the maritime industry, shares information, and works with the industry to mitigate those risks. Additionally, as a military branch, USCG has further cyber responsibilities to the Department of Defense.
Federal Emergency Management Agency (FEMA)
FEMA is the lead federal agency responsible for emergency response. It works with CISA on cyber response planning and ensures that the planning aligns with the doctrine established in the National Response Framework (NRF). FEMA and CISA also partner to administer grants to state and local governments.
Specific Programs
DHS operates programs across components to execute against the variety of its cybersecurity missions. Below are a few such programs, but it is not an exhaustive list.
Working with Others for Cybersecurity
DHS serves a national customer base when delivering cybersecurity capabilities and developing policies. However, these customers may be divided into two main groups: the .gov domain and the .com domain—or, as described in the National Cybersecurity Protection Act of 2014, federal and nonfederal entities. DHS has the power to compel federal agencies to act, but must collaborate and entice nonfederal agencies to act.
Federal Agencies (.gov)
DHS has specific authorities with regard to federal agency cybersecurity. As such, DHS has established forums and coordination mechanisms to work with agencies to improve agency cybersecurity, and it has other mechanisms to work with agencies toward national cybersecurity. DHS must deploy security technologies on agency networks to improve the security of the .gov domain. In doing so, DHS has a process to obtain and maintain agreements with individual agencies for the use of that technology. DHS uses the federal chief information officer (CIO) and chief information security officer (CISO) councils, which discuss federal IT security broadly. DHS also collaborates with other agencies, like NIST and the DOE national laboratories, to develop and promulgate cybersecurity best practices for federal and nonfederal entities.
Private Sector (.com)
DHS works with the IT sector to develop and implement improved cybersecurity tactics that could be deployed nationally. During the Obama Administration, policies were created to position DHS as the lead federal agency for interacting with the private sector on a variety of security matters. Presidential Policy Directive 41 (PPD-41) states that DHS is the lead for asset response, or helping victims of cyberattacks recover. This does not replace the FBI's responsibility for criminal investigation, as PPD-41 states that the FBI is the lead for threat response. Nor does it detract from DOD's capabilities, as it is long-standing policy for military capabilities to supplement civilian capabilities when necessary, as part of Defense Support for Civil Authorities (DSCA). Viewed another way, domestic cybersecurity is primarily a civilian matter rather than a military or law enforcement matter. However, the military and law enforcement agencies bring capabilities that can assist the private sector.
The Cybersecurity Act of 2015 establishes DHS as the portal for sharing information between the private sector and the government. DHS is obligated to inform other federal agencies of pertinent information without delay.
International
CISA works with international partners to collaborate on operations, share information with national-level response teams, and influence the ecosystem. Some specific activities include engaging with standards development and participating in exercises to build confidence and capabilities.
Document ID: IF10683