2020’s ‘War on Pineapple’ and More For Cyber Resiliency at DHS

The Cybersecurity and Infrastructure Security Agency (CISA) was the most public-facing agency within the Department of Homeland Security this year, driving home its role as “the nation’s risk advisor” during its first year as an agency. In 2020, CISA looks to amplify that aspect of its mission ahead of the next presidential election with its #Protect2020 and #WaronPineapple campaigns, which the agency aims to promote awareness around election security and disinformation, respectively.

In addition to promoting awareness, CISA made strides this year in collaborating on election security with local and state governments. With CISA’s guidance, nearly all states will offer paper ballots in 2020, said CISA Director Chris Krebs at the CISA Cybersecurity Summit in September. There are one or two states that may not offer them by 2020 due to budget concerns, he added, but the election agencies see the federal government as a “dependable partner” in the process, and the push toward paper ballots and other secure systems has influenced what vendors sell.

Looking toward 2020, CISA is likely to encourage Congress to appropriate a steady stream of funding for election security — “something [agencies] can set their budgets and clocks by,” Krebs said – providing support for both near-term and long-term security concerns and innovation opportunities.

While election security was the focus for CISA in 2019, and will continue to be a focus in 2020, it is by no means the only initiative for the agency. Other highlights include the Continuous Diagnostics and Mitigation (CDM) program and ransomware protection.

CDM has evolved over 2019 to provide greater coverage of agency networks while also remaining flexible for agencies to find the tools that work best for their systems. 2019 saw the implementation of five CDM areas: the dashboard, asset management, identity and access management, network security management and data protection management. CISA expects that the federal dashboard will be deployed in 2020, and that the program will improve government-wide security through CDM data.

“In fiscal years 2019 and 2020, we really need to focus on the operationalization of CDM,” said CDM Program Manager Kevin Cox at the MeriTalk CDM Central Event in October. “It’s about getting the value of getting the tools out there, but [also] being able to utilize the data coming up from those tools to really help inform agency processes.”

Cox added that as of October, CISA has added over 245,000 tools to its approved products list, giving agencies a tremendous range of options for solutions to implementing CDM guidelines. This approach underscores the importance of the capabilities and outcomes of CDM, rather than the tools.

“One of the things that [SBA’s CDM pilot program] showed us about CDM is that it’s not about the tools,” said DHS CISO Paul Beckman, speaking at GovernmentCIO Media and Research’s State of Cyber CXO Tech Forum. “It’s about the data. It’s about the capabilities. CDM was always supposed to be a capability gap-filler.”

Ransomware was one of the fastest-evolving security concerns in 2019, as highlighted by the ransomware attacks in Baltimore, Texas and Louisiana. These attacks revealed that users are a common vulnerability in cybersecurity — irrespective of the perimeter’s strength — underscoring the need for training across all sectors. The other lesson learned was that it is far easier and less costly to prevent a ransomware attack than it is to recover from one, making a proactive approach all but essential.

“Nobody is shrugging the threat off,” said Krebs, adding that CISA is “evolving our approach” to such attacks. “Resiliency” is the word to look for in 2020, both in terms of how agencies design their systems and training with a better understanding of their users and potential vulnerabilities, as well as how CISA anticipates future attacks on availability and integrity.

Elsewhere at DHS, agencies began to integrate emerging technologies like new biometric identity verification systems and containerization into their processes and systems.

The Office of Biometric Identity Management (OBIM) transitioned from the Automated Biometric Identification System (IDENT) to the Homeland Advanced Recognition Technology (HART) system, a remarkable shift considering that IDENT was originally created in 1994.

“We are making a significant strategic shift from our enterprise data centers into the government cloud,” said David Grauel, OBIM’s replacement biometric system program manager, speaking at Connect:ID 2019 in April.

The shift to HART represents not only a transition to cutting-edge technology, but also a move away from legacy systems, one of the most expensive components of federal IT to operate and maintain.

New identification technology also yielded new use cases for DHS.

“We developed DNA [technology] originally for refugees and looking at families related [to those refugees] as they claimed,” said Christopher Miles, the deputy director of standards, integration and application at DHS.

After designing the technology, Miles learned that other agencies within DHS, like FEMA, were interested in ID technology for identification not only for border security, but also for natural disasters and other mass casualty events.

“We worked with FEMA local representatives and planned ahead and participated in a number of exercises, and those certainly prepared us [for disaster response],” he said.

Containerization — breaking large applications into easily configurable microservices — was a major change in both technology and the development approach in 2019 at the U.S. Citizenship and Immigration Service (USCIS). The process began with making it easier for development teams to work with the agency’s immigration application case management system, Ellis, and has widened into use of container technology across USCIS as well as a new mindset toward change management.

“Find a way to incentivize the development community to do it themselves,” said USCIS Cyber Defense Branch Chief Adrian Monza in November, “and that lets you focus your time, effort and energy on the things that matter. If you’re not going to sit down and have a discussion about a change, then why are you approving or reviewing it in the first place? Just get going.”

The U.S. Citizenship and Immigration Service (USCIS) will continue to innovate in 2020, thanks in part to the mindset its leadership brings to IT. For example, USCIS CISO Shane Barney has outright banned the use of the word “compliance” in his office, instead focusing on strategies for risk assessment.

“[Compliance] makes an assumption that you can check a box, and now you’re secure,” he said at the Billington Cybersecurity Summit in September. “Security is a proactive game.”