Report: Cooperation Is Required to Protect US Critical Infrastructure
A greater level of cooperation is needed between the Department of Defense and the Department of Homeland Security to ensure that U.S. critical infrastructure is protected against various cyberthreats, according to an inspector general’s report released this week.
The report recommends that both the Defense Department and DHS complete the obligations outlined in a 2018 memorandum that both departments signed, which includes details of responses to a variety of cyberthreats that threatened American critical infrastructure.
Specifically, the report recommends that the Joint DOD-DHS Cyber Protection and Defense Steering Group create milestones to track the progress of completing the 2018 agreement and that both departments do tracking to ensure the agreement is being implemented.
“Specific to the 2018 memorandum, the lack of an implementation plan could result in DOD officials not providing the level of assistance to the DHS needed for the DOD and the DHS to conduct joint operations to protect critical infrastructure; support state, local, tribal, and territorial governments; and jointly defend military and civilian networks from cyber threats,” according to the inspector general’s report, which was published on July 9, but declassified this week.
The report also notes that in the wake of the cyberespionage campaign that targeted SolarWinds and users of the company’s Orion network monitoring platform, close cooperation between the Defense Department and Department of Homeland Security is essential to help protect critical infrastructure.
Investigations into the SolarWinds intrusion found that the attackers specifically targeted 100 private firms as well as nine federal agencies, which included the Department of Homeland Security (see: Former DHS Leader Shares Details on SolarWinds Attack).
“Although the SolarWinds Orion compromise was not related to the lack of an implementation plan, the compromise continues to show the importance and criticality of the DoD’s and DHS’s ability to respond to any and all cyber threats, which would be significantly improved by implementing a plan to accomplish shared goals in the 2018 joint memorandum,” the report notes.
The report notes that the deputy secretary of defense agreed with the recommendations outlined by the inspector general, but the Joint Chiefs of Staff disagreed. The Joint Chiefs, however, are planning to convene the Defense Steering Group to develop a consensus on how to address the concerns outlined in the report.
“Therefore, we consider the planned actions by the Deputy Secretary of Defense and the Joint Staff sufficient to resolve the recommendations. We will close the recommendations once we verify that the action is complete,” according to the report.
The inspector general’s report did not contain a response from the Department of Homeland Security.
The departments of Defense and Homeland Security have signed three separate cybersecurity agreements over the years – in 2010, 2015 and 2018 – according to the inspector general’s report.
These agreements, which also include cooperation from the U.S. National Security Agency and U.S. Cyber Command, have developed various plans to respond to cyberthreats, including assistance that the Defense Department can provide for domestic cybersecurity preparedness and incident response, according to the report.
The 2018 agreement, which was signed by the secretaries of the departments of Defense and Homeland Security at the time, was supposed to continue developing these various cybersecurity plans, but the inspector general’s report found that the “co-chairs of the [Defense Steering Group] stated that they did not develop an implementation plan because they did not intend for the 2018 memorandum to serve as a contractual agreement.”
Regardless, the inspector general report urges both the DOD and DHS to fully implement the cyber plans outlined in the 2018 agreement.
” Without an implementation plan that clearly defines roles and responsibilities and identifies milestones and completion dates, the DOD may not be able to sustain collaboration with the DHS in protecting the nation’s critical infrastructure,” according to the report.
Focus on Critical Infrastructure
In addition to the campaign that targeted SolarWinds, a series of ransomware attacks over the past several months has shone a light on how cyberthreats could damage U.S. critical infrastructure. The U.S. Cybersecurity and Infrastructure Agency, which is part of the Department of Homeland Security, is normally responsible for addressing these types of incidents (see: Ransomware Landscape: REvil Is One of Many Operators).
On Thursday, the State Department announced it would pay out a $10 million reward for information about cyberthreats to the nation’s critical infrastructure. CISA also launched a new ransomware resources website called StopRansomware for businesses, individuals and organizations that need to learn more about these threats (see: US Offering $10 Million Reward for Cyberthreat Information).