On April 17, 2018, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen delivered a keynote address at the RSA Conference.  A copy of her prepared remarks is available here.  Secretary Nielsen’s remarks highlighted efforts by DHS to address the evolving cybersecurity threats to our country’s critical infrastructure.

Secretary Nielsen set the stage by describing the realities of the cyber threat landscape:  2017 was a landmark year in terms of cyberattack volume, with nearly half of all Americans having their sensitive personal information exposed online and ransomware attacks spreading to more than 150 countries.  The Secretary stated that cybercrime damages are estimated to reach $6 trillion annually[1] by 2021, and suggested that the emergence of internet-connected devices could make us even more vulnerable to cyberattacks.

To address evolving cyber threats and more sophisticated threat actors, Secretary Nielsen posited a five-part approach that DHS is taking to support a “more forward-leaning posture” in the cybersecurity area.  Those five approaches are summarized below:

Systemic Risk.  Secretary Nielsen stressed that “single points of failure, concentrated dependencies and cross-cutting underlying functions” can have cascading and unintended consequences across an entire sector.  Although she did not offer much detail, the Secretary noted that DHS is working with users, buyers, and tech manufacturers to identify and resolve unseen security gaps, including identifying companies in the supply chain whose risks may go unnoticed.  She also suggested that government contractors and technology companies have an active role to play in this process, such as helping to identify systemic risks and flagging unseen or newer ones.

Collective Defense.  Due to the hyper-connectivity of systems and assets throughout the country, the Secretary stated that industry plays an important role in securing cyberspace.  Secretary Nielsen highlighted DHS’ Automated Indicator Sharing (AIS) initiative, through which companies share cyber threat indicators (CTIs) with DHS (such as a malicious IP address), which then anonymizes the CTIs and shares them with other participants in the AIS initiative.  She also encouraged the creation of industry-specific initiatives, like the Financial Systemic Analysis and Resilience Center (FSARC).  FSARC is an Information Sharing and Analysis Center that was started by multiple banks in 2016 as a way for industry stakeholders to work together to fight emerging cybersecurity threats.

Rethink the Federal Role.  Secretary Nielsen suggested that the federal government has a greater role to play in correcting cyber market failures through empowerment, rather than through regulation.  The Secretary described “empowerment” as a two-fold approach, one for each side of the market curve:  first, helping programmers and technologists build better defenses into their product designs to enable better supply-side security; second, educating consumers to be more security conscious in their preferences, so as to help drive demand-side security.  As the Secretary noted, “[w]hy sell a $30 cyber-secure pedometer for marathon runners when you can sell a basic version for $5?  And who wants to buy the $30 version?”  Secretary Nielsen believes that DHS has a role to play on both sides of the curve, specifically by raising public awareness of these very real cyber risks and by convincing consumers that the added costs for cyber protection are necessary.

Advanced Persistent Resilience.  Secretary Nielsen recognized that cyberattacks will continue to impact systems no matter the amount of preventative measures taken.  Thus, she explained the need for “advanced persistent resilience,” or the ability for systems and assets to continue to deliver intended outcomes even in the face of continued cyberattacks.  She cited the recent ransomware attack on the City of Atlanta as an example of what happens when governmental systems lack built-in redundancies—public services are either slowed or fully stopped.  She also highlighted the need to protect election infrastructure, and pointed to DHS’ efforts to build redundancies into the state, local, and private sector levels.

Cyber Deterrence.  Finally, Secretary Nielsen stressed the need to better deter illicit cyber behavior.  Equating cybersecurity with national security, she advocated that the United States cannot stand on the sidelines whenever networks are compromised or assets are modified or stolen by bad actors.  She stated that the United States will increasingly utilize its response options to call out, punish, and deter future cyber hostility.

In concluding her remarks, Secretary Nielsen appealed to the RSA conference attendees to work together with DHS in policing cyberspace to stay ahead of threats while not stifling innovation.  Her keynote address demonstrates the increasing need for government contractors to plan for cyberattacks, and the growing role they can play in assisting governmental actors in combating and responding to cyber threats.

[1] Secretary Nielsen’s prepared remarks cite to the following source:  https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949, and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Co-Chair of the ABA Public Contract Law Procurement Division, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.