In accordance with Section 101 and Title I of the SECURE Technology Act (P.L. 115-390), this policy provides security researchers with clear guidelines for (1) conducting vulnerability and attack vector discovery activities directed at Department of Homeland Security (DHS) systems and (2) submitting those discovered vulnerabilities. This policy has been developed in consultation with the Attorney General, the Secretary of Defense, the Administrator of GSA, and non-governmental security researchers.
In response to reports of an increase in cybersecurity threats, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher C. Krebs issued the following statement:
“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.
U.S. Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) Office of Cybersecurity and Communication Assistant Secretary Jeanette Manfra addresses DHS’ ongoing and collaborative efforts to strengthen the cybersecurity of the Nation’s critical infrastructure.
DHS S&T has awarded 418 Intelligence Corporation of Herndon, Virginia, $350,000 to develop a forecasting platform that will help critical infrastructure owners and system operators share and keep abreast of the latest developments in cybersecurity protection.
DHS S&T has awarded StackRox, Inc. of Mountain View, California, a $200,000 contract to harden the cyber defenses of financial institutions.
As Secretary of Homeland Security, I am often asked “who’s responsible within the federal government for cybersecurity? Who in the government do I contact in the event of a cyber incident?”
Secretary Johnson today hosted U.S. Reps. Michael McCaul and John Ratcliffe at DHS’ National Cybersecurity and Communications Integration Center (NCCIC) to officially deploy a system to exchange cyber threat indicators between government and the private sector at machine speed.
Cyber threats to critical infrastructure remain one of our Nation’s most serious security and economic sustainability challenges. With over 80 percent of critical infrastructure owned by the private sector, and with millions of cyber-dependent equities owned by individuals or federal, state, local, tribal, and territorial (SLTT) entities and agencies, securing cyberspace must be achieved collaboratively. Exercises are critical to testing this coordination, and more importantly, to building and maintaining strong relationships among the cyber incident response community.
The Department of Homeland Security (DHS) works closely with the Department of Energy (DOE) and the electric sector to ensure the security, resilience, and reliability of the U.S. power grid. Additionally, many American utility providers have invested heavily in both cyber and physical security. While the U.S. power grid is highly resilient, it’s important for owners and operators of electric and other critical infrastructure sector assets to be aware of this particular threat and to implement mitigation steps that will reduce their vulnerabilities to similar cyber-attacks and other malicious activity employing these tactics, techniques, and procedures. To be clear, this threat applies to any sector that uses industrial control systems, not just the electric sector.
Today the Department of Homeland Security, with the Department of Justice, issued guidelines and procedures required by the Cybersecurity Act of 2015.