DHS and Cyber Security Readiness


(Cover artwork from Senator Coburn’s report on DHS)

A report from Senator Tom Coburn about the Department of Homeland Security details a variety of concerns about the organization’s ability to counter cyber attacks. ZDNet wrote an unflattering article about the cyber shortcomings with the headline “New Report: DHS is a mess of cybersecurity incompetence”. The main points of the article are:


Cyber Hygiene Effectiveness

  • Cyber hygiene does not stop nation state attackers
  • Information shared from DHS is not useful

There are a variety of comments I would like to make about these points.

The entire world stinks at cyber hygiene. Until we complete a move to secure and resilient cloud-based applications with hardened endpoints, cyber hygiene is our only option. There are no magic bullets, no magic policy and no technical breakthroughs which will “secure” networks inherently designed to be insecure.

Shared Information Usefulness
A well-managed and patched network is harder for intelligence agencies to attack. We’ve seen many examples of this, including talks directly from the NSA’s Tailored Access Office, explaining why it’s harder to attack, persist and exfiltrate data with hardened systems.

What I am most disappointed about is the government’s priorities and timing. We spent many years debating if Microsoft was or wasn’t a monopoly and how “mono cultures” could be easily attacked, and now it looks like the best refuge to place our data and applications is in the “mono cultures” of Microsoft Azure, Google and Amazon. Telling people to patch their systems and use two-factor authentication when the rest of the nation has their photos and sales leads in the cloud is out of step and ineffective.

It’s easy to point a finger at DHS or US CERT and say their data wasn’t good or useful, or was slow. Intelligence is hard. I’ve seen bad data come from lots of different well-funded sources, both commercial and government.

I’ve blogged previously about a US CERT study which basically showed how hard it is to get cyber intelligence correct by evaluating hundreds of commercial threat feeds. It showed that the commercial feeds have old data and bad data mixed in with actual threats.

Misconceptions about DHS and the Government
What the US government, DHS and CERT are not getting credit for is having a framework in place which allows the industry to have a conversation. I’ll give a few examples:

  • NIST’s National Vulnerability Database — Tracking vulnerabilities is a lot harder than people realize because it has to be technically accurate and handle many different combinations of software available today. Without this, we’d rely on vendors to name vulnerabilities and patches for them, increasing complexity.
  • DHS’s CyberScope program — Before this program, organizations did audits ONCE A YEAR. The program required government organizations to report to DHS on their cyber security in a vendor-neutral format. Things were that bad and that horrible, and it is no surprise that in that type of environment you’d get things like the Department of State getting completely owned in 2006. When I was Tenable CEO, I saw the effect of this firsthand. Government organizations that had vulnerabilities multiple years old were now fixing them. Clearly, there is much more work to be done, but the government has come a longer way than people realize.
  • The biggest form of cyber information sharing going on right now is the 1000s of DOD and .Gov cyber professionals who are done with their government service and joining the ranks of the commercial sector. These people are bringing operational knowledge of things like the DOD’s Risk Management Framework or NIST’s Cyber Security Framework to the private sector.

Conclusion

If you are a US citizen, DHS has no charter to scan your computer for malware, filter your emails to keep you safe from attacks or help you recover from a cyber attack. If they did have a magical program or technique to keep your computer perfectly safe, there is no law saying you must deploy it or do it either.

What is less obvious to people who don’t work with the government is that it’s pretty much the same thing for government agencies. DHS might have access to look at vulnerabilities, network traffic and other types of audits, but the responsibility to keep networks secure resides with the executives of each of the government agencies.

Note: The same day I published this article, President Donald Trump signed an executive order mandating the use of NIST CSF in government agencies. I think this is great since many government agencies were still sort of doing their own thing. Another thing I liked is the order gave priority to shared IT resources (i.e., Cloud services). I’ve seen too many agencies with poor IT claim the cloud isn’t secure when in fact they were just not wanting to change.

The report and article were overly harsh on DHS, but this is completely overshadowed by the fact that DHS is less and less relevant to the multitude of Internet users and businesses who are moving to the cloud and discarding legacy technologies.

When I do public speaking, I try very much not to mention cyber hygiene or compliance anymore and instead talk about the benefits of moving to the cloud and getting rid of legacy technology. That is a broader message that helps non-technology leaders identify what they need to do in their organization to make it more secure.