04/27/2011 – When the Department of Homeland Security (DHS) was established in March 2003, enhancing U.S. cyber security was designated as one of its primary goals. In signing the legislation creating DHS in November 2002, President George W. Bush said “the department will gather and focus all out efforts to face the challenge of cyberterrorism….[and] will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack.”
After several years passed without major DHS action, however, observers concluded that the Department had failed to meet its important cybersecurity responsibilities and was insufficiently prepared for emergencies. “On paper at least, the DHS is responsible for overseeing information security across the federal government. But for most of its existence, the agency’s leadership on such issues has been conspicuous by its absence. Even where it has tried, its efforts have been less than successful.”
In June 2006, a report by the Business Roundtable identified three major “cyber gaps”: no clear warning indicators that a cyberattack was occurring, uncertainty who would lead efforts to restore damaged U.S. critical infrastructure, and the absence of dedicated resources to support such post-attack recovery efforts. The CSIS Commission on Cybersecurity for the 44th Presidency recommended that the president formally revoke DHS’s limited authority to coordinate cybersecurity because, never having cyber authority over the U.S. military, intelligence community, and law enforcement agencies, the department could not perform this coordination role effectively.
Instead, in recent years DHS has made addressing the cyber security issue a higher priority and earned greater support within Congress for keeping DHS as the lead civilian agency in this area. Under the Obama administration, DHS has made cybersecurity one of its five most important mission areas in the first ever Quadrennial Homeland Security Review (QHSR). The DHS Fiscal Year 2012 Budget Request submitted in February 2011 requests for $57.0 billion in total funding, $47.4 billion in gross discretionary funding, and $43.2 billion in net discretionary funding. One of the six missions concerns cyber security:
Mission 4: Safeguarding and Securing Cyberspace – By statute and presidential directive, DHS has the lead for the Federal Government to secure civilian government computer systems and works with industry and state, local, tribal and territorial governments to secure critical infrastructure and information systems. DHS analyzes and reduces cyber threats and vulnerabilities; distributes threat warnings; and coordinates the response to cyber incidents to ensure that our computers, networks, and cyber systems remain safe.
Major programs in this mission area include:
- Federal Network Protection: $233.6 million is requested to expedite the deployment of EINSTEIN 3 to prevent and detect intrusions on computer systems and to upgrade the National Cyber Security Protection System, building an intrusion detection capability and analysis capabilities to protect federal networks.
- Federal IT Security Assessments: A total of $40.9 million in requested funds will support the Department’s efforts to strengthen Federal Network Security of large and small agencies by conducting an estimated 66 network assessments to improve security across the Federal Executive Branch.
- Cybersecurity Workforce Needs: $24.5 million is proposed to provide high-quality, cost-effective virtual cybersecurity education and training to develop and grow a robust cybersecurity workforce that is able to protect against and respond to national cybersecurity threats and hazards.
- Cyber Investigations: The FY 2012 Budget continues to support cyber investigations conducted through the Secret Service and ICE, targeting large-scale producers and distributors of child pornography and preventing attacks against U.S. critical infrastructure through Financial Crimes Task Forces.
- Cyber Mission Integration: The FY 2012 request includes $1.3 million to enable DHS to coordinate national cyber security operations and interface with the U.S. Department of Defense’s (DOD) National Security Agency (NSA) at Fort Meade, Maryland. This funding will support a landmark memorandum of agreement signed by Secretary Napolitano and Secretary of Defense Robert Gates that aligns and enhances America’s capabilities to protect against threats to critical civilian and military computer systems and networks.
- Cybersecurity Research: The FY 2012 request includes an increase of $18 million for the Comprehensive National Cybersecurity Initiative to support research and development projects focused on strengthening the Nation’s cybersecurity.
At present, DHS has the lead to secure federal civilian systems, sometimes described as the “dot-gov” domain. Through its National Infrastructure Protection Plan, DHS works with critical infrastructure and key resources (CIKR) owners and operators—whether private sector, state, or municipality-owned—to bolster their cyber security preparedness, risk mitigation, and incident response capabilities. The National Security Agency (NSA) has the greatest capabilities of any cyber organization within the U.S. government; it plays a key supporting role for both DHS and DoD, but its role in the protecting critical private sector infrastructure remains contested.
In January 2008, DHS launched its Comprehensive National Cybersecurity Initiative (CNCI) as the department’s main program to secure the online presence of U.S. government’s civilian agencies. The initiative aims to strengthen federal cyber defense by consolidating thousands of Internet connection points across agencies into a more manageable number of trusted Internet connections.
DHS is also responsible for implementing data traffic monitoring systems to detect nefarious activity and stop it before cyber attacks get out of control. Some of its goals include shoring up our network vulnerabilities by reducing and consolidating the government’s Internet connections, establishing better defenses through the development and deployment of modern network intrusion detection and monitoring systems, and improvement of the government’s collaboration with a private sector who owns more than 85 percent of U.S. critical infrastructure.
One element of CNCI involves reducing and consolidating the number of external connections federal agencies have to the Internet through the Trusted Internet Connections Initiative. This effort allows the department to focus its monitoring and eventually prevention efforts into limited and known avenues through which traffic must flow, while also establishing baseline security capabilities and validating agency adherence to those security capabilities.
Second, DHS is deploying Einstein 2 to these trusted Internet connection points. Einstein 2 uses passive sensors to identify when unauthorized users attempt to gain access to those networks. Einstein 2 already provides visibility into nearly 180,000 events a month.
Third, building upon enhanced situational awareness, DHS is testing the technology for the third phase of Einstein: an intrusion prevention system that will provide DHS with the ability to automatically detect malicious activity and disable attempted intrusions before harm is done to critical networks and systems.
Fourth, CNCI aims to strengthen DHS partnerships with the private sector and non-federal entities. A pilot program enables mutual sharing of cybersecurity information, working with private sector partners in the financial sector, the Department of Defense and the Financial Services Information Sharing and Analysis Center. Another pilot program brings together state fusion centers and private sector owners and operators of critical infrastructure to provide secret-level classified cybersecurity information.
A final element is to increase the number of federal workers in the DHS National Cybersecurity Division. In 2010, DHS aimed to hire 1,000 cyber experts but could only find and attract some 300 suitable candidates. Facing a similar shortage, the military services are considering extending the normal three-year rotations to keep network security specialists in their billets for a longer period.
Future DHS priorities are to expand Einstein’s capabilities, develop the DHS National Cyber Incident Response Plan in collaboration with the private sector and other key stakeholders to facilitate a unified national response to a significant cyber event, and increase the security of the automated control systems that operate elements of the U.S. national critical infrastructure.
DHS representatives argue that it is more efficient for one department to oversee the protection of both physical and virtual critical infrastructure in the US private sector, which fits in well with the department’s “all-hazards” approach. For example, when the DHS conducts an assessment of critical infrastructure sector, it examines the facilities doing physical and cyber infrastructure at the same time. DHS has co-located its cyber watch centers in the National Cybersecurity and Communications Integration Center which coordinates many physical response activities. They further claim that DHS is well-suited for responding to cyber threats since, like terrorist threats, the cyber threat environment is constantly changing.
Still, doubts persist. Critics cite the department’s mixed record at countering terrorist threats and protecting the U.S. critical infrastructure from physical disasters such as Hurricane Katrina. The Federal Information Security Management Act (FISMA) of 2002 uses a paper-based reporting system that takes up time that agencies should be using to protect their networks through more real-time continuous monitoring.
The Einstein system is controversial. It is an Internet traffic monitoring technology which records data flows in and out of federal networks, helping analysts identify irregular data patterns. Current Einstein technologies require significant analytical support, but DHS plans eventually to release a third-generation Einstein deployment that would automate the system’s data pattern analysis. Given delays releasing the first and second generation Einstein systems, it is not clear that DHS can remain on schedule to have Einstein 3 deployed by 2013 even though it employs technologies similar to those used by the Department of Defense.
The fundamental problem is that, at present, DHS has responsibility to protect all non-defense, public sector and private sector networks from cyber attack but lacks sufficient authority to accomplish this mission. The department has broad authority within the civilian government space to set requirements for other agencies. But DHS does not have direct enforcement authority over those departments and agencies, which has raised issued in particular cases. For example, DHS experienced difficulty in obtaining responses regarding the scope of the Conficker worm attack from different departments and agencies.
In addition, the U.S.-CERT program which is charged with monitoring the security of civilian cyber networks does not have the enforcement authority that it needs to ensure that agencies comply with its recommendations and mitigation guidance. U.S.-CERT also does not have the authority to compel agencies to deploy technology for determining in real time if a cyber attack is taking place. Sometimes the other agencies cannot meet DHS requirements for valid reasons, such as when they are constrained by their limited resources. But sometimes the other agencies just ignore DHS since it is a relatively weak department that lacks a means to punish them—such as by withholding funds—for non-compliance.
According to media reports, the White House has drafted legislation to significantly enhance DHS oversight over all civilian agency computer networks. the 100-page document is going through interagency review. It reportedly would give DHS many, if not all, of the same authorities for the .gov networks that the Defense Department has for the .mil networks.
For example, DHS would enjoy the same broad hiring authorities as the Defense Department, including the right to make direct hires, establish compensation rates, and pay additional benefits and incentives. Furthermore, the draft legislation would give DHS a major role in cybersecurity-related procurements. Given the large volume of cybersecurity software purchased by the federal government, DHS could use this market power to establish and raise de facto standards in the software industry.
The bill would also authorize the Secretary of DHS to determine what is critical infrastructure, assess audit systems for cyber resilience, and empower third-party accreditors and evaluators to assess the cybersecurity requirements of private sector owners and operators of critical information systems. A senior accountable official would have to sign and attest that owners and operators of critical infrastructure have developed and implemented effective cybersecurity measures. Third-party evaluators would then review and cross-check these measures.
See further coverage of cybersecurity and the Department of Homeland Security.
(In addition, the late Jack Wheeler developed a thoughtful approach to cyber con-ops.)