The Department of Homeland Cyber Security: Does it Work?

05/27/2012

May 27, 2012: by Richard Weitz

When the Department of Homeland Security (DHS) was established in March 2003, enhancing U.S. cybersecurity was designated as one of the new department’s primary goals. In signing the legislation creating DHS, President George W. Bush said, “The Department will gather and focus all-out efforts to face the challenge of cyberterrorism.”

The new Department then rapidly created several key cybersecurity institutions within the federal government. In cooperation with Carnegie Mellon University, DHS established a U.S. Computer Emergency Response Team (CERT) to coordinate emergency efforts and established an alert system for cyber threats.

The National Cybersecurity Center (NCSC) was created to coordinate operations among itself, the Office of Intelligence and Analysis in DHS, private-sector partners and five other Government cybersecurity centers: the Joint Task Force–Global Network Operations (JTF-GNO), the National Cyber Investigative–Joint Task Force (NCI-JTF), NSA Threat Operations Center (NTOC), the U.S. Computer Emergency Readiness Team (US-CERT) and the Defense Cyber Crimes Center (DC3).

DHS also operates the National Cybersecurity and Communications Integration Center (NCCIC), which is responsible for coordinating the defense of the Federal Government’s networks. This is a 24-hour DHS-coordinated watch and warning center whose mission is to improve national efforts to address threats and incidents affecting the nation’s critical information technology and cyber infrastructure.

In 2003, the White House issued Homeland Security Presidential Directive 7, which emphasized that “critical infrastructure and key resources provide the essential services that underpin American society.” The directive resulted in development of the National Infrastructure Protection Plan (NIPP), which was released in 2006.

The NIPP details cooperative strategies for public and private sector information sharing and network protection. The NIPP relies on several institutions that facilitate information exchange, particularly Information Sharing and Analysis Centers (ISACs) to facilitate data exchanges with critical business sectors, such as financial institutions and energy companies. ISACs are established and funded by the private sector, and private-sector participants largely provide the data handled by ISACs.

ISACs also receive information from other entities, including law enforcement agencies and security associations. In addition to the ISACs, critical business sectors have Sector Coordinating Councils that develop policy recommendations in coordination with government agencies. The NIPP and its associated centers represent a major component of the DHS cybersecurity effort.

After several years passed without major DHS initiatives in this area, however, observers concluded that the Department had failed to meet important cybersecurity responsibilities and was insufficiently prepared or resourced to overcome cyber emergencies. For example, a June 2006 report by the Business Roundtable identified three major “cyber gaps” in how the department was empowering the private sector to respond to a cyberattack:

  • It provided no clear warning indicators that a cyberattack was occurring (let alone advance warning that one was about to occur).
  • There was uncertainty over who would lead efforts to restore cyber-damaged U.S. critical infrastructure.
  • The Department lacked dedicated resources to support post-cyberattack recovery efforts.

In addition, terrorists failed to launch major cyberattacks on the United States or other countries; instead, they used the Internet primarily as a means of recruitment and propaganda. Meanwhile, nation states (sometimes through affiliated hacker groups) and criminal organizations did attack U.S. networks, but the military and the FBI seemed to have the best tools and authorities to counter these two threats.

The influential CSIS Commission on Cybersecurity for the 44th Presidency recommended in 2008 that the President formally revoke DHS’s limited authority to coordinate cybersecurity because, never having had authority over the U.S. military, Intelligence Community and law enforcement agencies, the Department could not perform this coordination role effectively.


DHS’s Cybersecurity Mission

Although the Barack Obama administration followed many of the Commission’s recommendations, it ignored this one about reducing DHS’s role in cybersecurity. In recent years, DHS has made it a higher priority to address the security of U.S. civilian cyber networks and has earned greater support in Congress for keeping DHS as the lead civilian agency in this area. At the White House’s urging, DHS made cybersecurity one of its five most important mission areas in the first-ever Quadrennial Homeland Security Review (QHSR).

At present, DHS has the lead role in securing Federal civilian systems, sometimes described as the “dot.gov” domain. Through its National Infrastructure Protection Plan, DHS works with critical infrastructure and key resources (CIKR) owners and operators—whether private sector, state or municipality-owned—to bolster their cybersecurity preparedness, risk mitigation and incident response capabilities.

The DHS Fiscal Year 2013 Budget Request submitted in February 2012 requests $58.6 billion in total funding, $48.7 billion in gross discretionary funding and $39.5 billion in net discretionary funding. DHS has apportioned $769 million of this for cybersecurity, 74% higher than the 2012 budget. Of this, $345 million is for the deployment of Einstein 3. Its major programs in this mission area include:

Federal Network Protection

  • Deploy Einstein 3 in 2013 to prevent and detect intrusions on computer systems.
  • Upgrade the National Cyber Security Protection System.
  • Build an intrusion detection and analysis capability to protect Federal networks.

Federal IT Security Assessments

  • Strengthen Federal network security of large and small agencies by conducting an estimated 66 network assessments to improve security across the Federal Executive Branch.

Cybersecurity Workforce Needs

Provide high-quality, cost-effective virtual cybersecurity education and training to develop and grow a robust cybersecurity workforce that is able to protect against and respond to national cybersecurity threats and hazards.

Cyber Investigations

Support cyber investigations conducted through the Secret Service and the DHS Immigration and Customs Enforcement (ICE) division, targeting large-scale producers and distributors of child pornography and preventing attacks against U.S. critical infrastructure through Financial Crimes Task Forces.

Cyber Mission Integration

Enable DHS to coordinate national cybersecurity operations and interface with the U.S. Department of Defense’s (DoD’s) National Security Agency (NSA) at Fort Meade, MD. A memorandum of agreement signed by Secretary of Homeland Security Janet Napolitano and then Secretary of Defense Robert Gates aligned their capabilities to protect against threats to critical civilian and military computer systems and networks; Congress subsequently codified this agreement in legislation.

Cybersecurity Research

Support research and development projects focused on strengthening national cybersecurity through the Comprehensive National Cybersecurity Initiative (see below).

Comprehensive National Cybersecurity Initiative

In January 2008, DHS launched its Comprehensive National Cybersecurity Initiative (CNCI) as the department’s main program to secure the online presence of the U.S. Government’s civilian agencies. The initiative aims to strengthen Federal cyberdefense by consolidating thousands of Internet connection points across agencies into a more manageable number of trusted Internet connections. DHS is also responsible for implementing data-traffic-monitoring systems to detect nefarious activity and stop it before cyberattacks get out of control.

Some of its goals include shoring up network vulnerabilities by reducing and consolidating the Government’s Internet connections, establishing better defenses through the development and deployment of modern network intrusion detection and monitoring systems, and improving the Government’s collaboration with a private sector that owns an estimated 90 percent of U.S. critical infrastructure. CNCI focuses on twelve initiatives:

  • Reducing and consolidating the number of external connections Federal agencies have to the Internet through the Trusted Internet Connections Initiative. This effort allows the Department to focus its monitoring and prevention efforts on limited and known avenues through which traffic must flow, while also establishing baseline security capabilities and validating agency adherence to those security capabilities.
  • Deploying Einstein 2 to the identified trusted Internet connection points. Einstein 2 uses passive sensors to identify points at which unauthorized users attempt to gain access to those networks. Einstein 2 already provides visibility into nearly 180,000 events a month.
  • Building upon enhanced situational awareness, testing the technology for the third phase of Einstein, an intrusion prevention system that will provide DHS with the ability automatically to detect malicious activity and disable attempted intrusions before harm is done to critical networks and systems.
  • Centralizing information on what R&D is being done around the country and reducing redundancies to ensure tax money is not being wasted.
  • Connecting cyber ops centers to improve information sharing. This will bring government security offices together so that they can share data regarding malicious attacks against federal systems.
  • Develop and implement a government-wide cyber counterintelligence (CI) plan. A government-wide cyber counterintelligence plan is necessary to coordinate activities across all Federal Agencies to detect, deter, and mitigate the foreign-sponsored cyber intelligence threat to U.S. and private sector information systems.
  • Increase security of classified networks.
  • Expand cyber education to develop a skilled workforce to make sure that the U.S. cyber community will have workers with the necessary skills in the future.
  • Define and develop enduring “leap-ahead” technology, strategies, and programs. One goal of the CNCI is to develop technologies that provide increases in cybersecurity by orders of magnitude above current systems and which can be deployed within 5 to 10 years. This initiative seeks to develop strategies and programs to enhance the component of the government R&D portfolio that pursues high-risk/high-payoff solutions to critical cybersecurity problems.
  • Define and develop enduring deterrence strategies and programs. This initiative is aimed at building an approach to cyber defense strategy that deters interference and attack in cyberspace by improving warning capabilities, articulating roles for private sector and international partners, and developing appropriate responses for both state and non-state actors.
  • Develop a multi-pronged approach for global supply chain risk management. This initiative will enhance Federal Government skills, policies, and processes to provide departments and agencies with a robust toolset to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.
  • Define the Federal role for extending cybersecurity into critical infrastructure domains.

Future DHS priorities are to expand Einstein’s capabilities, develop the DHS National Cyber Incident Response Plan in collaboration with the private sector and other key stakeholders to facilitate a unified national response to a significant cyber event, and increase the security of the automated control systems that operate elements of the U.S. national critical infrastructure.

Critics and Defenders

DHS defenders argue that it is more efficient for one Department to oversee the protection of both physical and virtual critical infrastructure in the U.S. private sector, which fits in well with the Department’s “all-hazards” approach. For example, when DHS conducts an assessment of a critical infrastructure sector, it examines a facility’s physical and cyber infrastructure at the same time. DHS has co-located its cyber watch centers in the National Cybersecurity and Communications Integration Center, which coordinates many physical response activities. DHS representatives also insist that DHS is well suited to respond to cyberthreats since the cyberthreat environment, like terrorist threats, is constantly changing.

Critics cite the Department’s mixed record at countering terrorist threats and protecting U.S. critical infrastructure from physical disasters such as Hurricane Katrina. Nonetheless, the department’s defenders note that the United States has never again suffered a massive 9/11-style terrorist attack.

The Federal Information Security Management Act (FISMA) of 2002 uses a paper-based reporting system that requires an investment of time that agencies should instead be using to protect their networks through more real-time continuous monitoring. However, there have been multiple attempts to amend FISMA to account for a decade of technological innovation while addressing its shortcomings. The most recent move was from Rep. Darrell Issa with the Federal Information Security Management Act 2012 (FISA), which aims to establish stronger oversight through automated and continuous monitoring of cybersecurity threats while conducting regular threat assessments.

The Einstein system is controversial. It is an Internet-traffic-monitoring technology which records data flows in and out of Federal networks, helping analysts identify irregular data patterns. Current Einstein technologies require significant analytical support, but DHS plans eventually to release a third-generation Einstein deployment that would automate the system’s data pattern analysis. Einstein-3 aims to filter government traffic on private sector networks, collect network traffic flow in real time, and also analyze the content of some communications looking for malicious code such as email attachments. DHS aims to use AT&T as the test for Einstein 3.

The fear is that hackers could obtain sensitive data from defense contractors and other private sector firms with government contracts. Given delays releasing the first- and second-generation Einstein systems, it is not clear that DHS can remain on schedule to have Einstein 3 deployed by 2013, even though it employs technologies similar to those already used by the DoD.

Inadequate Authorities

The fundamental problem is that, at present, DHS has responsibility to protect all non-defense, public sector and private-sector networks from cyberattack, but lacks sufficient authority to accomplish this mission.

(Editorial Comment: The problem is also a lack of focus. If you try to do everything, to protect everything, you end up protecting nothing. The Government is not a Think Tank.)

The Department has broad authority within the civilian government space to set requirements for other agencies.

But DHS does not have direct enforcement authority over those departments and agencies, a circumstance which has raised issues in particular cases. For example, DHS experienced difficulty in obtaining responses from different departments and agencies regarding the scope of the Conficker worm attack.

In addition, the Department’s United States Computer Emergency Readiness Team (US-CERT) program, which is charged with monitoring the security of civilian cyber networks, does not have the enforcement authority that it needs to ensure that agencies comply with its recommendations and mitigation guidance. In particular, US-CERT does not have the authority to compel agencies to deploy technology for determining in real time whether a cyberattack is taking place.

Sometimes the other agencies cannot meet DHS requirements for valid reasons—for example, they are constrained by limited resources. But sometimes the other agencies just ignore DHS, since it is a relatively weak department that lacks the means to punish them for noncompliance—say, by withholding funds.

The Department has made some progress in strengthening interagency coordination. On October 30, 2009, DHS Secretary Janet Napolitano opened a new National Cybersecurity and Communications Integration Center (NCCIC) — a 24-hour, DHS-led coordinated watch and warning body that monitors threats and incidents to U.S. critical information technology and cyber infrastructure. It is responsible for the production of a common operating picture for cyber and communications across the federal, state, and local government, intelligence and law enforcement communities and the private sector.

The NCCIC is operated within DHS’ Office of Cybersecurity and Communications, a component of the National Protection & Programs Directorate. The NCCIC provides an integrated incident response facility to mitigate risks that could disrupt or degrade critical information technology functions and services, while allowing for flexibility in handling traditional voice and more modern data networks. It combines several DHS operational elements, including: the U.S. Computer Emergency Readiness Team (US-CERT); the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT); the National Coordinating Center for Telecommunications (NCC); and the DHS Office of Intelligence & Analysis.

In addition, the NCCIC integrates the efforts of the National Cybersecurity Center (NCSC), which coordinates operations among the six largest federal cyber centers at the Department of Defense, Department of Justice, Federal Bureau of Investigation, U.S. Secret Service, and the National Security Agency.

It also has state and local representation as well as private sector and non-government partners. During a cyber or communications incident, the NCCIC serves as the national response center for integrating federal, state, local, and private sector capabilities.

But the main problem still persists: DHS lacks authority and influence over the decisions of the private sector operators that control some 90% of the U.S. critical infrastructure.

Proposed Changes

Joseph Lieberman and other U.S. Senators have proposed legislation that would dramatically expand the department’s authority with respect to U.S. critical infrastructure under private ownership. In partnership with industry, DHS would determine which infrastructure networks were critical to U.S. national security and would secure mutually acceptable security standards. If a company were determined to lack adequate protection, DHS could take measures to improve it.

Senator John McCain has championed an alternative approach by offering legislation that would promote the voluntary sharing of information by private companies with the National Security Agency (NSA) and establish liability protections for the companies that participate, but would not expand DHS’ authority to mandate security procedures.

Last year, a divided and fractured Congress proved unable to enact comprehensive cybersecurity legislation, so Congressional leaders requested that the Obama administration submit its own proposal.

The White House wants to rely primarily on incentives but nonetheless proposed both mandatory as well as voluntary compliance. Some proposed changes—such as upgrading US laws that govern cybersecurity activities—have gained widespread approval. The desire to have DHS lead federal civilian cybersecurity efforts also is widely supported.

But more opposition has arisen regarding mandatory sharing of information with federal authorities and how some proposed federal actions could perversely create disincentives for private sector cyberdefense actions.

The comprehensive Obama approach would strengthen the authority of DHS to defend civilian government sites, including deploying intrusion detection software, conducting risk assessments, taking other preventive measures, and developing incident response capabilities. The administration also wants to give DHS the same enhanced authorities as the Department of Defense (DoD) to recruit and retain more and better IT employees.

McCain and other critics note that the DoD already has excellent cyberdefense capabilities, especially within the NSA and the new Cyber Command, and argue that it would be more efficient and effective to use these already existing and proven capabilities rather than have DHS try to replicate them for civilian networks.

The administration’s proposal would also facilitate Federal cyber assistance to state and local governments as well as the private sector by clarifying the existing but vague statutory authority in this area. Their proposal would clarify what federal agencies can and cannot do when institutions experiencing a cyberattack request federal assistance.

This issue has provoked much debate regarding what help federal agencies should be able to render the state, local, and private sector actors. There are doubts whether DHS has the experience and resources to undertake these proposed expanded policy, regulatory, and operational tasks. Critics worry that businesses would try to free ride on federal cybersecurity capabilities rather than pay to develop their own.

Except for certain “covered” critical infrastructure sectors, the administration proposal would rely primarily on market incentives to drive the private sector toward greater cybersecurity.

The private sector would lead in developing frameworks and the voluntary plans to implement them. Government agencies would mostly help only if requested. The expectation is that the disclosure of cybersecurity performance would expose firms to reputation, litigation, and other risks. Firms with poor cybersecurity would find it harder to attract investment, find business partners, and obtain government procurement; they would also have to pay more for cyber insurance. Critics worry that making private sector activities more transparent to the market can also help potential attackers identify vulnerabilities.

The administration proposal would subject ‘core’ US critical infrastructure to more stringent regulation.

The covered firms would adopt risk mitigation standards and plans that would be assessed by a third-party commercial evaluator. A ‘high-level summary’ of the plan and the assessment would be made public to ensure their adequacy. DHS could substitute its own risk mitigation framework if the one produced through the above process is deemed inadequate. Critics say that the administration has yet to specify what networks fall into this category; it proposes public agency rulemaking deliberations with private sector participation to make this determination for each sector, but some analysts worry this will take too long.

The administration proposal leaves out key features that have appeared in major congressional bills; members have pressed for their inclusion in recent hearings. For example, some members want a White House CyberSpace Policy Office headed by an official requiring Senate confirmation. They also want specification of what actions the President can take in a cyber emergency (i.e., no “kill switch”). They want legislation that guarantees a private “Right of Action” that would facilitate legal action for private sector cybersecurity negligence.

They want greater federal action to improve supply chain security and counter insider threats. Many members want to create incentives for more public and private sector cyber-related R&D. Finally, they want to supplement or replace the proposed regulations with more positive incentives such as tax waivers and R&D subsidies.