DHS, GAO: Federal networks are safer today but long way left to go


Homeland Security Acting Deputy Undersecretary for Cybersecurity Jeanette Manfra testified before the House Homeland Security Committee on March 28, 2017. (Photo Credit: House Homeland Security Committee)

The federal government has made “significant progress” in its efforts to shore up cybersecurity at civilian agencies after suffering numerous high-profile breaches in recent years, but there’s still room to do more, Department of Homeland Security Acting Deputy Undersecretary for Cybersecurity Jeanette Manfra told the House Homeland Security Committee on March 28.

Manfra reported on progress across broad initiatives, including improving agency cybersecurity, establishing a common baseline of protection and codifying roles and responsibilities to effectively manage cybersecurity risks and incidents.

Manfra said DHS views cybersecurity and IT modernization initiatives as opportunities to make “generational advances in capabilities,” which echoes President Donald Trump’s early draft executive orders covering the dual objectives of cybersecurity and IT modernization. The executive orders have not been enacted, though a final version is expected eventually.

In its proposed fiscal 2018 budget, the Trump administration has requested $1.5 billion from Congress for DHS to secure federal IT infrastructure.

Among the successes, Manfra said 93 percent of federal civilian users today are covered by EINSTEIN, DHS’s intrusion detection and protection system, compared to just 38 percent prior to the passage of the Cybersecurity Act of 2015. Manfra said that EINSTEIN generates approximately 30,000 alerts daily on potential malicious cyber activity.

Congressional Research Service Cybersecurity Policy Analyst Chris A. Jaikaran said the act – along with the 2014 Federal Information Security Modernization Act (FISMA) and the National Cybersecurity Protection Act (NCPA) of 2014 – was key in changing how federal cybersecurity is managed. The three bills effectively gave the Office of Management and Budget the strategic, DHS the operational and individual agencies the tactical role in federal civilian cybersecurity, Jaikaran noted.

Prior to the passage of these bills, Jaikaran said, agency heads could choose whether to accept tools, such as DHS’s EINSTEIN, and implement guidance. Now federal cyber risk management is mandated statutorily and operationalized by DHS through binding directives, among other means. The statutory requirements in the three landmark laws accounted for the jump in federal coverage by EINSTEIN, Jaikaran said.

Jaikaran characterized the current environment created by the Cybersecurity Act, FISMA and NCPA – wherein one cabinet-level agency can direct another to take an action, namely on how to use its resources – as unique in the federal government.

Manfra noted that DHS has so far issued four binding operational directives, including one for identifying high-value assets and another for promptly patching known vulnerabilities on agencies’ internet-facing devices. Since December 2015, Manfra said in written testimony, DHS has identified an average of fewer than 40 critical vulnerabilities at any given time, and agencies have addressed those vulnerabilities rapidly once they were identified.

While EINSTEIN is just one component of the broader National Cybersecurity Protection System (NCPS), Manfra said, it is the platform’s principal component.

However, a historical technological weakness with EINSTEIN has been the system’s reliance on signature-based attack detection, which U.S. Government Accountability Office Information Security Issues Director Gregory C. Wilshusen reported in January 2016. Signatures are based on known patterns of malicious software. Signature-based detection is not effective against emerging threats and new attacks, for which signatures have not yet been discovered. For these classes of attack, different detection and mitigation techniques are required.

Wilshusen’s team suggested several enhanced capabilities to improve the effectiveness of EINSTEIN’s detection, including anomaly-based detection. Anomaly-based detection works by establishing technological and behavioral baselines for people and technologies, and then flagging any anomalies that deviate from established baselines.

A second weakness identified with EINSTEIN was its inability to inspect all types of network traffic. Such a limitation would allow threat actors to successfully infiltrate networks using types of network traffic unsearchable by EINSTEIN. Wilshusen’s team also identified weaknesses in DHS’s information sharing practices with other agencies.

Ultimately, Wilshusen’s team made nine recommendations to DHS on enhancing and expanding EINSTEIN’s capabilities.

Based on Wilshusen’s report, Manfra said DHS is improving EINSTEIN’s detection capabilities by increasing the number of known threat indicators available, deploying reputation scoring for priority-based actions and piloting a new capability of anomaly-based detection. One challenge with the new anomaly-based detection – as with many technologies – is scaling its implementation across sprawling intra- and inter-agency infrastructures, Manfra noted.

Another component of DHS’s cybersecurity defense is Continuous Diagnostics and Mitigation (CDM). CDM is being rolled out across federal agencies in four phases:

  1. CDM Phase 1 identifies all computers and software on agency networks and checks for known vulnerabilities.
  2. CDM Phase 2 allows agencies to better manage identities, accounts and privileges for the people and services using their networks.
  3. CDM Phase 3 will assess activity happening on agencies’ networks to identify anomalies and alert security personnel.
  4. CDM Phase 4 will protect sensitive and high-value data within agency networks.

Manfra said acquisition of most CDM Phase 1 tools is complete. According to Wilshusen, as of May 2016, 14 of 17 federal civilian agencies were implementing CDM Phase 1, but only two had implemented security dashboards. In written testimony, Manfra said six agencies have now fully deployed CDM Phase 1, including dashboards. Other agencies continue deployment. DHS has awarded two CDM Phase 2 contracts, with more on the way.

Since the passage of the 2015 act, DHS has automated the sharing of threat information across the government, with Manfra noting this sharing is done in a way that protects privacy and civil liberties. Still, partner organizations have criticized both the timeliness of DHS alerts and their quality, namely the context of alerts.

Manfra said DHS has automated the sharing of alerts across agencies, while admitting better context is needed. Manfra acknowledged a two-phase alert system – in which an alert is issued quickly and then followed up with contextual information to make the alert actionable – could work.

Continuing challenges for DHS, Manfra said, include obtaining proper levels of resourcing, modernizing federal IT systems and protecting legacy IT systems.

Developing effective workforce practices, particularly recruiting and retention, also continues to be a challenge. One hurdle, Manfra noted, is the ongoing disparity between government and private-sector pay.

Asked what DHS wanted from Congress, Manfra said reform to federal acquisition processes to allow for faster refreshes and working with nontraditional government contractors would be helpful. Wilshusen added that leveraging government-wide demand to obtain volume discounts would lower prices. Additional areas for acquisition reform and improvement, Wilshusen said, include technological standardization and integration, as well as sharing resources.

Rep. Cedric Richmond, D-La., asked about the status of a comprehensive DHS cyber strategy, which was required to be submitted to Congress by March 23. Manfra said work on the strategy is underway, but DHS will need the Trump administration’s review and input. Manfra said Congress could expect to receive the strategy “within months.”