The Homeland Security Department is expected Wednesday to make its case once again to lawmakers for clearer cybersecurity authorities to protect federal networks.
Larry Zelvin, the director of the National Cybersecurity and Communications Integration Center in DHS’s National Protection and Programs Directorate, is scheduled to testify before the House Homeland Security Subcommittees on Counterterrorism and Intelligence and on Cybersecurity, Infrastructure Protection, and Security Technologies. At the hearing, he is expected to say the implementation of advanced intrusion detection and prevention program known as Einstein is hampered by the need for more clarity about the exact role DHS is allowed to play under the current set of cybersecurity laws.
“EINSTEIN 3 Accelerated (E3A) currently provides Domain Name System and/or email protection services to a total of seven departments and agencies, and we are working with our service providers to bring coverage to the rest of the executive branch,” Zelvin’s written testimony stated, which was obtained by Federal News Radio. “However, this process has been significantly delayed by the lack of clear authorities for DHS. E3A gives DHS an active role in defending .gov network traffic and significantly reduces the threat vectors available to malicious actors seeking to harm federal networks.”
Zelvin also is expected to reiterate DHS’s challenges to protect federal networks against the Heartbleed vulnerability.
Delayed response to Heartbleed
Earlier this month, Phyllis Schneck, DHS’ deputy undersecretary for cybersecurity, told Senate lawmakers that it took several days longer than it should have to fix the Heartbleed vulnerability.
Zelvin said when Heartbleed became known, the NCCIC created a number of detection signatures for the Einstein system that were shared with agencies and critical infrastructure providers.
“While there was rapid and coordinated federal government response to Heartbleed, the lack of clear and updated laws reflecting the roles and responsibilities of civilian network security caused unnecessary delays in the incident response,” his testimony states. “DHS worked with civilian agencies to scan their .gov websites and networks for Heartbleed vulnerabilities, and provided technical assistance for issues of concern identified through this process. Once in place, DHS began notifying agencies that EINSTEIN signatures had detected possible activity, and immediately provided mitigation guidance and technical assistance.”
DHS is using the Heartbleed vulnerability to make its case for the need for comprehensive cybersecurity legislation.
Zelvin’s testimony said the Obama administration’s proposal from May 2011 would give “DHS with clear statutory authority to carry out this operational mission, while reinforcing the fundamental responsibilities of individual agencies to secure their networks, and preserving the policy and budgetary coordination oversight of the Office of Management and Budget and the Executive Office of the President.”
But commenters to Federal News Radio’s article on May 9 first detailing DHS’ delays in responding to Heartbleed said they saw no problems.
One commenter wrote, “The agency I work for did scan our own internal network and remediated everything available outside our firewall in less than five days. There was no ‘red tape’ that delayed this and no need to wait for information to be provided by DHS. We used the scanning capabilities that we are required to maintain to quickly locate all vulnerable systems. I suspect that most, if not all agencies have similar capabilities and were proceeding as quickly as they could and were not waiting for DHS.”
Another commenter said, “The IT department at each agency could have scanned their internal network and applied the patches. Why should they have to wait on DHS? This is so messed up it is embarrassing.”
Zelvin said a comprehensive cyber bill that addresses information sharing is essential.
“We continue to seek legislation that clarifies and strengthens DHS responsibilities and allows us to respond quickly to vulnerabilities like Heartbleed,” he wrote. “We continue to seek legislation that incorporates privacy, civil liberties and confidentiality safeguards into all aspects of cybersecurity; strengthens our critical infrastructure’s cybersecurity by further increasing information sharing and promoting the adoption of cybersecurity standards and guidelines; gives law enforcement additional tools to fight crime in the digital age; and creates a National Data Breach Reporting requirement.”
Along with Zelvin, Joseph Demarest, the assistant director of the FBI’s cyber division, is expected to testify about the agency’s ongoing cybersecurity initiatives.
Demarest is expected to tell the subcommittees about several FBI cyber efforts, including a recently launched Guardian for Cyber application. The Guardian for Cyber application, which the Guardian Victim Analysis Unit (GVAU) is developing, will provide a comprehensive platform that tracks U.S. government coordination and efforts to notify victims or targets of malicious cyber activity.
“The FBI is working toward the full utilization of Guardian for Cyber across FBI, other government agencies, state, local, tribal and territorial (SLTT) governments, as well as industry partners, in order to provide forward understanding of cyber related threats, increase awareness of victim actions to mitigate those threats, and facilitate a coordinated overall cyber incident response by the U.S. government,” he wrote.
The FBI also recently set up a Key Partnership Engagement Unit (KPEU), which is a targeted outreach program focused on building relationships with senior executives of key private sector corporations.
“Through a tiered approach the FBI is able to prioritize our efforts to better correlate potential national security threat levels with specific critical infrastructure sectors,” he wrote. “The KPEU team promotes the FBI’s government and industry collaborative approach to cybersecurity and investigations by developing a robust information exchange platform with its corporate partners.”
For example, the FBI and the Treasury department earlier this year provided a classified briefing to senior executives in the financial services industry on potential and real cyber threat.
Demarest will say executives of more than 40 banks participated via secure video teleconference in FBI field offices in the initial briefing. The FBI and Treasury held another cyber briefing in April where 100 banking executives participated.
Also expected to testify at the hearing is Glenn Lemons, a senior intelligence officer in the Cyber Intelligence Analysis Division of DHS’s Office of Intelligence and Analysis.