An untold number of federal IT systems potentially were left vulnerable to one of the most serious cybersecurity flaws in history for several days longer than necessary, not because federal officials didn’t know how to fix it, but because it wasn’t clear that they had the legal authority to do so.
The Heartbleed vulnerability originated from a programming flaw in OpenSSL, a widely-deployed variant of the encryption system used to protect Web traffic around the world. Security researchers estimated it could affect up to two-thirds of all Web servers, and agencies weren’t immune. The software’s makers issued a fix on April 7, the same day the vulnerability was made public. Cybersecurity professionals scrambled in the hours after to determine whether their systems were subject to the flaw and to patch them if necessary.
But inside the federal government, that process took several days longer than it needed to because the agency in charge of protecting civilian agency IT systems, the Department of Homeland Security, didn’t have clear legal authority to scan other agencies’ networks, even though it had the technical ability to do so.
“So as fast as we could, we went door-to-door and got a letter of authorization from each agency, working with each lawyer, to make sure that we could scan their systems. That cost us five to six precious days in some cases,” Phyllis Schneck, DHS’ deputy undersecretary for cybersecurity told the Senate Appropriations Committee Wednesday. “The whole world knew about this vulnerability and all the information they could capture, while we were lawyering. If we had the clarification in law that this was our role, we would have gotten started a lot faster.”
DHS’ mandate to protect agencies from cyber threats comes from presidential memos and a patchwork of federal laws, including the 2002 Homeland Security Act, which tasks DHS with “response and mitigation” of cyber threats across federal, state and local agencies and private sector critical infrastructure providers.
“The problem, and I know this from working in the private sector, is that when the lawyers get involved — and to their credit, they’re protecting the company — they don’t really know if we’re supposed to be scanning,” she said. “This is what happened with the cabinet-level agencies; we had to scan for Heartbleed.”
Schneck said DHS wants Congress to give it explicit statutory authorization to scan those networks as part of a series of legal changes in proposed cybersecurity legislation, which would also include liability protections for companies that share cyber threat information with the federal government.
“It makes it very clear what our authorities are, to help with the information- sharing across the private sector, and narrowly-targeted liability protection,” she said. “I came from industry eight months ago and that’s very helpful to a company because it speaks to the general counsel and says, ‘This is OK to share with government and protect others, and the company won’t get hurt.'”
Schneck said even though DHS’ response to the specific Heartbleed issue was slower than it should have been, agencies are much safer from hackers seeking to exploit that vulnerability and others like it than they would have been a few years ago. DHS says agencies’ move toward a regime of continuous diagnostics and mitigation means they are much more likely to have noticed a bad actor who tried to make use of the security flaw. She also cited heightened perimeter defenses around government networks under the Einstein 3- Advanced (E3A) program as a reason for increased confidence in network security.
“The system constantly measures how healed up it is and how secure it is, so you’re always aware of behavior that’s different,” she said. “And as we grow that system, it will become more and more like your body’s immune system: You don’t need to have a conference call to fight a cold. You always know something coming in and you’ll be able to see different bad behaviors across all of the U.S. government. Across the government, we are very much operational. We very much have turned a corner. If I could have one wish, it would have been able to act faster in Heartbleed so that we wouldn’t have had to get letters of authorization for every unique organization that we scanned.”
Information sharing showing its value
In the absence of legislation that would authorize more information sharing, DHS has moved forward with the Enhanced Cybersecurity Services program, in which a limited number of Internet service providers and other private companies are able to see some of the government’s sensitive and classified cyber threat signatures. That information is valuable, officials say, because agencies often have access to information about potential threats long before they emerge in the private sector.
The same is true for individual, specific cases of cyber crime and cyber espionage, said to William Noonan, the Secret Service’s deputy special agent in charge for cyber operations.
“We have a proactive approach to going after cyber criminals. It’s generally based on source information we obtain in a number of different ways, including confidential informants, undercover operations, trusted partners within the industry, and we’re able to crunch that data and determine where there’s a vulnerability and who potentially has been victimized,” he said. “Just this year, we’ve notified two financial institutions that (have) been compromised. And I’m telling you, if it were not for that notification by law enforcement to those two financial institutions, they would not be in business today. They did not lose a single dollar because of that advanced warning.”
Dave Mahon, the vice president and chief security officer at CenturyLink, one of the three largest companies whose infrastructure makes up the Internet’s “backbone,” said the information sharing programs the government has launched within its existing authorities have proved their worth, but they need to go much further.
“While they do have very good programs with the ECS and E3A, the majority of the homeland security information sharing model is one-size-fits-all,” he said. “They get broad-based information from other government agencies. They put it in a format suitable for dissemination across all verticals, all infrastructures, small to large corporations. The analogy that I often use is that you’re invited to a wedding and you bring a gift to the bride. She certainly appreciates it, but she would prefer you go to her wedding registry and select something she really needs. That’s really where we need to go. We have very specific collection requirements on how to protect our network, but we do not have access to all of the threat information. And I believe the government could give better assistance to us if we gave them very specific information requests to see if they could fulfill them.”