The Homeland Security Department is pushing hard toward its legislative mandate to install the EINSTEIN 3A cyber tools in every major agency by mid-December. At the same time, DHS also is thinking about the future of the cybersecurity tool by developing a new cyber risk scoring system.
Phyllis Schneck, the deputy undersecretary for cybersecurity and communications in the National Protection and Programs Directorate, said DHS is piloting analytics as part of a cyber immune system.
“Using data that we can purchase from the private sector, and we do, and also using data that we uniquely see across the federal government with help of our privacy and civil liberty experts only the data that is needed for this, only the data that we are lawfully allowed to have and only data that’s across the federal civilian government—plus data the private sector sees protecting their hundreds of millions of customers every day, we’re able to come up with a crowdsourced cyber risk score of, for example, different machine addresses or, in the future, different domains, and assess the severity,” Schneck said during her appearance on Ask the CIO in recognition of National Cybersecurity Awareness Month. “We use that to also block things using the EINSTEIN program. Before, the attack we would block had to be previously known, you would’ve had to have a vaccine, or in the industry called a signature. Now heuristically we can begin to identify things we may not know are bad, but behaviorally we can sense they are.”
DHS already has begun beta testing in a production environment and is seeing good results.
The cyber risk scoring system combines data from various sources, the private sector and the intelligence community, and can analyze potential and real threats or vulnerabilities and provide a risk score for that information.
“For example, if you have a machine with a certain score on a scale of say 1 to 10, you can now use that in a couple of ways. If it’s really bad, for example a 10, if traffic comes in from that address aimed out of one of our federal agencies, it might indicate that that agency was instructed by malware to reach out to a bad place, and you would want to flag that,” Schneck said. “In the future, we may use that score to block it. What we are doing right now is testing it so we would not issue a block on that right now. We are looking at how accurate it is. It’s actually very accurate, but that’s not enough as we strive for excellence. We are refining it. This is a first and giant step toward being able to identify activity that indicates bad behavior or the presence of malware or data exfiltration long before it would’ve shown up otherwise and without the need for a signature.”
When DHS believes the risk scoring system is ready for broader release, it will be another piece within the E3A program and will advise the software to block potential or real threats.
While some have criticized E3A and questioned why DHS is pushing agencies toward “old” technology, Schneck said E3A is similar to a vaccine — agencies still need it for long-term cyber health because it’s been proved to work. But at the same time, she said, DHS expects agencies to have other intrusion detection and intrusion prevention tools and layered defenses.
“This is a very special system that will detect things that no one else on classified information and will block them from getting in,” Schneck said. “As of Sept. 15, 103 federal civilian departments and agencies and their subcomponents are participating on E3A services. That represents about 65 percent of the dot-gov population.”
Schneck said she anticipates every CFO Act agency will receive the EINSTEIN 3A services by the congressionally-mandated Dec. 18 deadline.
“E3A initially focused on counter measures that will address about 85 percent of the most significant cyber threats. We are evolving that and we are growing that, but our first priority is getting our CFO Act agencies online with the protection,” Schneck said. “The more agencies that are online, the more federal agency data that we can see and then heuristically defend against and identify, and eventually block attacks that we did not know yet were bad and that’s how your body’s immune system works. Biologically, your body knows it’s bad and chemically it attacks something that is there to hurt you. We have to do that with math.”
There already is some concern on Capitol Hill about whether DHS and agencies will meet the upcoming deadline. Sen. Ron Johnson (R-Wis.), chairman of the Homeland Security and Governmental Affairs Committee, recently wrote to the IRS asking why it told DHS it wouldn’t install E3A by Dec. 18.
While the IRS said publicly it would meet the deadline, Schneck said DHS understands the challenges several agencies face, but they shouldn’t stop the departments from meeting the deadline.
“When we think about cultures that change, I believe there are some agencies that believe their data is too sensitive to have this system on it. But I also know the law that was passed at the end of 2015 says that all agencies do need to connect to the system because it’s in their best interest, in their data’s best interest and in the overall protection of the U.S. government and private sector’s best interest. So I’m very optimistic we will work through that, but it’s very understandable as culture changes, human policy needs to adapt to that,” she said.
The culture change is more easily happening because of the consistent focus on cybersecurity throughout the year and especially during National Cybersecurity Awareness Month.
Schneck said the theme for the 2016 recognition is that cybersecurity is a shared responsibility for citizens, businesses and the government.
“People are feeling it and they are more and more starting to understand it,” she said. “While cybersecurity will always be intangible, people have heard about all these breaches and they understand that this could not only cause a company reputation damage, but it could cause damage by theft of intellectual property, certainly by some sort of corporate espionage and the understanding that with everything connected and employees with mobile devices, really having to map out a network and see what’s there, these decisions are now being taken as part of the overall corporate risk — which doors do you lock, what do you protect, and prioritizing that with the overall company funds and strategy.”
Schneck said nearly every aspect of DHS is involved in cybersecurity today.
“The role of DHS is to help mitigate, and, if you will, clean up intrusions and help people become stronger,” she said. “The analogy people use often is we are like firemen — help prevent fires and help clean them up. We work hand-in-hand with our partners in law enforcement whether that’s the U.S. Secret Service, Homeland Security Investigations or the FBI. Those are the policemen and those people help find who the criminals are, help enforce and help put people away in orange jumpsuits if you will.”