How DHS wants to build on its ‘defining moment’ for cyber

If the Wannacry cyber attack that impacted hundreds of thousands of computers worldwide earlier this year was a defining moment for the progress the federal government has made in defending its networks over the last few years, then the Homeland Security Department wants to do even better next time.

Jeanette Manfra, the assistant secretary for the office of cybersecurity and communications in the National Protection and Programs Directorate (NPPD), said the goal now is to be more proactive in detecting, sharing and stopping potential malware threats.

“I want to lean-in a little bit more in terms of deepening our partnerships with industry so we become more collaborative, able to potentially identify things earlier, share information quicker and act collaboratively between industry and government to reduce the impact or ideally prevent something from happening,” Manfra said in an interview with Federal News Radio.

Manfra said DHS has a couple of different sharing programs, including the Automated Information Sharing program, but they need to mature to be less reactive to what’s happening.

Advertisement

She said DHS cyber analysts need to engage with industry analysts more often and more collaboratively to identify areas where they can take joint action against a potential or real threat.

“Where can we work closer with Internet Service Providers and where can we work closer with managed service providers to identify things they may be able to see before it gets to one of their customers, like an electric utility,” Manfra said. “We are looking for opportunities to have more innovative collaboration with the private sector, with state and local governments and with other federal agencies, putting more capability from DHS out into in particular the federal agencies.”

Agencies came away pretty much unscathed by the Wannacry cyber attack that impacted more than 300,000 computers in 300 countries.

The White House yesterday blamed North Korea for Wannacry cyber attack.

Tom Bossert, the White House’s homeland security adviser, said the administration took a lot of time to look through classified and sensitive information to determine North Korea conducted the attack.

“We relied on technical links to previously identified North Korean cyber tools, tradecraft and operational infrastructure. We had to examine a lot and we had to put it together in a way that allowed us to make a confident attribution,” Bossert said in a press briefing with reporters on Tuesday. “As we move forward and attribution becomes part of our accountability pillar, we can’t do it wrong; we can’t get it wrong, and we can’t try to rush it. I think ultimately at this point if we had gotten it wrong, it would have been more damaging to our reputation and our national security then it would have been a boon for us to have done it quicker.”

The fact that the government faced few problems from that attack is part of the ongoing progress agencies have made over the last two years.

Manfra said the improved tools under the EINSTEIN program and the implementation of the continuous diagnostics and mitigation (CDM) program are two of the more public improvement that protected agencies.

Going forward, Manfra said the administration’s IT modernization strategy and DHS’s recent binding operational directives will help continue to push agencies forward.

“One of the pieces of the President’s executive order was looking at the enterprise risk of federal systems. We’ve, over the years, have gained a lot of insights into departments and agencies and how they think about risk and allocate their resources,” she said. “So what I want is to take that understanding and combine that with our authorities to issue BODs, and focus on how do we best use that directive authority to target common challenges that agencies might have. How do we move the priorities of some key issues up the stack that they may not see from an individual perspective, but we are seeing from an enterprise perspective?”

Manfra said DHS and other lead agencies continue to work on enterprise risk report required under the EO.

“The information that we learned from that is something that we already are using to help agencies through their prioritization processes and thinking about where they are and where they want to go, how they are using the [NIST] framework, if they are, and if not, how can they better use it. And using that to get to that enterprise picture and I think that’s where DHS fits best,” she said.

One example of this is the directive to improve agency email security using the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol and the STARTTLS protocol, which signals to a sending mail server that the capability to encrypt an email in transit is present. The latest data from the CIO Council shows about 40 percent of all agencies have implemented the DMARC and STARTTLS protocols.

Manfra said DMARC also is a good example of how DHS can encourage public and private sector entities to do the basic of cybersecurity to better protect themselves.

At the same time, DHS also is looking for innovations that can automate processes and enable analysts to look at data in different ways.

“We see some gaps between what an entity might consider adequate security for themselves or their sector, and what’s in the public interest,” she said. “The American people depend on critical services and functions such as electricity, a stable financial system, dependable communications, all things that enable our modern way of life. Many of these are run by the private sector. To ensure adequate security in the private sector, DHS plans to move beyond only offering voluntary assistance to more proactively in becoming the world leader in cyber risk analysis and intervening directly with companies when necessary.”