The Office of the Inspector General released the results of an internal audit of the U.S. Department of Homeland Security, including a number of areas where cybersecurity and training were unsuccessful and describing plans to improve in the future.
A major takeaway from the report is that the Department of Homeland Security (DHS) will be making a big push for better collaboration between the main components of DHS -- U.S. Immigration and Customs Enforcement (ICE), which focuses on criminal activities over the Internet and cross-border cybercrimes; U.S. Secret Service (USSS), which investigates potential attacks on America's critical financial infrastructure and payment systems; and National Protection and Programs Directorate (NPPD), which is primarily responsible for non-law enforcement cybersecurity missions as well as crisis management, incident response, and defense against cyberattacks for all .gov networks.
The report includes plans to solidify the DHS cyber mission by establishing a cyber training program, a cyber strategy program, threat intelligence sharing operations, and plans to remediate a number of vulnerabilities found throughout DHS systems.
However, Jason Polancich, founder and chief architect at SurfWatch Labs Inc., said the overall report is disappointing because the DHS should be past the stage of organizing and planning.
"A decade has gone by now and all the organization responsible for defending us and our government has done is try to get organized. It's frustrating," Polancich said. "Our government moves too slowly. If this were a corporation, these decisions would have been made and put into action years ago."
Vulnerabilities and upgrades
The reason for the delay is the timeline set up in the DHS audit for each of the issues the agency needs to deal with. Remediation of software vulnerabilities is scheduled to be done by Nov. 30, 2015; the cyber strategy plan is due to be completed and implemented by Feb. 29, 2016; the cyber training plan by March 31, 2016, although some courses won't be available until summer of 2016; and the threat intelligence sharing capabilities are estimated to be operational by Aug. 31, 2016.
The DHS audit found a number of vulnerabilities on internal ICE and USSS websites, which could potentially allow attackers to insert worms, cause a denial of service, or "impact the Department's cyber data confidentiality and integrity."
Additionally, it was found that DHS baseline configurations and guidelines were not being followed. According to the assessment, ICE had only implemented 79% of control settings for Windows 7 machines, and 58% of security controls for Windows Server 2008 machines.
The Office of the Inspector General and DHS did not respond to questions asking about potential plans for upgrading Windows Server 2008 machines given that the platform has already reached the end of mainstream support from Microsoft, and will hit the end of extended support in January 2020.
Strategy and training
DHS said work has already begun on the cyber strategy plan needed to ensure understanding of departmental responsibilities, but progress has been delayed because the Office of Cyber, Infrastructure and Resilience didn't have the staff or resources to complete the plan.
The DHS audit revealed that cyber training had fallen off because of a lack of resources and communication. One ICE analyst cited in the report hadn't attended any formal training in four years, and had instead spent his own money on training. And many ICE and USSS agents said training was prioritized for forensics personnel and military, making it more difficult to attend training sessions. Part of the budgetary issues resulted from duplicate spending, which the DHS also aims to fix.
Polancich worries that the training may be too little, too late.
"There aren't enough cyber resources to go around and training is the worst of the problem," he said. "Because cyber is so dynamic, it takes years of experience to become competent at knowing what to do."
Sharing cyber information
The DHS said threat intelligence sharing capabilities were not unified before. ICE, USSS and NPPD have been using cybersecurity threat sharing standards like STIX and TAXII, but said they were also using "e-mail, phone and personal interactions to exchange cyber-related information."
The DHS acknowledged the need for an "enterprise-wide" system that uses a single data sharing standard, and could allow for inter-departmental searching of data, easy access to and notifications for indicators and warning alerts, and faster sharing of actionable information to then speed up response and investigations.
These all sound like very necessary changes, but Polancich again criticized the government for taking this long to get to this point.
"They are trying to look as if they are addressing the steep challenges, but it's little more than busy work in the end," Polancich said. "Our best approach may be for the government to bring in an industry maverick empowered and ready to run cyberdefense like a business."