DHS under more scrutiny after attacks
Agencies told to hold contractors accountable for cybersecurity when they write contracts
The Homeland Security Departments networks are vulnerable to cyberattacks, and several lawmakers said last week that sends a poor message and highlights the challenges agencies face in securing networks that contractors manage.
Reps. Bennie Thompson (D-Miss.) and Jim Langevin (D-R.I.) are pressing an investigation into why DHS and its network contractor, Unisys, didnt prevent recent cyberattacks originating from Chinese-language Web sites and allegations that DHS officials werent notified about the incidents.
According to DHS incident reports provided to the Homeland Security Committee, intruders placed a hacking tool, a password dumping utility and other malicious code on more than a dozen computers at headquarters. The committee learned that hackers compromised dozens of DHS computers, and the department did not notice those incidents until months after the initial attacks.
Your security solution today may not be effective tomorrow. Amit Yoran, NetWitness
Langevin, chairman of the committees Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, said DHS isnt serious enough about cybersecurity. It sends a bad signal when the agency that is charged with protecting government networks is
not doing the basics, he said.
The committee has asked DHS inspector general to investigate the recent cyberattacks and the responses by Unisys, which managed the networks security.
Security experts say DHS vulnerabilities are not unique. Hackers ping nearly every agency in search of vulnerabilities. Commerce, Defense, State and other departments have testified this year about recent intrusions, specifically by suspected nation-state attackers. As those attempts rise, security experts say, DHS and other agencies must ensure their networks, which contractors often manage, are secure.
Although defending against all attacks is difficult, agencies should manage and reduce risk, Langevin said. That means taking basic precautions, such as ensuring that firewalls are in place and testing cyberpenetration to determine if equipment is working.
Experts say cybersecurity is not an exact science.
Your security solution today may not be effective tomorrow, said Amit Yoran, chief executive officer of NetWitness and former director of DHS National Cyber Security Division.
Its more difficult to define what success would look like, Yoran said. Adversaries are continually developing new techniques and new exploits to compromise systems and bypass security. Agencies sustain numerous network intrusions or attempts even thousands every day.
Langevin and Thompson said they would seek a review of the department officials who oversee management of the Unisys contract, according to a Sept. 21 letter they sent to Richard Skinner, DHS IG. The FBI is investigating to determine if any criminal violations occurred during the attacks, Langevin said.
The two lawmakers said Unisys provided inaccurate and misleading information to DHS about the source of the attacks and attempted to hide gaps in its security capabilities. In the letter to Skinner, the lawmakers also said DHS officials did not act on the information about the attacks. Unisys built and maintains the networks for DHS headquarters and the Transportation Security Administration.
Unisys said it performed its contract according to protocol. Unisys spokeswoman Lisa Meyer said she could not speak about specific incidents because of federal security regulations.
We can state generally that the allegation that Unisys did not properly install essential security systems is incorrect, Meyer said. We always elevate incidents in accordance with the proper protocols. We believe that a proper investigation of this matter will conclude that Unisys acted in good faith to meet the customers security requirements.
DHS said it takes the committees allegations seriously and has cooperated fully. We will continue to work with the departments inspector general and the committee as necessary concerning these allegations, a DHS spokesman said.Request for IG investigation
Langevin said he had not received confirmation that Skinner will pursue the investigation, but he said he expects Skinner will. The lawmaker promised more hearings and possible legislation, adding that he thinks the cyberattacks reflect a management problem at DHS. Langevin said he did not have a specific date yet for the committees next hearing on the subject.
Langevin said he will focus oversight on DHS progress in securing networks, the expertise of staff members responsible for cybersecurity and the amount of money the department spends on security and research and development efforts.
During the recent cyberattacks, hackers extracted information from DHS systems and transferred the information to a Web hosting service that connects to Chinese Web sites. Although network intrusion-detection systems were part of the departments Information Technology Managed Services contract, the systems were not fully functional when the initial incidents occurred, the lawmakers said in their letter.
The contractor was to install intrusion-detection devices, and, from what I understand, they were not installed and sat in boxes, Langevin said.
The committee received a wealth of information from the investigation during the past several months, Langevin added. The FBI investigation and IG investigation, if its taken up, will tell us if Unisys did what DHS contracted for, he said.
The number of cyberattacks on public and private-sector networks has increased to such an extent that the National
Security Agency plans to work with DHS and other agencies in a highly classified effort to monitor networks related to the countrys critical infrastructure, according to a Sept. 20 article in the Baltimore Sun.
With the rise of intrusion attempts against federal networks, agencies have an enormous amount of information to sift through to determine the nature of those attacks and the urgency required in
responding, said Patrick Howard, the Housing and Urban Development Departments chief information security officer. You have to have some filters in place to know what is important and what is not.
To determine the seriousness of intrusions, agencys security employees must know the business or mission goals to assess the short- and long-term impact of security incidents, Howard said. It is clear, however, when to report incidents involving personally identifiable information: Report everything that moves.
If agencies conduct risk assessments and determine system categorizations, youll know which systems are important, Howard said. Agencies need to work with systems owners and program managers to make sure they understand risk and system categorization, he added.NIST guidance
Agencies can ensure that vendors deliver appropriate cybersecurity by specifying those provisions in their contracts, such as using security standards from the National Institute of Standards and Technology. NIST guidance provides flexibility for agencies to insert agency-specific standards, such as password length. But agencies still have to implement it correctly, Howard said.
You have to go to that level to identify that for the potential contractor, he said. If you want them to protect a particular system, then you should know what the risks are that they have to protect against.
Leaving it to agencies to fill in specific details of NIST standards lets busy IT security employees ignore it, said Alan Paller, research director at the SANS Institute. NIST standards are not detailed enough.
Instead of being general so that users are uncertain whats being required, we have to be specific so they actually do the things that are necessary, Paller said.
An effective security control would be to have an intrusion-detection and log management system in place with extensive triggers that are verified to be looking at current attacks by an outside security auditor, Paller said.
If were ever going to get ahead of this problem, he said, its at this spot at the contracting for security controls up front, buying security baked in.