Heartbleed tested agency readiness

Agencies that were most active in achieving government-wide cybersecurity goals had an easier time mitigating the threat posed by the Heartbleed vulnerability, said Ari Schwartz, director for privacy, civil liberties and cybersecurity policy at the White House.

Systems that had implemented basic hygiene in keeping with the Cross-Agency Priority Goal faced less risk from the Heartbleed vulnerability in the open source security software OpenSSL than those that were lagging behind, Schwartz said at a May 28 cybersecurity event held by AFCEA's Washington, D.C., chapter.

The government response to Heartbleed was instructive, Schwartz said. "We did a lot of things right. We have a lot of things to learn. That's going to be a theme for the administration going forward -- how we deal with incident response," he said.

Part of the problem with response is the lack of authority on the part of the Department of Homeland Security to scan agency systems for evidence of vulnerabilities, according to recent Congressional testimony from DHS officials.

In a May 27 letter to top administration cybersecurity policy advisor Michael Daniel, Sen. Kirsten Gillibrand (D-N.Y.) argued the need for a more unified response to cyber threats.  

"A significant aspect of any federal strategy should ... include policies that ensure that different agencies within the government are not hindered in their ability [to] share information and respond appropriately when there is a known and ongoing threat to the federal cyber infrastructure," she wrote. Gillibrand wants the administration to create "clear legal authority and processes to facilitate a seamless response to cybersecurity threats to federal agencies."

Schwartz said the government needs to lead by example on cyber by protecting federal networks. He cited the nascent DHS continuous diagnostics and mitigation program and ongoing efforts to improve identity management for users of agency systems as examples. But federal systems are still subject to threats, and phishing techniques that embed malware in computers are the leading avenue of attack.

"There has been a lot of growth and effort in this space, but clearly we still have more work to do," he said.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
