Can DHS get it together?
Twelve years after its creation, the Department of Homeland Security is at a crossroads in how it handles its ever-evolving cybersecurity mission. On the one hand, the department says it lacks the legal authority to tackle the subject, and it struggles to hire and retain cybersecurity experts. On the other hand, former DHS officials say key cybersecurity programs and the department's ability to coordinate the response to cyber threats -- internally, with other agencies and with industry -- has markedly improved.
The department's technical efficacy in cybersecurity might now rest on how well its separate programs of intrusion detection and Continuous Diagnostics and Mitigation can complement each other.
That mixed report card reflects the challenges of harnessing a big bureaucracy to defend federal civilian networks and the emphasis the department has placed on cybersecurity in recent years, although it has been part of the department's mission since its inception.
John Cohen, who until April was the acting undersecretary for intelligence and analysis at DHS, said various facets of cybersecurity under the department's charge, such as cyber intelligence and threat detection, have become better integrated than they were five or six years ago. Then, two of the department's main cyber-related divisions -- DHS' Office of Intelligence and Analysis and the National Protection and Programs Directorate -- suffered from stovepiping and subpar levels of communication. Threat analysis done by I&A was not very well integrated into the threat-detection activities that went on in NPPD, he said.
Coordination between the two divisions has come a long way, said Cohen, who is now chief strategy adviser at data-protection firm Encryptics. For starters, DHS' intelligence office has a seat at NPPD's hub for monitoring cyber threats, the National Cybersecurity and Communications Integration Center (NCCIC).
That closer intra-agency coordination was put to the test last year when President Barack Obama was considering airstrikes against the Syrian regime. Cohen said there was evidence that the Syrian Electronic Army, a hacking group sympathetic to Syrian President Bashar al-Assad, was considering retaliatory cyberattacks on U.S. assets if Washington struck Damascus.
The United States has since gone on to bomb the Islamic State in Syria but not Assad, and Cohen said the intelligence office shared cyber threat information coming from the Syrian Electronic Army with NCCIC, which in turn was able to give a more credible perspective of the threat to U.S. critical infrastructure. According to Cohen, that coordination would have been unlikely just a few years ago.
Rob Zitz, who was deputy undersecretary of preparedness at DHS from 2006 to 2007, said the department's cyber capability in those years was somewhat fragmented because of bureaucratic growing pains and evolving technology.
For Zitz, who is now senior vice president of Leidos, the introduction of a vast intrusion-detection program called Einstein in 2005 was a turning point in the department's prioritizing of cybersecurity.
Einstein is one of DHS' primary weapons for defending federal civilian networks. The intrusion-detection system is designed to provide the department's U.S. Computer Emergency Readiness Team (US-CERT) with a "snapshot of the health of the federal government's cyberspace," as a DHS description puts it. The program installs sensors at Web access points on federal agency networks and sifts through that data looking for vulnerabilities.
As of August 2013, according to an inspector general report published in March, NPPD had spent more than $321 million on intrusion-detection capabilities. (When asked for an updated tally of Einstein's costs, a DHS spokesman referred FCW back to that figure.)
Einstein is now the tip of the spear in the U.S. government's response to the most acute cyber threats. And yet its efficacy is evidently undercut by the department's nebulous legal mandate to implement it. Deploying Einstein throughout the executive branch "has been significantly delayed by the lack of clear authorities for DHS," said then-NCCIC Director Larry Zelvin in testimony before the House Homeland Security Committee in May. Zelvin, who left DHS in August and is now director of Citi's Cyber Security Fusion Center, declined to be interviewed for this story. A DHS spokesman also declined to make current cybersecurity officials available for an interview.
Although DHS is responsible for guarding federal civilian networks, it needs permission from each agency, through a memorandum of agreement, to deploy Einstein on its network. That bureaucratic conundrum was on display in the government's response to Heartbleed, an OpenSSL vulnerability that emerged in April.
Einstein was able to detect the bug's threat to federal networks but, as Deputy Undersecretary for Cybersecurity and Communications Phyllis Schneck said recently, nearly a week passed before lawyers from various agencies could agree to allow DHS' technical team to scan agency networks and mitigate the threat. A cybersecurity adviser on the Senate Homeland Security and Governmental Affairs Committee, one of several congressional committees with jurisdiction over DHS, said department officials were prompt in briefing committee members on the nature of the Heartbleed threat. But in this case, word of the threat got out much quicker than DHS could deploy Einstein to address it.
In July, the House passed the kind of legislation that senior DHS officials have long been calling for. The National Cybersecurity and Critical Infrastructure Protection Act would codify and enhance NCCIC as the hub for sharing threat information across sectors. The bill, which now sits before the Senate Homeland Security and Governmental Affairs Committee, will compete with several other measures for lawmakers' attention during the lame-duck session this fall. However, a committee aide expressed optimism that bipartisan support for doing something on cybersecurity would help the bill's chances.
Too big a piece of the puzzle?
Einstein is a central piece of DHS' cyber defense. Indeed, some experts warn that it could be too central to the effort.
John Pirc, a former cybersecurity researcher at the CIA and until recently chief technology officer at IT testing organization NSS Labs, said he believes DHS might be making a mistake by relying so heavily on Einstein.
The kind of intrusion-detection systems Einstein uses are "typically myopically focused on exploits," Pirc said. "If you have a pared-down list of known vulnerabilities or exploits...are those current or are those legacy? And the reason why that's important is that the adversary is not always going to be using new techniques. They're going to use old stuff...for the mere fact of trying to evade the system."
Pirc argues that Einstein's signature-based security technologies "only know what they're being told to look for" and don't address much of the encrypted traffic on networks. He said the program is helping the government improve its cybersecurity posture, but "where I think Einstein is falling short...is you're using technology that is only solving a fraction of the problem."
Ken Durbin, manager of Symantec's Continuous Monitoring and Cybersecurity Practice, said it is important not to think of Einstein as a silver bullet for the government's cybersecurity vulnerabilities but as one of an arsenal of weapons.
"I've heard several times that cybersecurity isn't like finding a needle in a haystack. It's like finding a dirty needle in a pile of needles," he said. "And any tool that you can use to pull out some of those needles to reduce the scope of your search is effective and useful."
Symantec, one of the largest information security firms in the world, was unsuccessful in its bid to have DHS use the firm's data repository to feed into Einstein, but Durbin said he gained intimate knowledge of the program in pursuit of that work.
In separate interviews, Durbin and Zitz described Einstein as a foundational tool for threat detection that complements another pillar of DHS' cybersecurity work: the Continuous Diagnostics and Mitigation program.
Congress established CDM as a risk-based approach to cybersecurity that uses sensors to detect weaknesses on agency networks and send alerts to local dashboards. Whereas Einstein addresses network traffic, CDM scans the endpoints of that traffic, such as servers and workstations, for vulnerabilities and secure configurations. Durbin said the two programs are symbiotic: CDM aggregates and correlates data that can be used to develop more security signatures for Einstein.
Zitz said DHS' treatment of Einstein as just one piece of the cyber puzzle "is indicative of the maturation of...NPPD [as a place] where all of those pieces come together now."
Still lacking manpower
Despite the rise in automated cybersecurity services, which can reduce the manpower needed for some security missions, complex programs such as Einstein and CDM require experts to carry them out. And DHS has at times struggled to hire and retain those experts. Cybersecurity professionals can earn significantly more money in the private sector than they can in government, and the work can require long and stressful hours on the job.
A recent front-page Washington Post article states that a high turnover rate among senior DHS cybersecurity officials has hampered the department's work. From June 2011 to March 2012, five such officials left for the private sector, according to the Post. But Zitz rejected the notion of instability among the department's cybersecurity leadership. He cited Ann Barron-DiCamillo, who has worked at US-CERT for two years and been its director since January 2013, as one example of continuity.
"I think you've got stability in the leadership," Zitz said. "I think a continuing concern is more so the idea that the subject-matter experts and technical experts who are inside of government, who are performing cybersecurity duties -- they are extremely valuable and sought after in the private sector as well."
Here, again, Congress could help. On Sept. 18, the Senate approved a measure that would give DHS Secretary Jeh Johnson greater authority to hire cybersecurity professionals and pay them salaries commensurate with those of cybersecurity experts at the Defense Department. The average annual salary for cybersecurity professionals, public or private, is around $80,000, according to a recent Rand study, which cited 2012 data from the Office of Personnel Management. More than one-quarter of federal security employees earn $74,872 to $97,333, or somewhere near that industry average, according to the study.
Yet there is a roughly $155,500 ceiling for how much the government can pay cybersecurity professionals, while top private-sector jobs can offer several hundred thousand dollars in annual pay. As the Rand study notes, "Once professionals can command more than $250,000 a year, the competitiveness of the U.S. government as an employer suffers correspondingly."
Regardless of any action Congress takes on cybersecurity hiring, private-sector IT experts will, in general, always earn more than their public-sector counterparts. But it is not always about the money. DHS recruiters hope their appeals to a sense of mission to protect federal networks in cyberspace will resonate as that mission grows clearer.
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.