The DHS Wants To Pitch In With The Cyberwar But Can't Even Be Bothered To Secure Its Own Backyard
from the safe-as-homelands dept
The US government has basically declared war over the Sony hacking, offering full-throated support for the beleaguered, embarrassed company. Why this one — rather than the countless hacks of corporate networks (including those where credit card data and personal information were compromised) — remains a mystery.
The end result has been a call for more government intrusion and a reanimation of CISPA’s lumbering corpse. “Share with us,” says the government. “Gird yourself for the cyber Pearl Harbor,” say its supporters. “Let us handle it,” say those whose desire for expanded government power exceeds their crippling myopia.
Yeah, let’s do that. Let’s allow the government to set the rules on cybersecurity. Let’s give agencies like the DHS — which can’t even be bothered to secure its own assets — more leeway to investigate and react to cyberthreats. (h/t to NextGov)
DHS lacks a strategy that: (1) defines the problem, (2) identifies the roles and responsibilities, (3) analyzes the resources needed, and (4) identifies a methodology for assessing this cyber risk. A strategy is a starting point in addressing this risk. The absence of a strategy that clearly defines the roles and responsibilities of key components within DHS has contributed to a lack of action within the Department. For example, no one within DHS is assessing or addressing cyber risk to building and access control systems particularly at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) as of October 2014.
That’s the Government Accountability Office’s assessment of the DHS’s qualifications as a potential cybersecurity agency. [pdf link] This is the agency tasked with securing federal assets and ensuring the safety of not only government employees, but Americans in general. And it can’t do it. In fact, it can’t even begin to do it.
Despite being specifically directed by 2002’s Federal Information Security Management Act (FISMA) to periodically assess risks, report on them and DO SOMETHING ABOUT IT, the agency has managed to blunder into 2015 with no specific plan to tackle cyberthreats to the federal buildings under its protection.
And, while the President and those pushing the revived CISPA seem rather keen on “sharing info,” it’s a one-way street, apparently. The DHS can’t even be bothered to share with other government agencies.
The Interagency Security Committee (ISC), which is housed within DHS and is responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyber threats to building and access control systems in its Design-Basis Threat report that identifies numerous undesirable events.
Whatever the DHS/ISC has managed to glean from situations like 2009’s hacking of a Dallas hospital’s HVAC system or 2006’s hacking of Los Angeles traffic signals hasn’t been passed on to other government agencies because the ISC believes “active shooters” and “workplace violence” are bigger threats. Maybe so, in terms of actual physical violence, but that’s no excuse for ignoring something the government as a whole considers to be its next battlefield.
So, why is the DHS so bad at this? It would seem to be two things: the DHS is too big to move at the speed the threat mandates and it’s always someone else’s job. Because it has failed to take charge of the situation (despite a federal mandate and a 2013 presidential policy directive [p. 8-9]), no one seems to know what to do, how to do it or even who should do it.
[B]ecause DHS has not developed a strategy, several components within DHS have made different assertions about their roles and responsibilities. For example, FPS’s Deputy Director for Policy and Programs said that FPS’s authority includes cybersecurity. However, FPS is not assessing cyber risk because, according to this official, it does not have the expertise. Furthermore, although ICS-CERT has developed a tool to assess cyber risk, it also is not assessing cyber risk to building and access control systems at federal facilities. Moreover, NPPD’s Federal Network Resilience is to, among other things, identify common cybersecurity requirements across the federal government, but it also is not working on issues regarding the cyber risk of building and access control systems in the federal government.
An official from the Office of the Under Secretary of NPPD acknowledged that NPPD has not yet determined roles and responsibilities, including what entity should conduct cyber risk assessments of FPS-protected facilities or what assessment tool should be used. This official said that the Department has not developed a strategy, in part, because cyber threats involving building and access control systems are an emerging issue.
Somehow, despite being well-financed and incredibly large, the DHS can’t find the time to properly assess the facilities it’s supposed to be “securing.”
Moreover, GSA [General Services Administration — reports to the DHS] has not conducted security control assessments for all of its systems that are in about 1,500 FPS-protected facilities. In November 2014, GSA information technology officials said that from 2009 to 2014, the agency conducted 110 security assessments of the building control systems that are in about 500 of its 1,500 facilities. GSA has not yet assessed the security of control systems with network or Internet connections in about 200 buildings. GSA officials stated that they plan to assess these systems during fiscal year 2015.
The GSA isn’t just being outpaced by hackers. It’s being outpaced by the government’s own slow stagger into the connected future. 800 systems are expected to switch from “standalone” to networked in the near future. The GSA plans to re-assess these systems’ security after the changeover, but it’s still working its way through the last half-decade’s backlog. With its parent agency unable to provide guidance and its other agencies unwilling to share information, the GSA becomes the third prong in this triumvirate of failure.
And what it does actually get around to assessing isn’t much help, either. Being crossed off the GSA’s to-do list means being no more safe than you were before the agency finally strolled through the door.
Further, our review of 20 of 110 of GSA’s security assessment reports (between 2010 and 2014) show that they were not comprehensive and not fully consistent with NIST guidelines. For example, in 5 of the 20 reports we reviewed, GSA assessed the building control device to determine if a user’s identity and password were required for login but did not assess the device to determine if password complexity rules were enforced. This could potentially lead to weak or insecure passwords being used to secure building control devices.
GSA also conducted its assessments of building control systems in a laboratory setting which allowed it to test components and to identify weaknesses in their default configuration. However, GSA does not conduct further assessments after installation when configuration settings may no longer reflect their default values. As a result, GSA has limited assurance that the configurations assessed reflect the configurations implemented in the facility, thereby increasing the risk that vulnerabilities in building control systems may not be detected.
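To make the two gaps in those findings concrete, here is a small checker, added as an illustration and not taken from the GAO report or from GSA’s own assessment tooling, that does what the report says was skipped: it tests password-complexity enforcement rather than stopping at “is a login required”, and it diffs the lab-assessed baseline against the configuration actually running on the installed device. The field names, thresholds and sample configurations are assumptions constructed for the example.

```python
# Added example (not from the GAO report or GSA): assessing a building control
# device's exported settings for the two gaps the report describes, i.e. checking
# only that a login is required while ignoring password complexity, and testing
# lab defaults without re-checking the configuration actually deployed on site.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DeviceConfig:
    # Field names are assumptions for illustration; real HVAC/access controllers
    # expose their settings differently.
    login_required: bool
    min_password_length: int
    complexity_enforced: bool
    enabled_services: frozenset = field(default_factory=frozenset)


MIN_LENGTH = 12                          # assumed policy threshold
CLEARTEXT_SERVICES = {"telnet", "http"}  # management services sent in the clear


def assess(cfg: DeviceConfig) -> list[str]:
    """Return findings; an empty list means the config passed every check."""
    findings = []
    if not cfg.login_required:
        findings.append("no authentication required")
    else:
        # The report notes GSA stopped here; complexity must be checked too.
        if not cfg.complexity_enforced:
            findings.append("password complexity not enforced")
        if cfg.min_password_length < MIN_LENGTH:
            findings.append(f"minimum password length {cfg.min_password_length} < {MIN_LENGTH}")
    for svc in sorted(cfg.enabled_services & CLEARTEXT_SERVICES):
        findings.append(f"cleartext management service enabled: {svc}")
    return findings


def drift(baseline: DeviceConfig, deployed: DeviceConfig) -> dict[str, tuple]:
    """Settings that differ between the lab-assessed baseline and the fielded device."""
    return {k: (v, getattr(deployed, k)) for k, v in vars(baseline).items() if v != getattr(deployed, k)}


# Constructed sample: the lab baseline requires a login (the check GSA did perform) but
# never enforced complexity; the fielded unit was further reconfigured after installation.
LAB_BASELINE = DeviceConfig(True, 8, False, frozenset({"https"}))
DEPLOYED = DeviceConfig(True, 4, False, frozenset({"https", "telnet"}))

if __name__ == "__main__":
    for name, cfg in (("lab baseline", LAB_BASELINE), ("deployed", DEPLOYED)):
        print(name, assess(cfg) or "OK")
    print("drift:", drift(LAB_BASELINE, DEPLOYED))
```

Run against a real export, the drift map is the list of settings a lab-only assessment would never have seen.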
This is the government that wants the nation’s companies to “partner up” against cyberthreats and cyberterrorism: the same government that can’t even ensure its own infrastructure is protected. And no one cares because compromising control systems doesn’t make for very sexy copy or hawkish soundbites about being “tough on cybercrime.”
If you need a solid argument against the government’s desire to play the part of (cyber)security guard to the nation’s companies, look no further than the GAO’s list of “Related GAO Products” (p. 34) that follows this report.
Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity. GAO-14-459. Washington, D.C.: June 5, 2014.
Information Security: Agencies Need to Improve Cyber Incident Response Practices. GAO-14-354. Washington, D.C.: April 30, 2014.
Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness. GAO-13-776. Washington, D.C.: September 26, 2013.
Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented. GAO-13-187. Washington, D.C.: February 14, 2013.
Cybersecurity: Threats Impacting the Nation. GAO-12-666T. April 24, 2012.
Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure. GAO-11-865T. Washington, D.C.: July 26, 2011.
Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks. GAO-08-526. Washington, D.C.: May 21, 2008.
Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain. GAO-07-1036. Washington, D.C.: September 10, 2007.
The government doesn’t have the skills necessary to ply its wares in the cybersecurity business. If it can’t lock down its own assets — despite seemingly limitless funding and manpower — it has nothing to offer the private sector but intrusiveness and harmful regulation.
Now, if you’re a fan of bad news, you’re going to love the worse news. The fight over who should head up the government’s War on All Things Cyber doesn’t put the DHS at the front of the list — but it’s not because the agency clearly can’t handle the job. It’s because agencies that are even more intrusive than the DHS want a piece of the action, namely the FBI and the NSA. If either of these two ends up in that position, expect to find domestic surveillance rules relaxed. The latter agency defines cybersecurity as “peeking in at everyone,” which is at odds with those on the receiving end (US companies) who believe being secure means removing backdoors or otherwise locking everyone out, not just the “bad guys.” That isn’t going to sit well with the FBI and NSA — one of which believes no one should be able to “lock out” law enforcement and one that intercepts hardware and inserts backdoors when not deploying malware for the same purpose. So, the DHS may be the lesser of three evils, if only because its incompetence exceeds its reach.