DHS Inspector General Says Office Has No Idea How New Cybersecurity Act Is Supposed To Be Implemented
from the OIG-to-Congress:-you-made-this-mess,-now-fix-it dept
The reanimated CISA, redubbed The Cybersecurity Act (a.k.a., OmniCISA) and hurried through the legislative process by stapling its 2000 pages to the back of a “must-pass” budget bill, is still in the processes of implementation. Not much is known about what the law is intended to do on the granular level, other than open up private companies to government surveillance so the USA can beat back “the cyber.”
Surveillance aficionados were quick to lean on private companies to start sharing information, but the government needs to be taught new tricks as well. There’s plenty of info siloing at the federal level, which keeps the DHS, FBI, and others involved in the cyberwar from effectively communicating, much less sharing anything interesting they might have had forwarded to them by the private sector.
The federal government has been less than successful in securing its own information — something CISA was also supposed to fix. The DHS’s Inspector General has performed a follow-up investigation on the department’s implementation of CISA’s requirements. For the most part, things seem to be moving forward, albeit in a vague, undefined direction.
The OIG notes that the DHS has put together policies and procedures and, amazingly, actually implemented some of them. Better still, it has moved many critical account holders to multi-factor authorization. Unfortunately, the DHS still has a number of standalone systems that can’t handle multi-factor authorization, which will make them more vulnerable to being breached.
That’s pretty much the end of the good news. There are still holes in the DHS’s data systems at a very critical juncture. From the report [PDF]:
Although the Department has established software inventory policies, not all DHS components used data exfiltration protection capabilities to support data loss prevention, forensics and visibility, and digital rights management. Further, the Department had not developed policies and procedures to ensure that contractors implement data protection solutions.
Then there’s this part of the report, which shows that no one truly understands the 2000-page law — not even the DHS’s first level of oversight, which can’t even tell what the agency is supposed to be doing to comply with the new law. (h/t Eric Geller)
DHS and its Components can benefit from additional data protection capabilities and policy to help ensure sensitive PII and classified information are secure from unauthorized access, use, and disclosure. We are submitting this report for informational purposes to the appropriate Congressional oversight committees, as required by the Act. Due to a lack of specific criteria, this report contains no recommendations.
This explains why the report is so short: the OIG doesn’t have anything to work with. Two thousand pages and yet the Cybersecurity Act’s demands and goals remain so vague that all the Inspector General can do is take a cursory look at the DHS’s security protocols and see if they’ve improved. Beyond that, the DHS and its Inspector General have no specifics to guide them and no firm goals to reach. So, the Inspector General’s office is doing the only thing it can do: kick the problem over to the legislators who created it.
This is already quite the problem considering the DHS is flying blind with achieving its internal directives. What makes matters worse is the DHS is a clearinghouse for the information and data obtained from private companies — like ISP monitoring of user activity for “cybersecurity purposes” — and is in charge of determining whether or not any personally-identifiable information needs to “scrubbed” before it is passed on to other government agencies.
If it doesn’t have enough guidance to determine what direction it should be going in securing its own systems, it presumably has far less when it comes to the handling of private sector information. Those privacy protections were stripped during CISA’s swift push through Congress and replaced with a DOJ judgment call on whether or not the DHS has performed an adequate scrub before handing over data to the FBI, NSA, et al. “Lack of specific criteria” pretty much defines the government’s approach to domestic surveillance — which is enabled by this law: grab it all now; figure it out later.
Filed Under: cisa, cispa, cybersecurity, cybersecurity act, dhs
Comments on “DHS Inspector General Says Office Has No Idea How New Cybersecurity Act Is Supposed To Be Implemented”
2000 pages.
The reason that the government cannot control its agencies is clear, the laws are so voluminous that nobody reads them, and they can probably be read to justify whatever the agency wants to do.
Re: 2000 pages.
That’s a feature, not a bug.
Re: Re: 2000 pages.
You have to applaud the accomplishment. War and Peace was 1200 pages.
Writing something that long and saying nothing, by it’s very nature is an extraordinary achievement.
Ignorance of the law is no excuse.
Unless you’re enforcing it. Then it totally is.
State of the art, gobment style
That is a great image, Government agents using wooden clubs to beat the tar out of digital packets, hoping they won’t get electrocuted, then realizing they were supposed to be collecting those packets. Looks at club, looks at packets…collecting????
Re: State of the art, gobment style
digital garbage bags, that is the answer!
(how many 0’s and 1’s can ya fit into a 50 gallon digital garbage bag anyway?)
Re: Re: State of the art, gobment style
Remember
But remember, no matter how vague the law is, *you* are still guilty.
Another job opening, I really should update my résumé.
I have a few constitutional amendments in my back pocket
One of them is, “bills shall be of a single subject.” Sure, there will be lots of fighting about what constitutes a single subject, but no more omnibus late night rider crap. The issue stands or falls on its own. Period.
Re: I have a few constitutional amendments in my back pocket
No mandate shall be made of the people that is not carried out on House and Senate.
Re: I have a few constitutional amendments in my back pocket
Puh-lease.
Silly patriot. Composition standards are for peasants.
Just to add...
On top of this apparently sharing ISN’T increasing despite it’s passage.
http://www.eweek.com/security/cyber-threat-data-sharing-off-to-slow-start-despite-u.s.-legislation.html?platform=hootsuite
Now add how DHS is a fucking mess in how it’s trying to implement and it’s no surprise.