Homeland Security Secretary Jeh Johnson on Wednesday said his department is undertaking a number of new steps to address cyber security concerns, including new reporting requirements within his department and accelerating technology initiatives, in response to ever increasing cyber attacks, including the recently disclosed breach of networks at the federal Office of Personnel Management.
“To be frank, our federal cyber security is not where it needs to be,” Johnson said at a speech at the Center for Strategic and International Studies. “But we have taken, and are taking, accelerated and aggressive action to get there.”
One such recent action was giving the department’s around-the-clock cyber watch center, the National Cybersecurity and Communications Integration Center (NCCIC), a direct reporting line to Johnson, he said. Previously the NCCIC, which includes stakeholders and partners from other federal agencies and departments and the private sector, reported through the Office of Cybersecurity and Communications within the National Protection and Programs Directorate.
So far in fiscal year 2015 the NCCIC has shared over 6,000 bulletins, alerts, and warnings, and responded to 32 incidents on-site, double the number for all of FY ’14, Johnson said.
Johnson also highlighted the advancements of the EINSTEIN cyber defense system, which is managed from the NCCIC. EINSTEIN 3 Accelerated (E3A), the latest version of the system, protects over 931,000 federal personnel, or about 45 percent of the federal civilian workforce, a significant increase over the December 2014 level of 200,000 personnel.
Johnson has directed that the department make E3A fully available to all federal departments and agencies and “challenged us to make aspects of E3A available to all federal civilian departments and agencies by the end of 2015.”
The EINSTEIN system is a basic layer of protection at the network perimeters of federal civilian departments and agencies. EINSTEIN 1 acts like a recording camera, observing basic information about activity entering and exiting a network. EINSTEIN 2 detects known prohibited adversaries that enter or exit networks, alerting personnel to the adversaries. These two versions currently protect all federal civilian traffic routed through a secured gateway to the internet, Johnson said.
E3A resides with Internet Service Providers (ISP) that serve the federal government. It can both identify and block known malicious traffic. It also uses classified information to protect unclassified government systems and information.
Since its introduction, E3A has blocked over 550,000 requests to access potentially malicious websites, Johnson said.
The secretary also highlighted the Continuous Diagnostics and Mitigation (CDM) effort, a program meant to fix problems within the network perimeters of federal agencies in near-real-time. “Once fully deployed, CDM will monitor agency networks internally for vulnerabilities that could be exploited by bad actors that have breached the perimeter,” Johnson said. This program also has three phases.
The first, currently being deployed, checks that computers and software on agency networks are secure. The second phase will monitor users on the networks to ensure they are not engaging in unauthorized activity. The final phase will assess activity within networks to identify anomalies and alert personnel.
Whereas the first phase of CDM is currently available to eight agencies covering more than 50 percent of the federal civilian government, Johnson has directed DHS to make the first phase available to 97 percent of the federal civilian government by the end of this fiscal year, Sept. 30, 2015. He said the department is requesting congressional authorization for more funding to speed up phase two.
Johnson also pointed to three areas he wants Congress to include in cyber legislation.
First, “Congress should expressly authorize the EINSTEIN program,” he said. “This would eliminate any remaining legal obstacles to its deployment across the federal government.” Johnson noted the House has passed H.R. 1731, which accomplishes this, although the Senate has yet to do so (Defense Daily, April 23).
Second, the government must incentivize the private sector to share cyber threat indicators with the federal government through the NCCIC in a way that provides protection from civil and criminal liability. H.R. 1731, as well as several other information sharing bills in Congress, contains relevant provisions.
Third, the government requires “a national data breach reporting system, in lieu of the existing patchwork of state laws on the subject, and enhanced criminal penalties for cybercrime,” Johnson said.
DHS has responsibility for protection of the federal civilian computer networks, but “legally,” the heads of agencies and departments have responsibility for their own systems, Johnson said. He said there are times when agency lawyers block information sharing, arguing, for example, that the sought-after information is “sensitive.”
“And as I see it and where we see it, where we need help in protecting federal cyber security, is making express our legal authority to receive information from other departments and governments,” Johnson said. That authority would “make it plain that when we utilize things like EINSTEIN (and) EINSTEIN 3A, those other agencies are authorized to share information with us, to give us access to [their] network.”
Johnson also said that DHS is working to improve the automation of the sharing of cyber threat indicators so that it occurs in near-real-time. He said he has directed NCCIC to pursue an “aggressive schedule” with this automated sharing and “extend this capability across the federal government and to the private sector.”
So far one agency is using this automated sharing capability, which is a month ahead of schedule, and “we expect multiple agencies and private sector partners will begin sharing and receiving information through this automated system by October of this year,” he said.
The automated sharing systems are known as TAXII, the Trusted Automated eXchange of Indicator Information, STIX, the Structured Threat Information eXpression, and CybOX, the Cyber Observable eXpression.
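The article describes two things without showing either: structured indicator sharing (STIX/TAXII/CybOX) and a perimeter sensor that either alerts on known-bad traffic (EINSTEIN 2) or blocks it (E3A). The example below is an added illustration, not DHS, NCCIC or EINSTEIN code. It assumes a STIX 2.1-style JSON bundle as the shared indicator document (the 2015 STIX/CybOX formats were XML; the JSON shape here is an assumption), supports only the simple `[object:value = '...']` pattern form, and runs constructed proxy-style log lines through both an alert mode and a block mode. Every domain, URL and address in it is a constructed placeholder.

```python
"""
Added example (not the article's or DHS's code): load indicators from a
STIX 2.1-style bundle and apply them to proxy log lines, mimicking
detect-and-alert (EINSTEIN 2) versus detect-and-block (E3A).
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed STIX 2.1-style bundle. Domain and URL values are placeholders
# in the reserved .invalid TLD, not real indicators.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "name": "Placeholder command-and-control domain",
            "pattern": "[domain-name:value = 'bad.example.invalid']",
            "pattern_type": "stix",
            "valid_from": "2015-07-08T00:00:00Z",
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "name": "Placeholder malware download URL",
            "pattern": "[url:value = 'http://dl.example.invalid/payload.exe']",
            "pattern_type": "stix",
            "valid_from": "2015-07-08T00:00:00Z",
        },
    ],
})

# Constructed proxy-style log lines: "<client> <method> <url>".
SAMPLE_LOG = [
    "10.1.2.3 GET http://www.example.com/index.html",
    "10.1.2.4 GET http://bad.example.invalid/beacon",
    "10.1.2.5 GET http://dl.example.invalid/payload.exe",
    "10.1.2.6 GET http://dl.example.invalid/readme.txt",
]

# Only the single-comparison pattern form is handled; anything else is
# skipped rather than guessed at (a full STIX pattern grammar is much larger).
_PATTERN_RE = re.compile(r"^\[(?P<obj>[a-z-]+):value\s*=\s*'(?P<val>[^']+)'\]$")


@dataclass
class Indicator:
    stix_id: str
    object_type: str   # "domain-name" or "url"
    value: str


@dataclass
class Verdict:
    line: str
    action: str                      # "allow", "alert" or "block"
    matched: Optional[str] = None    # id of the matching indicator, if any


def load_indicators(bundle_json: str) -> List[Indicator]:
    """Extract supported indicator objects from a STIX 2.1-style bundle."""
    bundle = json.loads(bundle_json)
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _PATTERN_RE.match(obj.get("pattern", ""))
        if m is None:
            continue
        found.append(Indicator(obj["id"], m.group("obj"), m.group("val")))
    return found


def _host_of(url: str) -> str:
    """Return the host part of a URL (scheme, path and port stripped)."""
    no_scheme = re.sub(r"^[a-z]+://", "", url)
    return no_scheme.split("/", 1)[0].split(":", 1)[0]


def evaluate(log_lines: List[str], indicators: List[Indicator], mode: str) -> List[Verdict]:
    """Match each log line against the indicator set; mode is 'alert' or 'block'."""
    if mode not in ("alert", "block"):
        raise ValueError("mode must be 'alert' or 'block'")
    by_domain = {i.value: i for i in indicators if i.object_type == "domain-name"}
    by_url = {i.value: i for i in indicators if i.object_type == "url"}
    verdicts = []
    for line in log_lines:
        _client, _method, url = line.split(maxsplit=2)
        # A URL indicator matches only that exact URL; a domain indicator
        # matches every request to the host.
        hit = by_url.get(url) or by_domain.get(_host_of(url))
        if hit is None:
            verdicts.append(Verdict(line, "allow"))
        else:
            verdicts.append(Verdict(line, mode, hit.stix_id))
    return verdicts


def run_sample(mode: str) -> List[str]:
    """Actions taken on SAMPLE_LOG using SAMPLE_BUNDLE in the given mode."""
    return [v.action for v in evaluate(SAMPLE_LOG, load_indicators(SAMPLE_BUNDLE), mode)]


if __name__ == "__main__":
    for mode in ("alert", "block"):
        for v in evaluate(SAMPLE_LOG, load_indicators(SAMPLE_BUNDLE), mode):
            print(f"[{mode}] {v.action:5s} {v.line}  {v.matched or ''}")
```

The fourth log line is the edge case worth noticing: the bundle carries a URL indicator for one file on `dl.example.invalid`, not a domain indicator, so a different path on the same host is allowed. Whether that is the intended scope is a decision the indicator author makes when choosing between a `url` and a `domain-name` pattern, and a consumer should not silently widen it.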