Ongoing deployments of technologies designed to detect and prevent intrusions by cyber threats against government networks, and of other systems designed to monitor for computer viruses inside those networks, go hand in hand with the need to share cyber threat data between the public and private sectors, a Department of Homeland Security (DHS) official said on Wednesday.
As the federal government improves its cyber security “we learn things” to help protect partners in the private, state, local and territorial sectors, and when these sectors uncover and learn about threats “we can use that information to protect” federal networks, Andy Ozment, assistant secretary for the Office of Cybersecurity and Communications within the DHS National Protection and Programs Directorate, told the House Homeland Security Subcommittee on Cybersecurity.
The deployments of the EINSTEIN intrusion detection and prevention system, which provides perimeter protection, and of Continuous Diagnostics and Mitigation (CDM), which monitors inside networks, help the federal government detect and learn about threats, and “with information sharing legislation, we’ll be able to share that information outward,” Ozment said.
Rep. Michael McCaul (R-Texas), the chairman of the full committee, said at the beginning of the hearing that the House this year has passed legislation to promote the sharing of cyber threat data between the public and private sectors and called on the Senate to do the same.
Wednesday’s hearing was entitled “DHS’ Efforts to Secure .gov,” although much of it was focused on the announcement earlier this month of a cyber hack against the federal Office of Personnel Management (OPM) that has resulted in the theft, allegedly by Chinese hackers, of personally identifiable information belonging to more than 4 million current and former federal employees and potentially up to 18 million records.
Ozment also said that cyber security legislation is needed to help DHS and the Obama administration further the deployment of the EINSTEIN system across the federal government by removing obstacles related to agencies’ concerns about data sharing.
“Some agencies have questioned how deployment of EINSTEIN under DHS authority relates to their existing statutory restrictions on the use and disclosure of agency data,” Ozment stated in his prepared remarks. “DHS and the Administration are seeking statutory changes to clarify this uncertainty and to ensure agencies understand that they can disclose their network traffic for narrowly tailored purposes to protect agency networks, while making clear that privacy protections for the data will remain in place.”
EINSTEIN works by matching network traffic against known threat signatures to try to stop malicious code from entering a government network. In the case of the OPM breach, the code was unknown to the system, which is referred to as a zero-day attack.
Ozment said that DHS is trying to get beyond the limitations of EINSTEIN by “developing advanced malware and behavioral analysis capabilities that will automatically identify and separate suspicious traffic for further inspection, even if the precise indicator has not been seen before. We are examining best-in-class technologies from the private sector to evolve to this next stage of network defense.”
Despite those limitations, EINSTEIN proved useful after the OPM breach was discovered: the newly learned threat indicator was applied “back in time” to investigate other compromises across the federal government, Ozment said. That search revealed that OPM data stored on Department of Interior networks had been compromised, leading to mitigation that would not have been accomplished as quickly without EINSTEIN. The system was then used to see whether data had been exfiltrated, he said.
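The two steps Ozment describes, signature matching that misses an indicator nobody has seen yet, and a later retrospective sweep of stored records once the indicator is known, are easy to show in miniature. The script below is an added example written for this article; it is not EINSTEIN code, DHS code, or any real record format. The flow-log format, the agency names, the IP addresses, domains and byte counts are all constructed for the example (documentation ranges, not real indicators).

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample flow records, one per line:
# "timestamp agency src_ip dst_ip dst_domain bytes_out".
# Format and values are assumptions for this example, not EINSTEIN's real record format.
SAMPLE_FLOWS = """\
2015-04-02T10:15:00 OPM 10.1.4.22 198.51.100.7 updates.example-cdn.test 4200
2015-04-03T02:40:00 OPM 10.1.4.22 203.0.113.45 opm-learning.test 950000
2015-04-05T03:10:00 DOI 10.8.2.9 203.0.113.45 opm-learning.test 1200000
2015-04-06T09:00:00 DOI 10.8.2.9 198.51.100.7 updates.example-cdn.test 1800
2015-04-07T01:05:00 OPM 10.1.4.30 203.0.113.46 telemetry-sync.test 640000
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    agency: str
    src_ip: str
    dst_ip: str
    dst_domain: str
    bytes_out: int


@dataclass(frozen=True)
class Indicator:
    kind: str      # "ip" or "domain"
    value: str
    campaign: str  # label for the activity this indicator belongs to


def parse_flows(text):
    """Parse the constructed flow format into Flow records, oldest first."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agency, src, dst, domain, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), agency, src, dst, domain, int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)


def matches(flow, ind):
    """Exact-match signature check: the same test a perimeter sensor applies in real time."""
    if ind.kind == "ip":
        return flow.dst_ip == ind.value
    if ind.kind == "domain":
        return flow.dst_domain == ind.value
    raise ValueError(f"unknown indicator kind: {ind.kind!r}")


def retrohunt(flows, indicators):
    """Apply an indicator set 'back in time' to stored flows.

    Returns (flow, {campaign names}) pairs, one per matching flow, in
    chronological order. Retained records make this possible even though the
    sensor matched nothing when the traffic originally crossed the perimeter.
    """
    hits = []
    for f in flows:
        campaigns = {ind.campaign for ind in indicators if matches(f, ind)}
        if campaigns:
            hits.append((f, campaigns))
    return hits


def agencies_affected(hits):
    """Which networks the retrospective sweep turned up, for follow-up."""
    return sorted({f.agency for f, _ in hits})


def exfil_candidates(hits, threshold=500_000):
    """Among indicator hits, flag large outbound transfers as possible exfiltration."""
    return [f for f, _ in hits if f.bytes_out >= threshold]


# Signature set the sensor had before discovery (constructed): it does not
# contain the intrusion's indicator, so real-time matching finds nothing.
KNOWN_BEFORE_DISCOVERY = [Indicator("domain", "known-bad.test", "older-campaign")]

# Indicator learned during the response (constructed values, not real IoCs).
LEARNED_FROM_RESPONSE = [
    Indicator("ip", "203.0.113.45", "opm-intrusion"),
    Indicator("domain", "opm-learning.test", "opm-intrusion"),
]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("hits with day-one signatures:", len(retrohunt(flows, KNOWN_BEFORE_DISCOVERY)))
    hits = retrohunt(flows, LEARNED_FROM_RESPONSE)
    for f, names in hits:
        print(f"{f.ts.isoformat()} {f.agency} {f.src_ip} -> {f.dst_ip} "
              f"({f.dst_domain}) {f.bytes_out} B {sorted(names)}")
    print("agencies affected:", agencies_affected(hits))
    print("exfil candidates:", [f.agency for f in exfil_candidates(hits)])
```

Two points the run makes that the article only states: the day-one signature set produces zero hits, which is exactly the zero-day gap, and the same exact-match logic, once fed the learned indicator, surfaces the earlier OPM connection and the later one from the second agency's network, with the byte counts giving the first lead on whether data left. The last sample flow, to an adjacent address and a different domain, is deliberately not matched: exact indicators only find what they name, which is the limitation the behavioral analysis Ozment mentions is meant to close.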