The Department of Homeland Security (DHS) is reviewing how it goes about responding to cyber security incidents across the federal civilian government even if an agency doesn’t request help, a department official said on Tuesday.
In 2016, a computer system used by the U.S. Securities and Exchange Commission to receive corporate financial disclosures was breached. The agency, which protects investors and ensures fairness in the markets, detected the breach in late 2016 and publicly disclosed it in Sept. 2017.
Since the breach was first discovered by the SEC, DHS has played little to no role in helping the agency with the response to the incident.
“Sir, we have very limited involvement with the SEC,” Jeanette Manfra, assistant secretary for Cybersecurity and Communication at DHS, told the House Homeland Security Subcommittee on Cybersecurity in response to a question from Rep. Jim Langevin (D-R.I.). “They did not request our follow-on assistance for a response.”
DHS was notified of the SEC breach on Nov. 4, 2016, Manfra said. She added that “at that time, the extent of the issue was not well understood.”
Given the time constraints of the panel’s hearing, Manfra offered to provide Langevin and other interested subcommittee members more details in separate briefings.
Langevin also asked Manfra how DHS could better work with federal civilian agencies in the future.
In response, she said, “Sir, in addition to this incident as well as several others, we are reviewing our procedures to ensure that it’s clear that when an incident happens what role the department needs to play in response, not just at the request of an agency; and that if we’re looking at critical services and functions, then the department needs to have a more active role in that response regardless of whether the agency requests it.”
Manfra told Langevin that her office would be “happy to come in and have a more fulsome conversation with you about that.”
As to the other incidents mentioned by Manfra that prompted DHS to review how it responds to federal network breaches, a DHS spokesman told Defense Daily that the department doesn’t have “any other specific examples.”
The roles of DHS in helping oversee the security of federal civilian computer networks include assisting in creating security programs and working with agencies to strengthen their security posture. The department also shares cyber threat information with agencies and the private sector.
DHS also provides technical help to federal civilian agencies, including overseeing the procurement of sensor tools for monitoring cyber security on their networks and the monitoring of Internet traffic into agencies for potential threats.
President Donald Trump in May issued an executive order directing that department and agency heads ultimately be responsible for the security of their networks.
On Sept. 20, Jon Clayton, chairman of the SEC, released a lengthy statement on cyber security. Buried in the statement was mention of the 2016 breach. He also said that in August, the SEC learned that the breach “may have provided the basis for illicit gain through trading.”
On Oct. 2, Clayton made another statement that the SEC’s ongoing investigation found that personal information of two individuals was disclosed in the earlier breach. He also outlined steps the commission is taking to strengthen its cyber security posture, including hiring more staff and outside technology experts, and the establishment of a “senior-level” working group to find ways to improve “management and oversight of cybersecurity across the SEC’s divisions and offices.”
In response to a query from Defense Daily regarding the SEC not seeking further assistance from DHS following notification of the breach last year, a commission spokesman provided a link to Clayton’s Oct. 2 statement, adding that the SEC has “no additional comment.”
In the statement, the SEC also says that “Other initiatives resulting from the general cybersecurity assessment Chairman Clayton initiated in May are ongoing or will commence shortly. These include internal, Commission-level incident response exercises and continued interaction on cybersecurity efforts with other government agencies and committees, including the Department of Homeland Security, the Government Accountability Office and the Financial and Banking Information Infrastructure Committee.”