The Homeland Security Department is rushing to give civilian agencies tools so they can share information about cybersecurity threats nearly as they happen, Secretary Jeh Johnson said Wednesday.
Acknowledging that the government’s cybersecurity capabilities are not where they need to be, Johnson said he had made boosting those capabilities “a personal mission.”
He is elevating the department’s cyber information-sharing hub so that its leaders report directly to him. The National Cybersecurity and Communications Integration Center, or NCCIC, coordinates incident communication and response among civilian agencies and the private sector.
It has an “aggressive schedule for deployment of next-generation information sharing techniques,” he told the audience at the Center for Strategic and International Studies in Washington.
“One of the things we’re doing with considerable urgency is getting to near-real-time information sharing, so when something comes in the door, we can do the proper vetting for privacy and so forth and get it out in automated fashion to players who need that information,” he said.
DHS automates the sharing of cyber-threat indicators. One agency has begun receiving information through the system a month ahead of schedule. Johnson said he expected “multiple” agencies, as well as companies that regularly work with NCCIC, to join in by October.
At the same time, agencies are becoming more diligent about their own cyber defenses, he said. DHS ordered agencies on May 21 to fix critical vulnerabilities in their networks that the NCCIC had identified. For the first time, the department compelled agencies to act quickly by issuing a “Binding Operational Directive,” which Congress last year gave it the authority to do. It would be the first of many, he said.
“We’re going to do a lot more of these because we saw that agencies were able to clean up something like 60 percent of the vulnerabilities we identified in a very short amount of time,” he said.
Johnson’s remarks come on the heels of multiple data breaches at the Office of Personnel Management. Investigations into those breaches are ongoing. The government still is not prepared to publicly identify the leading suspect, he said.
As if to underscore the urgency for this type of communication among agencies and companies alike, Johnson said that United Airlines, the New York Stock Exchange and the Wall Street Journal had suffered cyber “malfunctions” earlier in the day. He had spoken to leaders of all three organizations, he said.
Johnson urges Congress to pass cybersecurity legislation
Johnson called on Congress to pass legislation that would knock down remaining barriers to sharing cyber-threat information. Agency lawyers are still reluctant to share sensitive information with DHS, which slows down the government’s response, said Johnson, a former Pentagon lawyer.
He endorsed House legislation that would spell out DHS’ legal authority to receive information about cybersecurity risks from other parts of the government. The authority is particularly important as the department prepares to launch EINSTEIN 3A, a system capable of identifying and blocking cyber threats, throughout the government. Johnson has ordered DHS to make parts of the system available to the entire civilian government by the end of the year. It currently covers 45 percent of those agencies.
He also reiterated his support for legislation that would legally protect companies that share this sort of information with the government. Congress has repeatedly attempted, and failed, to pass measures that would shield companies from civil and criminal prosecution.
“From my corporate-lawyer days, I know how boards of directors think. Limiting liability for sharing cyber threat indicators is meant to be a strong encouragement and inducement to help us in the cybersecurity mission of the country,” he said.
He said he was encouraged by Congress’ recent attention to the government’s cybersecurity problems.
Other senior officials have pointed to China as the most likely perpetrator of the OPM data breaches. Johnson said he had visited Beijing in April to meet with Chinese government officials and that he would continue to talk with them about cybersecurity in hopes of reaching common ground. But he said it was “a work in progress.”
“We have differing views on a lot of fundamental issues, a lot of fundamental understandings about the nature of cybersecurity,” he said.
When asked whether the United States would consider such breaches acts of war, Johnson said he paid little heed to how such events are characterized.
“It’s more significant that the response be proportionate, although not necessarily of the same kind,” he said. “We don’t need to say it’s an act of war to respond proportionally. I believe appropriate responses are important.”