The Department of Homeland Security told Congress Tuesday that it’s seeing significant dividends from a new legal authority Congress granted the department in 2014: the ability to force other federal agencies to take concrete steps to improve their cybersecurity posture. DHS has issued four such directives in the past two years, two more than it’s previously disclosed.
The two additional orders, known as Binding Operational Directives, were sent to agencies by then-Homeland Security secretary Jeh Johnson in the final months of the Obama administration.
One, in September of last year, ordered agencies to immediately fix “urgent vulnerabilities” in firewall products made by Cisco. DHS didn’t specify exactly which problems the order addressed, but at about the same time, the department issued a public advisory warning that criminal networks were distributing malware that could allow hackers to take full control of the systems, known as Adaptive Security Appliances.
The department issued another directive in October, essentially to comply with a Congressional mandate in the 2014 Federal Information Security Modernization Act. The October directive sets out specific procedures agencies have to follow in reporting cybersecurity incidents and their overall cybersecurity posture to Congress, the Office of Management and Budget and DHS.
DHS’s first two binding operational directives have already been widely reported. The first, in May of 2015, told agencies to get to work immediately on mitigating their most critical vulnerabilities within 30 days. The second, last June, ordered that agencies participate in “DHS-led assessments” to identify and secure their highest-value IT assets.
Jeanette Manfra, the acting deputy undersecretary of Homeland Security for cybersecurity said the directive authority Congress created as part of the 2014 FISMA update has turned out to be an extremely valuable tool — giving DHS the authority to mandate security improvements instead of merely suggesting them, and overcoming agencies’ previous questions about legal authorities.
“They were all delivered by former Secretary Johnson directly to his peers in other departments, and we believe that’s part of the success of these directives,” she told the House Homeland Security Committee on Tuesday. “On the directive for critical vulnerabilities, we have excellent data showing that not only are agencies closing those, they’re reducing the time it takes to do so. We gave them 30 days — and many of those vulnerabilities had been open for more than a year. We’re now seeing a dramatic reduction in the amount of time it takes agencies to handle them. It’s a demonstrable change in behavior, and a reflection of the value of these binding operational directives.”
Indeed, at the time Johnson issued the first order on critical vulnerabilities, DHS had identified at least 360 “stale” ones — security holes that agencies had known about for more than a month but still hadn’t patched.
By contrast, Manfra said during an average month since December 2015, DHS scans of federal agency networks have turned up 40 critical vulnerabilities at any one time, and agencies are now moving quickly to fix them.
“And we did not close the binding operational directives on critical vulnerabilities or high value assets, because those are ones we want to continue to measure,” she said. “We’ll continue to work with agency chief information officers and chief information security officers and continue to provide them reports on their status. We think those are always valid.”
Manfra’s comments about operational directives came during a hearing in which lawmakers sought an overall assessment of DHS’s capabilities in securing federal civilian agency networks, just a week after the committee’s chairman, Michael McCaul, called for the creation of a new agency that would be exclusively charged with ensuring the cybersecurity of the .gov domain.
That topic did not come up in Tuesday’s hearing. But as a general matter, the Government Accountability Office said DHS’s efforts to secure federal networks have left a lot of room for improvement. As of last month, GAO had made roughly 2,500 recommendations to shore-up civilian agency cybersecurity, and about 1,000 have gone unaddressed.
For example, although DHS’s Einstein program now covers 45 agencies and 93 percent of the civilian workforce with tools that can detect and stop malicious software at network boundaries, even the latest version — Einstein 3a — can only spot malware that the government and its intelligence agencies have seen before.
“It is unable to detect intrusions for which it did not have a valid or enabled signature deployed, because it did not provide for an anomaly-based intrusion capability,” said Greg Wilshusen, GAO’s director for information security issues. “Such a capability involves comparing current network activity against pre-defined baselines of normal behavior to identify deviations that could indicate malicious activity. Einstein was also unable to detect exploits across all types of network traffic, because it wasn’t monitoring all types of traffic.”
Manfra said DHS agrees with GAO’s conclusions about Einstein, adding that the department is trying to improve it in at least three areas, including by making sure the threat signatures it uses to flag malware are accurate and up-to-date.
“Signatures are still a useful capability,” she said. “We want to ensure we’re using our private-sector partnerships to increase both the quantity and quality of those. We also need to ensure that agencies understand that this is not black-or-white; we need to give them information about the severity of the threats — what we call reputation scoring. And we are working on anomaly-based detection. It’s more challenging, the technology does exist in industry and we are piloting it, but we’re still trying to understand the challenges from those pilots before we fully-deploy it.”
The hearing also touched briefly on the DHS workforce that’s in charge of handling complex tasks like scanning agency systems for vulnerabilities, and whether the government has sufficient tools at its disposal to hire and retain top-notch cyber experts.
“What I hear from a lot of government employees is that they’re sitting next to a private contractor every day, but that those contractors are paid one-and-a-half times as much for the same work,” said Rep. Bennie Thompson D-Miss. “That affects morale, and it affects a lot of other things.”
Manfra said the department has the same concerns about employee retention and morale, but there are reasons for optimism.
Congress has already granted DHS several new authorities to boost its cyber workforce, including one to onboard employees into an “excepted service” that bypasses many of the usual restrictions on civilian hiring.
And a Cyber Skills Incentive Program the department implemented last year has already begun to slow down the loss of DHS cyber employees to private industry by offering retention bonuses of up to 25 percent of a worker’s base salary, depending on their certifications.
“That program, for now, while we work to implement the excepted service, has actually had a drastic effect in reducing our attrition rate,” she said. “We were at about a 13 percent attrition rate and we’re now down to nine, which we think is commensurate with industry.”