The Department of Homeland Security is embarking on an “aggressive” timetable to secure civilian networks in response to the cyber attack on the Office of Personnel Management.
“As the OPM breach painfully demonstrated, our cybersecurity efforts are not where they need to be,” Homeland Security Secretary Jeh Johnson said Nov. 18.
Johnson did not provide any further details on the timetable during his speech at the Federal Times CyberCon event in Arlington, Virginia; however, he did outline a number of initiatives DHS is working on to increase government cybersecurity.
As Federal News Radio reported earlier this month, DHS’ automated, near-real-time information-sharing system is up and running as of Oct. 31.
“We recently made the first phase of our continuous diagnostics and mitigation program available to 97 percent of the civilian dot-gov,” Johnson said. “This program known as [Continuous Diagnostics and Mitigation] helps federal agencies identify and fix problems on their networks in near real-time.”
The Office of Management and Budget gave DHS a Sept. 30 deadline to implement phase 2 of the continuous diagnostics and mitigation (CDM) program to civilian agencies, according to a new cybersecurity strategy and implementation plan OMB released Oct. 30.
“Once fully implemented, CDM tools will monitor agency networks internally for vulnerabilities that could be exploited by bad actors that have breached the perimeter,” Johnson said.
DHS also has increased the implementation of the EINSTEIN intrusion detection and prevention system, otherwise known as E3A. It now protects 47 percent of the agencies, slightly more than the 45 percent the department said it covered in June.
Johnson’s announcement comes as Defense Information Systems Agency Director Lt. Gen. Alan Lynn said there is currently an ongoing “economic cyber Cold War.”
“Imagine a country that is working a long war fight that is not interested in a dramatic one-day cyber attack, but a 20-year plan to periodically do a cyber takedown of the Sony, Home Depot, Target, name your company,” Lynn said. “It costs pennies to conduct those attacks and millions of dollars to fix them.”
Lynn said that will erode confidence in U.S. retail, goods and services. Companies, however, are continually becoming more cyber reliant. Uber, for example, is a taxi company with no taxis, Lynn said.
“It’s cyber, Amazon surpassed Wal-Mart as the largest retailer this summer, it’s not brick-and-mortar, it’s cyber,” Lynn said.
Allegedly, China is one of the biggest hackers of the United States government and U.S.-based companies.
President Barack Obama signed an agreement with China in September to halt the theft of intellectual property via cyber.
Government officials have been skeptical of China’s ability to live up to the agreement.
Deputy Defense Secretary Bob Work, National Security Agency Director Adm. Mike Rogers and Director of National Intelligence James Clapper all said they were wary of China’s ability to stop stealing intellectual property during the Sept. 29 Senate Armed Services Committee hearing.
“Hope springs eternal,” Clapper said. “We will have to watch what their behavior is.”
In response to committee Chairman John McCain’s (R-Ariz.) question as to whether or not he was optimistic about the Chinese sticking to the agreement, Clapper said no.
“The extent to which Chinese are purloining our data is pretty pervasive,” Clapper said.
Johnson will be part of the ministerial-level dialogues on the agreement between the countries, the first of which are scheduled to take place in Washington on Dec. 1 and 2. Johnson will be joined by the attorney general for the talks.
The deputy DHS secretary also traveled to Beijing last week to prepare for the meetings.
“Time will tell whether the Chinese government’s commitments in writing are matched by action,” Johnson said. The meetings “will remain an important indicator … they represent a step forward in our efforts to address one of the sharpest areas of disagreement in the U.S.-China bilateral relationship.”