The DHS Wants To Pitch In With The Cyberwar But Can't Even Be Bothered To Secure Its Own Backyard
from the safe-as-homelands dept
The US government has basically declared war over the Sony hacking, offering full-throated support for the beleaguered, embarrassed company. Why this one -- rather than the countless hacks of corporate networks (including those where credit card data and personal information were compromised) -- remains a mystery.
The end result has been a call for more government intrusion and a reanimation of CISPA's lumbering corpse. "Share with us," says the government. "Gird yourself for the cyber Pearl Harbor," say its supporters. "Let us handle it," say those whose desire for expanded government power exceeds their crippling myopia.
Yeah, let's do that. Let's allow the government to set the rules on cybersecurity. Let's give agencies like the DHS -- which can't even be bothered to secure its own assets -- more leeway to investigate and react to cyberthreats. (h/t to NextGov)
DHS lacks a strategy that: (1) defines the problem, (2) identifies the roles and responsibilities, (3) analyzes the resources needed, and (4) identifies a methodology for assessing this cyber risk. A strategy is a starting point in addressing this risk. The absence of a strategy that clearly defines the roles and responsibilities of key components within DHS has contributed to a lack of action within the Department. For example, no one within DHS is assessing or addressing cyber risk to building and access control systems particularly at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) as of October 2014.
That's the Government Accountability Office's assessment of the DHS's qualifications as a potential cybersecurity agency. [pdf link] This is the agency tasked with securing federal assets and ensuring the safety of not only government employees, but Americans in general. And it can't do it. In fact, it can't even begin to do it.
Despite being specifically directed by 2002's Federal Information Security Management Act (FISMA) to periodically assess risks, report on them and DO SOMETHING ABOUT IT, the agency has managed to blunder into 2015 with no specific plan to tackle cyberthreats to the federal buildings under its protection.
And, while the President and those pushing the revived CISPA seem rather keen on "sharing info," it's a one-way street, apparently. The DHS can't even be bothered to share with other government agencies.
The Interagency Security Committee (ISC), which is housed within DHS and is responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyber threats to building and access control systems in its Design-Basis Threat report that identifies numerous undesirable events.
Whatever the DHS/ISC has managed to glean from situations like 2009's hacking of a Dallas hospital's HVAC system or 2006's hacking of Los Angeles traffic signals hasn't been passed on to other government agencies because the ISC believes "active shooters" and "workplace violence" are bigger threats. Maybe so, in terms of actual physical violence, but that's no excuse for ignoring something the government as a whole considers to be its next battlefield.
So, why is the DHS so bad at this? It would seem to be two things: the DHS is too big to move at the speed the threat mandates and it's always someone else's job. Because it has failed to take charge of the situation (despite a federal mandate and a 2013 presidential policy directive [p. 8-9]), no one seems to know what to do, how to do it or even who should do it.
[B]ecause DHS has not developed a strategy, several components within DHS have made different assertions about their roles and responsibilities. For example, FPS’s Deputy Director for Policy and Programs said that FPS’s authority includes cybersecurity. However, FPS is not assessing cyber risk because, according to this official, it does not have the expertise. Furthermore, although ICS-CERT has developed a tool to assess cyber risk, it also is not assessing cyber risk to building and access control systems at federal facilities. Moreover, NPPD’s Federal Network Resilience is to, among other things, identify common cybersecurity requirements across the federal government, but it also is not working on issues regarding the cyber risk of building and access control systems in the federal government.
Somehow, despite being well-financed and incredibly large, the DHS can't find the time to properly assess the facilities it's supposed to be "securing."
An official from the Office of the Under Secretary of NPPD acknowledged that NPPD has not yet determined roles and responsibilities, including what entity should conduct cyber risk assessments of FPS-protected facilities or what assessment tool should be used. This official said that the Department has not developed a strategy, in part, because cyber threats involving building and access control systems are an emerging issue.
Moreover, GSA [General Services Administration -- reports to the DHS] has not conducted security control assessments for all of its systems that are in about 1,500 FPS-protected facilities. In November 2014, GSA information technology officials said that from 2009 to 2014, the agency conducted 110 security assessments of the building control systems that are in about 500 of its 1,500 facilities. GSA has not yet assessed the security of control systems with network or Internet connections in about 200 buildings. GSA officials stated that they plan to assess these systems during fiscal year 2015.
The GSA isn't just being outpaced by hackers. It's being outpaced by the government's own slow stagger into the connected future. 800 systems are expected to switch from "standalone" to networked in the near future. The GSA plans to re-assess these systems' security after the changeover, but it's still working its way through the last half-decade's backlog. With its parent agency unable to provide guidance and its other agencies unwilling to share information, the GSA becomes the third prong in this triumvirate of failure.
And what it does actually get around to assessing isn't much help, either. Being crossed off the GSA's to-do list means being no more safe than you were before the agency finally strolled through the door.
Further, our review of 20 of 110 of GSA’s security assessment reports (between 2010 and 2014) show that they were not comprehensive and not fully consistent with NIST guidelines. For example, in 5 of the 20 reports we reviewed, GSA assessed the building control device to determine if a user’s identity and password were required for login but did not assess the device to determine if password complexity rules were enforced. This could potentially lead to weak or insecure passwords being used to secure building control devices.
This is the government that wants the nation's companies to "partner up" against cyberthreats and cyberterrorism: the same government that can't even ensure its own infrastructure is protected. And no one cares because compromising control systems doesn't make for very sexy copy or hawkish soundbites about being "tough on cybercrime."
GSA also conducted its assessments of building control systems in a laboratory setting which allowed it to test components and to identify weaknesses in their default configuration. However, GSA does not conduct further assessments after installation when configuration settings may no longer reflect their default values. As a result, GSA has limited assurance that the configurations assessed reflect the configurations implemented in the facility, thereby increasing the risk that vulnerabilities in building control systems may not be detected.
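The two gaps GAO describes (a login check that never asks whether complexity rules are enforced, and a lab assessment of default settings that is never repeated once the device is installed) can be turned into a small assessment checklist. This is an added example, not code from the post, GSA or the GAO report; the configuration keys, sample values and thresholds are assumptions constructed for illustration.

```python
"""Assess a building control device's authentication settings, then compare the
deployed configuration against the lab baseline to catch post-installation drift.
All configuration dicts are constructed sample data; key names and the numeric
thresholds are assumptions, not values taken from any vendor or from NIST."""

# Constructed: the settings as assessed in the lab (tuned vendor defaults).
LAB_BASELINE = {
    "login_required": True,
    "password_min_length": 12,
    "password_require_mixed_case": True,
    "password_require_digit": True,
    "password_require_symbol": True,
    "lockout_after_failed_logins": 5,   # 0 = lockout disabled
    "remote_admin_enabled": False,
}

# Constructed: the same device as found in the building after installation.
DEPLOYED = {
    "login_required": True,             # the only setting a login-only check sees
    "password_min_length": 6,           # relaxed by the installer
    "password_require_mixed_case": False,
    "password_require_digit": True,
    "password_require_symbol": False,
    "lockout_after_failed_logins": 0,   # disabled to stop nuisance lockouts
    "remote_admin_enabled": True,       # opened for vendor support
}

COMPLEXITY_FLAGS = ("password_require_mixed_case",
                    "password_require_digit",
                    "password_require_symbol")

def assess_authentication(cfg):
    """Return a list of findings. Checks both that a login is required AND that
    complexity rules are enforced, the step GAO says was skipped in 5 of 20 reports."""
    findings = []
    if not cfg.get("login_required"):
        return ["no login required"]    # nothing else matters if the device is open
    if cfg.get("password_min_length", 0) < 12:
        findings.append("password minimum length below 12")
    findings += [f"{flag} not enforced" for flag in COMPLEXITY_FLAGS if not cfg.get(flag)]
    if cfg.get("lockout_after_failed_logins", 0) <= 0:
        findings.append("no lockout after failed logins")
    return findings

def configuration_drift(baseline, deployed):
    """Return {key: (lab_value, deployed_value)} for every setting that differs
    from the lab baseline; this is the re-check GAO notes GSA does not perform."""
    keys = set(baseline) | set(deployed)
    return {k: (baseline.get(k), deployed.get(k))
            for k in keys if baseline.get(k) != deployed.get(k)}

if __name__ == "__main__":
    print("lab assessment:", assess_authentication(LAB_BASELINE) or "clean")
    print("deployed assessment:", assess_authentication(DEPLOYED))
    for key, (lab, live) in sorted(configuration_drift(LAB_BASELINE, DEPLOYED).items()):
        print(f"drift: {key}: lab={lab!r} deployed={live!r}")
```

The lab configuration passes cleanly, which is exactly the point: a lab-only assessment reports "clean" while the installed device fails four checks and has drifted on five settings.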
If you need a solid argument against the government's desire to play the part of (cyber)security guard to the nation's companies, look no further than the GAO's list of "Related GAO Products" (p. 34) that follows this report.
Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity. GAO-14-459. Washington, D.C.: June 5, 2014.
Information Security: Agencies Need to Improve Cyber Incident Response Practices. GAO-14-354. Washington, D.C.: April 30, 2014.
Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness. GAO-13-776. Washington, D.C.: September 26, 2013.
Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented. GAO-13-187. Washington, D.C.: February 14, 2013.
Cybersecurity: Threats Impacting the Nation. GAO-12-666T. April 24, 2012.
Cybersecurity: Continued Attention Needed to Protect Our Nation’s Critical Infrastructure. GAO-11-865T. Washington, D.C.: July 26, 2011.
Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks. GAO-08-526. Washington, D.C.: May 21, 2008.
Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain. GAO-07-1036. Washington, D.C.: September 10, 2007.
The government doesn't have the skills necessary to ply its wares in the cybersecurity business. If it can't lock down its own assets -- despite seemingly limitless funding and manpower -- it has nothing to offer the private sector but intrusiveness and harmful regulation.
Now, if you're a fan of bad news, you're going to love the worse news. The fight over who should head up the government's War on All Things Cyber doesn't put the DHS at the front of the list -- but it's not because the agency clearly can't handle the job. It's because agencies that are even more intrusive than the DHS want a piece of the action, namely the FBI and the NSA. If either of these two end up in that position, expect to find domestic surveillance rules relaxed. The latter agency defines cybersecurity as "peeking in at everyone," which is at odds with those on the receiving end (US companies) who believe being secure means removing backdoors or otherwise locking everyone out, not just the "bad guys." That isn't going to sit well with the FBI and NSA -- one of which believes no one should be able to "lock out" law enforcement and one that intercepts hardware and inserts backdoors when not deploying malware for the same purpose. So, the DHS may be the lesser of three evils, if only because its incompetence exceeds its reach.
Filed Under: cispa, cybersecurity, dhs
Reader Comments
And suddenly it all makes perfect sense
Suddenly, the administration's fervor over 'cyber-security' makes perfect sense, those two agencies have got to be pushing hard, spinning apocalyptic story after apocalyptic story about the doom that awaits the country if 'something' isn't done, in order to panic enough morons/congresscritters into giving them their fix of spying.
CISPA was bad enough originally, but with those two just waiting in the wings for the powers it would grant them, the bill needs to be killed off now more than ever.
Re: And suddenly it all makes perfect sense
Critical infrastructure isn't actually being secured using basic network protections.
Re:
Due to the fact that they are involved in both offense and defense, the defensive side often takes a back seat, as anything that they would do to better secure systems and software (assuming they would actually ever do something like that) also makes it more difficult for them to break open those systems when they're on the offensive. As a result, more often than not defense gets ignored in favor of offense, and everyone else suffers because of it.
They are hooking 800 building security systems to some kind of network and then going back later to determine if it is a security risk?
Nice plan. Did Sony come up with it for them?
Re:
Or put another way, rather than 800 potential security holes, that if breached would lead to individual systems being compromised, they'll have 800 potential security holes, that if breached will lead to the entire network being compromised.
Re: Re:
That's how it sounds to me as well. If that's the case, it's an example of total incompetence in security matters. Security bolted on after the fact is never as good as security that is part of the design in the first place.
sdrawkcab
Incompetents
It took three attempts to produce a simple WIC (Women, Infants and Children) program, and it succeeded only because it was allowed to bypass the security requirements of HIPAA.
The FBI has had multiple disastrous attempts at writing software. The last one was junked after spending a billion dollars on it.
A children's immunization database, while noble in intent, was repeatedly funded even though it was demonstrated to be impossible to make functional. It could only work in poor states where the overwhelming percentage of the immunizations were given under state, not private, control. Independent physicians simply would have nothing to do with it.
Security staff in at least one state were so incompetent that they were unaware that the mac address could be spoofed at the card level, and believed that a macid was absolute proof against an intruder.
Governmental agencies like the FBI cannot produce user-centric software, so how the hell do they expect to protect the nation, or even themselves, from crack attacks -- I guess they will just blame the technology emanating from North Korea.
Relativity
As recent U.S. Supreme Court decisions have made crystal clear, in the eyes of our political system, speech is hardly anything more than just constitutionally-protected money.
For example, I have to ignore a cert warning to come to Techdirt because, according to my computer at work, the security certificate is invalid (it's been an issue since Techdirt moved to complete https). No other computer has issues with TD's certs.
Heck, there's a system I use at work that requires me to create a new password every three months that must be between 9-15 characters with two uppercase, lowercase, numbers, and special characters, and can't be any of the previous 10 passwords (password crackers, point and laugh). However, if I forget my password, I only have to answer a security question (like mother's maiden name) and, rather than sending me an email to reset the password, it resets it directly and shows me a temporary password in plaintext. That's right, if someone figured out someone's mother's maiden name (which is so hard thanks to Facebook) and social security number (again, so difficult to find) they can change their password and have full access to the system.
I fully believe that if "cyberwar" were actually a real threat we'd already have lost so hard our toasters would have stopped working, at least at the government level. It's just another imaginary fear tactic to keep people's attention off the stuff they should really be concerned about.
Re:
All this noise about "cyberwar" (ugh, can we EVER stop using the cyber prefix?? Please??) reminds me of all the noise over Y2K back in the day: there is a real issue in there, but it is being enormously exaggerated and misrepresented in order to accomplish goals that are independent of the issue. With Y2K the goal was to make a crapload of money. With "cyberwar" the goal is to enable ubiquitous surveillance and to make it difficult to use the internet as a tool for political change. And to make a crapload of money.
It's a special kind of lying: take a kernel of truth and inflate it until it's effectively a lie.
can we EVER stop using the cyber prefix??
Just ask Gen. Petraeus.
Would that be during the attack by the Japanese, then?
So, why is the DHS so bad at this?
Perhaps because all the modern alphabet soup agencies are oxymorons of the meaningful words in their names. So the FBI doesn't properly investigate real crimes, only the fake ones that it makes up; the CIA has no one with any intelligence in its leadership; and the NSA and DHS both know sweet FA about security. Simples!
If it aint broke, don't fix it.
This is of course in error.
Proper steps were indeed taken.
Where there is no threat there is no need for a plan of action.
You see, the DHS has indeed done a full and complete assessment of the cyber threat to federal buildings and other assets of the federal government and has determined that there is no threat at all from the NSA, the CIA, or the FBI, and so has indeed taken exactly the proper steps under this total lack of threat.
Since the USG controls all known terrorist groups worldwide and monitors all human communications media 24/7, the threat of such an attack on any company or institution in the US, without the full knowledge and approval of the USG is considered to be impossible.
Thus there is no need at all for an actual plan of action, which is exactly what the DHS has done - nothing.