Could a Name Change Clarify What DHS' Cyber Team Actually Protects?

The head of the National Protection and Programs Directorate has been urging Congress to change the office’s name to something that specifies what it does.

The new, preferred title, “Cyber and Infrastructure Protection Agency,” might provide employees with the clear sense of identity and mission that she told House lawmakers last October she wants.

But the rebranding also might telegraph that our digital lives and physical safety now are intertwined.

It's a message directorate Undersecretary Suzanne Spaulding has been trying to communicate since long before a Dec. 23, 2015, cyberattack against Ukraine knocked out power for 225,000 customers for as many as 6 hours. 

“I’ve been amazed on how little attention that’s gotten,” Spaulding said Wednesday afternoon at a New America Foundation cybersecurity summit.

She worried last April, during an event organized by Fordham Law School, that this would be the “year of the destructive attacks.”

Referencing a 2014 hack against a motion-picture firm the U.S. government has pinned on North Korea, Spaulding told the New York audience: "With the Sony incident, all of the attention was on the salacious emails and the theft of movies before they came out and far less attention was paid -- for reasons I'm not clear on -- on the destructive nature of that attack: that there was destructive malware deployed that destroyed computers and data irretrievably.”

Spaulding's directorate encompasses agencies that responded to the Sony and the Ukraine cyberphysical attacks.

On March 7, her subordinates DHS Assistant Secretary Andy Ozment and Deputy Assistant Secretary Greg Touhill announced the department plans to liaise with all critical infrastructure owners and operators about the Ukraine incident and offer preventative strategies. The electric sector already has been briefed, and DHS expects to hold sessions with the chemical, nuclear, transportation, natural gas, and water sectors.

After the Lights Go Out

Right after the cyber assault, the directorate's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, and U.S. Computer Emergency Readiness Team, along with staff from the departments of Justice and Energy, traveled to Ukraine to interview first responders. Russia was behind the blackout, Obama administration officials reportedly are saying quietly.

Some results of the fact-finding mission were shared publicly in a Feb. 25 ICS-CERT alert. After shuttering machinery, the hackers executed "KillDisk" malware that erases system files and corrupts the master boot record, essentially frying a system.

It is believed the hackers attempted to stall restoration activities by scheduling UPS disconnects, the bulletin says.

The hackers were able to execute these annihilistic commands by first stealing login credentials to the control systems.

Homeland Security said "BlackEnergy" malware, a type of spyware Russian hackers have previously used to target energy control systems, was found on the victims’ systems. But, according to DHS, It is not clear what role, if any, BlackEnergy played during the Ukraine cyber-strike.

Kyle Wilhoit, senior threat researcher at cybersecurity provider Trend Micro, said in a Feb. 11 online post that signs of the same BlackEnergy attack turned up at a mining company and a large railway operator in Ukraine.

Separately, a nonprofit consortium of cybersecurity industry experts organized by the Sans Institute criticized DHS and federal partners for waiting so long to illuminate the situation with a bulletin and then leaving out key details. The SANS Industrial Control Systems Team had crafted its own analysis but let the government provide insights first.

The ICS-CERT “is very shy in stating that BlackEnergy3 was involved in the incident,” yet “the use of BlackEnergy3 to harvest credentials in the impacted organizations was very clear from publicly available sources,” said Robert M. Lee, a SANS team member and founder of Dragos Security.

“When dealing with international incidents that set dangerous precedents, such as a clearly coordinated and intentional cyberattack against civilian infrastructure, there must be a more coordinated effort with messaging to a variety of audiences,” he added.

On Feb. 11, DHS Secretary Jeh Johnson said he wants to restructure the cyber directorate as an "operational" component, like the Transportation Security Administration, Secret Service and Customs and Border Protection.

Spaulding told Nextgov on Wednesday after she presented that DHS is "uniquely restricted" in its ability to reorganize, as compared to most federal agencies – in that Congress must pass a law to authorize office name and structural changes, but she is “optimistic” the lawmakers will come around.