DHS gives itself a 'C' for cybersecurity

OMB hints at new metrics for assessing agencies' vulnerability to computer attacks.

The top-ranking official with the Homeland Security Department's national protection division called the agency's efforts in cybersecurity satisfactory, assigning a grade of 'C' during congressional testimony Thursday. Members of Congress called the grade "not even close to good enough," emphasizing the need for better collaboration with agency technology leaders, real-time response to system attacks, and metrics that measure the ability to protect networks from specific threats rather than system compliance.

DHS officials didn't reveal many specifics regarding the much anticipated but highly classified initiative during a hearing before the House Homeland Security Committee. Robert Jamison, undersecretary for the National Protection and Programs Directorate at DHS, described plans to enhance federal cyber-situational awareness, intrusion detection, information sharing and response capabilities. The primary means of accomplishing these goals will be the Trusted Internet Connections (TIC) initiative, which aims to reduce the number of federal connections to networks outside the firewall, and Einstein, a system that monitors agency networks using an automated process for collecting, correlating, analyzing and sharing computer security information with the U.S. Computer Emergency Readiness Team, or US-CERT. So far, 15 agencies have deployed Einstein.

"The threat is real," Jamison said. "Our adversaries are adept at hiding attacks in normal everyday traffic that comes across the network. The only true way to protect networks is intrusion detection."

The total budget for the comprehensive initiative has not been confirmed, but reports estimate related funds to be in the billions. DHS requested $294 million in its fiscal year 2009 budget for cybersecurity, most of which will go to continued deployment of Einstein. While DHS will lead much of the initiative, individual agencies will be responsible for aspects of cybersecurity efforts, and the Office of Management and Budget will help enforce system compliance across the federal government.

When asked how he would grade DHS in its response to cybersecurity threats, Jamison gave the department "a solid 'C'," which members of Congress called unsatisfactory.

"I would say 'C' is an [accurate] score, but absolutely unacceptable, because they're supposed to lead by example," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md.

Among the problems that lawmakers noted is the tendency by agencies to leave in the dark those charged with protecting networks. Threat analysis conducted by DHS and other national security agencies is largely classified, and therefore not disclosed to chief information officers. Jamison said that efforts to improve situational awareness -- by consolidating the number of external Internet connections and improving intrusion detection -- will increase the amount of information available to agency CIOs.

Both Republicans and Democrats in Congress also stressed the need to move away from a reactive strategy. Einstein, for example, tracks IP addresses, the size of data packets and where information flows from network to network, but it is largely passive. Information needs to be routinely downloaded and analyzed to detect patterns, malicious addresses and any suspicious activities. Planned enhancements to Einstein will allow real-time response to threats, Jamison said, by finding harmful code and alerting system administrators when intruders attempt access.
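The passive, batch-style analysis described above (flow records carrying only addresses, packet counts and sizes, examined after the fact for known-bad addresses and suspicious patterns) can be illustrated with a small script. This is an added example, not Einstein's code or anything DHS or US-CERT published; the flow records, the block list (TEST-NET addresses standing in for real indicators), the internal address range and the byte threshold are all constructed assumptions for the example.

```python
"""Batch analysis of constructed flow records, in the style of the passive
monitoring the article attributes to Einstein: each record carries only a
timestamp, source and destination address, packet count and byte count, and
the analysis runs over a downloaded batch rather than in real time."""
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# timestamp,src_ip,dst_ip,packets,bytes
SAMPLE_FLOWS = """\
2008-02-28T09:00:00,10.1.1.5,192.0.2.10,12,1800
2008-02-28T09:01:00,10.1.1.5,203.0.113.7,4,600
2008-02-28T09:02:00,10.1.1.9,198.51.100.20,900,65000000
2008-02-28T09:03:00,10.1.1.9,10.1.2.3,50,7000
2008-02-28T09:04:00,10.1.1.5,203.0.113.7,4,600
"""

# Constructed block list: a TEST-NET address standing in for a real indicator.
KNOWN_BAD = {"203.0.113.7"}

# Assumed internal address space and exfiltration-volume threshold for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXFIL_BYTES_THRESHOLD = 50_000_000


def parse_flows(text):
    """Parse comma-separated flow records into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, pkts, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows


def is_external(addr):
    """True when the address lies outside every assumed internal network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def known_bad_contacts(flows, bad=KNOWN_BAD):
    """Return sorted (src, dst) pairs where either endpoint is on the block list."""
    return sorted({(f["src"], f["dst"]) for f in flows
                   if f["src"] in bad or f["dst"] in bad})


def large_outbound_transfers(flows, threshold=EXFIL_BYTES_THRESHOLD):
    """Sum bytes per internal->external pair and return pairs at or above the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if not is_external(f["src"]) and is_external(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted((pair, b) for pair, b in totals.items() if b >= threshold)


def analyze(text):
    """Run both checks over one downloaded batch of flow records."""
    flows = parse_flows(text)
    return {"known_bad": known_bad_contacts(flows),
            "large_outbound": large_outbound_transfers(flows)}


if __name__ == "__main__":
    for finding, items in analyze(SAMPLE_FLOWS).items():
        print(finding, items)
```

Because the records hold no payload, the script can only match addresses and volumes; the real-time enhancements the article mentions (finding harmful code, alerting administrators as access is attempted) would need inspection of traffic content as it passes, not a periodic pass over exported flow summaries.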

"I've been sitting here with my mouth open," said Rep. Jane Harman, D-Calif. "While all of you are well-meaning, the fact that you don't have threat information and are working on projects that will take years to complete is shocking. If we're serious about these threats, we're not being serious about response."

Karen Evans, OMB administrator of electronic government and information technology, hinted at new metrics for gauging the ability of agency networks to combat threats. Certification and accreditation of systems, currently the primary means of measuring agency compliance with cybersecurity efforts, allows agencies to inventory what they have in place, while future metrics will test for vulnerabilities.

"When we first started this process ... agencies didn't know what they didn't know," Evans said, loosely quoting a statement made by former Homeland Security CIO Scott Charbo during a June 2007 congressional hearing on the same topic. Charbo, who is now the DHS deputy undersecretary of the National Protection and Programs Directorate, also testified at Thursday's hearing.

"Certification and accreditation is a soup-to-nuts process," Evans said. "[Now] we have to move to the next level where we're actually achieving a result rather than doing a paper exercise."

New metrics need to measure how well agencies can withstand known attacks, Paller said.

"The biggest mistake of the last 10 years has been that people kept attacks secret; it caused the government to fall behind. Now that we know better, let's measure systems not on the hypothetical, but on what's real."