Government works toward a more proactive cybersecurity approach

Detection of intruders is an incremental step in prevention of cyberattacks, Homeland Security official says.

Initiatives to detect and respond to cyberattacks are a preliminary step in protecting federal computer networks against hackers and will be followed by efforts to preempt attacks, the Homeland Security Department's cybersecurity chief said on Thursday.

The remarks by Gregory Schaffer, appointed assistant secretary of DHS' Office of Cybersecurity and Communications in June, came in response to criticisms that intrusion detection systems such as Einstein 2, deployed early this year, are too reactive.

"Einstein 2 really serves to alert the federal government to risks impacting our networks," said Schaffer, during the Homeland Security Symposium and Exposition, hosted by the National Defense Industrial Association. "I'd much prefer we know what's happening in one network within the federal government, secure that and then leverage [the solution] across agencies to prevent it from spreading. And I'd much rather know what was happening in real time, rather than learning at some later point after operations are impacted. Is that as far as we need to go? Absolutely not -- but we need this in incremental steps."

Schaffer noted that Einstein 3, which Homeland Security's U.S. Computer Emergency Readiness Team is developing and testing, will "give prevention capabilities that block [attacks] in their tracks before they penetrate the network." The department in July released a classified request for information seeking technologies that can identify possible threats, he said.

President Obama's fiscal 2010 budget proposal called for $355 million in Homeland Security spending "to make private and public sector cyber infrastructure more resilient and secure," up from the $294 million approved for fiscal 2009. Much of the cybersecurity budget is expected to go toward Einstein development and deployment.

Homeland Security also is working with the White House and industry on a cyber incident response plan that will guide how organizations react in case of a widespread attack, and is preparing for the third large-scale cybersecurity drill, Cyber Storm III, in September 2010.

"I worry a little when we only talk about response, and don't drive home the fact that preparation should be a part of this discussion," said Bob Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks. Dix is among the industry representatives involved in developing the cyber response plan and the Cyber Storm exercises. "It isn't just what we do when something bad happens, but how we protect ourselves in advance," he added.

The federal government and industry's response to the Conficker worm was "OK," Dix said, but "we can no longer sustain an ad hoc approach." In March, that worm rapidly installed malicious software on computers running the Microsoft operating system.