Heartbleed tested agency readiness
A Democratic senator says "clear legal authority and processes to facilitate a seamless response" are still needed to effectively combat cyber threats, and the White House acknowledges "we still have more work to do."
Agencies that were most active in achieving government-wide cybersecurity goals had an easier time mitigating the threat posed by the Heartbleed vulnerability, said Ari Schwartz, director for privacy, civil liberties and cybersecurity policy at the White House.
Systems that had implemented basic hygiene in keeping with the Cross-Agency Priority Goal faced less risk from the Heartbleed vulnerability in the open source security software OpenSSL than those that were lagging behind, Schwartz said at a May 28 cybersecurity event held by AFCEA's Washington, D.C., chapter.
The government response to Heartbleed was instructive, Schwartz said. "We did a lot of things right. We have a lot of things to learn. That's going to be a theme for the administration going forward -- how we deal with incident response," he said.
Part of the problem with response is the lack of authority on the part of the Department of Homeland Security to scan agency systems for evidence of vulnerabilities, according to recent Congressional testimony from DHS officials.
In a May 27 letter to top administration cybersecurity policy advisor Michael Daniel, Sen. Kirsten Gillibrand (D-N.Y.) argued the need for a more unified response to cyber threats.
"A significant aspect of any federal strategy should ... include policies that ensure that different agencies within the government are not hindered in their ability [to] share information and respond appropriately when there is a known and ongoing threat to the federal cyber infrastructure," she wrote. Gillibrand wants the administration to create "clear legal authority and processes to facilitate a seamless response to cybersecurity threats to federal agencies."
Schwartz said the government needs to lead by example on cyber by protecting federal networks. He cited the nascent DHS continuous diagnostics and mitigation program and ongoing efforts to improve identity management for users of agency systems as examples. But federal systems are still subject to threats, with phishing techniques that plant malware on computers being the leading avenue of attack.
"There has been a lot of growth and effort in this space, but clearly we still have more work to do," he said.