Soon, DHS Will Have Eyes on Computer Vulnerabilities Across the Government

The Homeland Security Department will begin standing up a dashboard in October that shows cyber officials what software is running across most of the civilian federal government and points out dangerous vulnerabilities, a top department official said Friday.

The dashboard will allow defenders at Homeland Security’s cyber operations center to pinpoint which departments and agencies are running vulnerable versions of software when they learn about a new digital virus or vulnerability, Jeanette Manfra, assistant secretary for Homeland Security’s Cybersecurity and Communications Office, said.

That’s a far cry from when the Heartbleed vulnerability struck in 2014 and Homeland Security officials were “searching for CIO phone numbers” to urge each agency to patch against the vulnerability, Manfra said during an address at the Center for Strategic and International Studies think tank.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

“Now, I can have advanced awareness of a vulnerability … I can go into our dashboard and know instantly who’s running that version of that system and focus the agencies on protecting that asset,” Manfra said.  

The dashboard is part of Homeland Security’s Continuous Diagnostics and Mitigation program, which supplies cyber protection services to federal agencies. Agencies participating in the continuous diagnostics program have stood up their own agency-level software dashboards over about the past year.

The federal dashboard will collect information from those agency dashboards, Manfra said.

The dashboard is part of a broader effort by Manfra’s agency to shift from a bureaucratic and compliance-focused model of cybersecurity to an operational vision in which cyber threats are detected and mitigated at rapid speed, she said.

Other elements include placing sensors across federal networks to alert the agency about threats and vulnerabilities and beefing up information sharing about cyber threats with industry, she said.

Rep. Will Hurd, R-Texas, also spoke during Friday’s CSIS event. Here are some highlights.

• Hurd’s Modernizing Government Technology Act, which would boost funding to replace vulnerable computer systems is “almost across the finish line,” but he’s “not going to spike the football yet,” he said. The bill was included in the Senate version of a must-pass defense policy bill that cleared the upper chamber earlier this month.
• Hurd plans to focus on his plan for a cyber National Guard after the MGT bill passes.
• Hurd lamented that so many agencies are working with acting chief information officers rather than Senate-confirmed CIOs more than nine months into the Trump administration. He warned, however, that those acting CIOs shouldn’t drag their heels on cyber fixes and implementing Homeland Security initiatives. If they do lag, Hurd said, he’ll call them up to testify before the House Oversight committee.
• Hurd also had some tough words for his colleagues who still haven’t caught up on the basics of cyber defense. “There are still colleagues of mine who believe the ‘dark web’ is direct messaging on Twitter,” he said.