DHS CISO eyes shift from perimeter defense to data protection

Federal agencies are investing heavily in perimeter network defense, but in five years the Department of Homeland Security's chief information security officer said he hopes to see a lot more spending on defense of data within networks.

"As you look at defense in depth, a lot more resources go toward perimeter defense than do actually controlling the data," DHS CISO Jeff Eisensmith told FCW after his Oct. 20 appearance at a conference hosted by ISACA.

Data can be prioritized by its value to an organization, Eisensmith said. "And that's a level of granularity that right now is kind of cost prohibitive and not overly mature," he added, while not discounting the importance of perimeter defense. "It is happening, but not on the scale that I'd like it to be."

Einstein and Continuous Diagnostics and Mitigation are two vast DHS programs that together cover various aspects of network defense. Einstein focuses on perimeter defense, while CDM is a broad threat-detection program designed to give network operators a clearer view of vulnerabilities.

Chris Cummiskey, former acting undersecretary for management at DHS, has told FCW that CDM stands a better chance than Einstein of mitigating sophisticated breaches because CDM "seems to give us the additional ability to see these bad actors on the networks, once they're already through the perimeter."

Both programs draw on big coffers. CDM's acquisition vehicle has a $6 billion ceiling, and DHS has requested $479.8 million for "network security deployment" in fiscal 2016, including the latest iteration of Einstein, known as Einstein 3A.

DHS Secretary Jeh Johnson told the House Homeland Security Committee on Oct. 21 that he has directed DHS to make at least some of Einstein 3A's features available to all federal civilian agencies by year's end, and agencies are on track to adopt the system. The program has blocked more than 650,000 requests to access potentially malicious websites, Johnson said in his prepared testimony. Nonetheless, he also stated that "our federal .gov cybersecurity, in particular, is not where it needs to be."

Eisensmith advised putting money toward the weakest link in an organization's cybersecurity.

"If you're going to make an investment, you look and you say, 'Where [am I] not really at a maturity level that I want to be?' That's where the next dollar goes," he said. "The only caveat to that would be if a new threat pops up tomorrow that changes the maturity level. Then you have to react."