DHS under more scrutiny after attacks

Agencies told to hold contractors accountable for cybersecurity when they write contracts

The Homeland Security Department’s networks are vulnerable to cyberattacks, and several lawmakers said last week that sends a poor message and highlights the challenges agencies face in securing networks that contractors manage.

Reps. Bennie Thompson (D-Miss.) and Jim Langevin (D-R.I.) are pressing an investigation into why DHS and its network contractor, Unisys, didn’t prevent recent cyberattacks originating from Chinese-language Web sites, and into allegations that DHS officials weren’t notified about the incidents.

According to DHS incident reports provided to the Homeland Security Committee, intruders placed a hacking tool, a password dumping utility and other malicious code on more than a dozen computers at headquarters. The committee learned that hackers compromised dozens of DHS computers, and the department did not notice those incidents until months after the initial attacks.

Langevin, chairman of the committee’s Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, said DHS isn’t serious enough about cybersecurity. “It sends a bad signal when the agency that is charged with protecting government networks is…not doing the basics,” he said.

The committee has asked DHS’ inspector general to investigate the recent cyberattacks and the responses by Unisys, which managed the networks’ security.

Security experts say DHS’ vulnerabilities are not unique. Hackers ping nearly every agency in search of vulnerabilities. Commerce, Defense, State and other departments have testified this year about recent intrusions, specifically by suspected nation-state attackers. As those attempts rise, security experts say, DHS and other agencies must ensure their networks, which contractors often manage, are secure.

Although defending against all attacks is difficult, agencies should manage and reduce risk, Langevin said. That means taking basic precautions, such as ensuring that firewalls are in place and conducting penetration testing to determine whether equipment is working.

Experts say cybersecurity is not an exact science.

“Your security solution today may not be effective tomorrow,” said Amit Yoran, chief executive officer of NetWitness and former director of DHS’ National Cyber Security Division.

“It’s more difficult to define what success would look like,” Yoran said. “Adversaries are continually developing new techniques and new exploits to compromise systems and bypass security. Agencies sustain numerous network intrusions or attempts — even thousands — every day.”

Langevin and Thompson said they would seek a review of the department officials who oversee management of the Unisys contract, according to a Sept. 21 letter they sent to Richard Skinner, DHS’ IG. The FBI is investigating to determine if any criminal violations occurred during the attacks, Langevin said.

The two lawmakers said Unisys provided inaccurate and misleading information to DHS about the source of the attacks and attempted to hide gaps in its security capabilities. In the letter to Skinner, the lawmakers also said DHS officials did not act on the information about the attacks. Unisys built and maintains the networks for DHS’ headquarters and the Transportation Security Administration.

Unisys said it performed its contract according to protocol. Unisys spokeswoman Lisa Meyer said she could not speak about specific incidents because of federal security regulations.

“We can state generally that the allegation that Unisys did not properly install essential security systems is incorrect,” Meyer said. “We always elevate incidents in accordance with the proper protocols. We believe that a proper investigation of this matter will conclude that Unisys acted in good faith to meet the customer’s security requirements.”

DHS said it takes the committee’s allegations seriously and has cooperated fully. “We will continue to work with the department’s inspector general and the committee as necessary concerning these allegations,” a DHS spokesman said.

Langevin said he had not received confirmation that Skinner will pursue the investigation, but he said he expects Skinner will. The lawmaker promised more hearings and possible legislation, adding that he thinks the cyberattacks reflect a management problem at DHS. Langevin said he did not have a specific date yet for the committee’s next hearing on the subject.

Langevin said he will focus oversight on DHS’ progress in securing networks, the expertise of staff members responsible for cybersecurity and the amount of money the department spends on security and research and development efforts.

During the recent cyberattacks, hackers extracted information from DHS’ systems and transferred the information to a Web hosting service that connects to Chinese Web sites. Although network intrusion-detection systems were part of the department’s Information Technology Managed Services contract, the systems were not fully functional when the initial incidents occurred, the lawmakers said in their letter.

“The contractor was to install intrusion-detection devices, and, from what I understand, they were not installed and sat in boxes,” Langevin said.

The committee received a wealth of information from the investigation during the past several months, Langevin added. “The FBI investigation and IG investigation, if it’s taken up, will tell us” if Unisys did what DHS contracted for, he said.

The number of cyberattacks on public and private-sector networks has increased to such an extent that the National Security Agency plans to work with DHS and other agencies in a highly classified effort to monitor networks related to the country’s critical infrastructure, according to a Sept. 20 article in the Baltimore Sun.

With the rise of intrusion attempts against federal networks, agencies have an enormous amount of information to sift through to determine the nature of those attacks and the urgency required in responding, said Patrick Howard, the Housing and Urban Development Department’s chief information security officer. “You have to have some filters in place to know what is important and what is not.”

To determine the seriousness of intrusions, agency security employees must know the business or mission goals to assess the short- and long-term impact of security incidents, Howard said. It is clear, however, when to report incidents involving personally identifiable information: “Report everything that moves.”

If agencies conduct risk assessments and determine system categorizations, “you’ll know which systems are important,” Howard said. Agencies need to work with system owners and program managers to make sure they understand risk and system categorization, he added.

Agencies can ensure that vendors deliver appropriate cybersecurity by specifying those provisions in their contracts, such as requiring security standards from the National Institute of Standards and Technology. NIST guidance provides flexibility for agencies to insert agency-specific standards, such as password length. But agencies still have to implement it correctly, Howard said.

“You have to go to that level to identify that for the potential contractor,” he said. “If you want them to protect a particular system, then you should know what the risks are that they have to protect against.”

Leaving it to agencies to fill in specific details of NIST standards lets busy IT security employees ignore it, said Alan Paller, research director at the SANS Institute. NIST standards are not detailed enough.

“Instead of being general so that users are uncertain what’s being required, we have to be specific so they actually do the things that are necessary,” Paller said.

An effective security control would be to have an intrusion-detection and log management system in place with extensive triggers that are verified to be looking at current attacks by an outside security auditor, Paller said.

“If we’re ever going to get ahead of this problem,” he said, “it’s at this spot at the contracting for security controls up front, buying security baked in.”

6 ways to get IT security right

Patrick Howard, the Housing and Urban Development Department’s chief information security officer, offered some best practices for addressing network security in information technology contracts.
He recommended that agencies:

  1. Use performance-based contracting.
  2. Build metrics for the Federal Information Security Management Act into service-level agreements.
  3. Provide a single point of contact.
  4. Communicate often and at many organizational levels.
  5. Get requirements right.
  6. Use standard terminology and processes from National Institute of Standards and Technology documents, especially Special Publication 800-53 and Federal Information Processing Standard 199.

— Mary Mosquera
