Red tape delayed federal network fixes to Heartbleed vulnerability by several days

Friday - 5/9/2014, 3:47am EDT

Jared Serbu, DoD Reporter, Federal News Radio


An untold number of federal IT systems potentially were left vulnerable to one of the most serious cybersecurity flaws in history for several days longer than necessary, not because federal officials didn't know how to fix it, but because it wasn't clear that they had the legal authority to do so.

The Heartbleed vulnerability originated from a programming flaw in OpenSSL, a widely deployed open-source implementation of the SSL/TLS encryption protocols that protect Web traffic around the world. Security researchers estimated it could affect up to two-thirds of all Web servers, and agencies weren't immune. The software's makers issued a fix on April 7, the same day the vulnerability was made public. Cybersecurity professionals scrambled in the hours after to determine whether their systems were subject to the flaw and to patch them if necessary.

But inside the federal government, that process took several days longer than it needed to because the agency in charge of protecting civilian agency IT systems, the Department of Homeland Security, didn't have clear legal authority to scan other agencies' networks, even though it had the technical ability to do so.

"So as fast as we could, we went door-to-door and got a letter of authorization from each agency, working with each lawyer, to make sure that we could scan their systems. That cost us five to six precious days in some cases," Phyllis Schneck, DHS' deputy undersecretary for cybersecurity, told the Senate Appropriations Committee Wednesday. "The whole world knew about this vulnerability and all the information they could capture, while we were lawyering. If we had the clarification in law that this was our role, we would have gotten started a lot faster."

Congress must act

DHS' mandate to protect agencies from cyber threats comes from presidential memos and a patchwork of federal laws, including the 2002 Homeland Security Act, which tasks DHS with "response and mitigation" of cyber threats across federal, state and local agencies and private sector critical infrastructure providers.

"The problem, and I know this from working in the private sector, is that when the lawyers get involved — and to their credit, they're protecting the company — they don't really know if we're supposed to be scanning," she said. "This is what happened with the cabinet-level agencies; we had to scan for Heartbleed."

Schneck said DHS wants Congress to give it explicit statutory authorization to scan those networks as part of a series of legal changes in proposed cybersecurity legislation, which would also include liability protections for companies that share cyber threat information with the federal government.

"It makes it very clear what our authorities are, to help with the information-sharing across the private sector, and narrowly-targeted liability protection," she said. "I came from industry eight months ago and that's very helpful to a company because it speaks to the general counsel and says, 'This is OK to share with government and protect others, and the company won't get hurt.'"

Schneck said even though DHS' response to the specific Heartbleed issue was slower than it should have been, agencies are much safer from hackers seeking to exploit that vulnerability and others like it than they would have been a few years ago. DHS says agencies' move toward a regime of continuous diagnostics and mitigation means they are much more likely to have noticed a bad actor who tried to make use of the security flaw. She also cited heightened perimeter defenses around government networks under the Einstein 3-Advanced (E3A) program as a reason for increased confidence in network security.

"The system constantly measures how healed up it is and how secure it is, so you're always aware of behavior that's different," she said. "And as we grow that system, it will become more and more like your body's immune system: You don't need to have a conference call to fight a cold. You always know something coming in and you'll be able to see different bad behaviors across all of the U.S. government. Across the government, we are very much operational. We very much have turned a corner. If I could have one wish, it would have been able to act faster in Heartbleed so that we wouldn't have had to get letters of authorization for every unique organization that we scanned."

Information sharing showing its value

In the absence of legislation that would authorize more information sharing, DHS has moved forward with the Enhanced Cybersecurity Services program, in which a limited number of Internet service providers and other private companies are able to see some of the government's sensitive and classified cyber threat signatures. That information is valuable, officials say, because agencies often have access to information about potential threats long before they emerge in the private sector.