DHS' push for clearer cyber authorities moves to the House

Wednesday - 5/21/2014, 6:10am EDT

The Homeland Security Department is expected Wednesday to make its case once again to lawmakers for clearer cybersecurity authorities to protect federal networks.

Larry Zelvin, the director of the National Cybersecurity and Communications Integration Center in DHS's National Protection and Programs Directorate, is scheduled to testify before the House Homeland Security Subcommittees on Counterterrorism and Intelligence and on Cybersecurity, Infrastructure Protection, and Security Technologies. At the hearing, he is expected to say the implementation of advanced intrusion detection and prevention program known as Einstein is hampered by the need for more clarity about the exact role DHS is allowed to play under the current set of cybersecurity laws.

"EINSTEIN 3 Accelerated (E3A) currently provides Domain Name System and/or email protection services to a total of seven departments and agencies, and we are working with our service providers to bring coverage to the rest of the executive branch," Zelvin's written testimony stated, which was obtained by Federal News Radio. "However, this process has been significantly delayed by the lack of clear authorities for DHS. E3A gives DHS an active role in defending .gov network traffic and significantly reduces the threat vectors available to malicious actors seeking to harm federal networks."

Zelvin also is expected to reiterate DHS's challenges to protect federal networks against the Heartbleed vulnerability.

Delayed response to Heartbleed

Earlier this month, Phyllis Schneck, DHS' deputy undersecretary for cybersecurity, told Senate lawmakers that it took several days longer than it should have to fix the Heartbleed vulnerability.

Zelvin said when Heartbleed became known, the NCCIC created a number of detection signatures for the Einstein system that were shared with agencies and critical infrastructure providers.

"While there was rapid and coordinated federal government response to Heartbleed, the lack of clear and updated laws reflecting the roles and responsibilities of civilian network security caused unnecessary delays in the incident response," his testimony states. "DHS worked with civilian agencies to scan their .gov websites and networks for Heartbleed vulnerabilities, and provided technical assistance for issues of concern identified through this process. Once in place, DHS began notifying agencies that EINSTEIN signatures had detected possible activity, and immediately provided mitigation guidance and technical assistance."

DHS is using the Heartbleed vulnerability to make its case for the need for comprehensive cybersecurity legislation.

Zelvin's testimony said the Obama administration's proposal from May 2011 would give "DHS with clear statutory authority to carry out this operational mission, while reinforcing the fundamental responsibilities of individual agencies to secure their networks, and preserving the policy and budgetary coordination oversight of the Office of Management and Budget and the Executive Office of the President."

No agreement on legislation

House and Senate lawmakers haven't been able to come to an agreement on comprehensive cyber legislation, and other bills, such as those to update the Federal Information Security Management Act, have languished.

But commenters to Federal News Radio's article on May 9 first detailing DHS' delays in responding to Heartbleed said they saw no problems.

One commenter wrote, "The agency I work for did scan our own internal network and remediated everything available outside our firewall in less than five days. There was no 'red tape' that delayed this and no need to wait for information to be provided by DHS. We used the scanning capabilities that we are required to maintain to quickly locate all vulnerable systems. I suspect that most, if not all agencies have similar capabilities and were proceeding as quickly as they could and were not waiting for DHS."

Another commenter said, "The IT department at each agency could have scanned their internal network and applied the patches. Why should they have to wait on DHS? This is so messed up it is embarrassing."

Zelvin said a comprehensive cyber bill that addresses information sharing is essential.

"We continue to seek legislation that clarifies and strengthens DHS responsibilities and allows us to respond quickly to vulnerabilities like Heartbleed," he wrote. "We continue to seek legislation that incorporates privacy, civil liberties and confidentiality safeguards into all aspects of cybersecurity; strengthens our critical infrastructure's cybersecurity by further increasing information sharing and promoting the adoption of cybersecurity standards and guidelines; gives law enforcement additional tools to fight crime in the digital age; and creates a National Data Breach Reporting requirement."

Along with Zelvin, Joseph Demarest, the assistant director of the FBI's cyber division, is expected to testify about the agency's ongoing cybersecurity initiatives.

Demarest is expected to tell the subcommittees about several FBI cyber efforts, including a recently launched Guardian for Cyber application. The Guardian for Cyber application, which the Guardian Victim Analysis Unit (GVAU) is developing, will provide a comprehensive platform that tracks U.S. government coordination and efforts to notify victims or targets of malicious cyber activity.