DHS’s Lessons Learned from Heartbleed
October 9, 2014
by Tomas O’Keefe, Senior Analyst
At a recent Washington Post event on cybersecurity recognizing National Cybersecurity Awareness Month, Deputy Secretary of Homeland Security, Alejandro Mayorkas, spoke of DHS’s “dire need” for cybersecurity legislation that better enables cyber threat information sharing and helps recruit top cybersecurity talent. While the sky isn’t falling in on Deputy Secretary Mayorkas and DHS, the failure of Congress to pass updated cybersecurity legislation has hindered the department’s ability to meet the rapidly shifting landscape of cyber threats.
DHS’s response to Heartbleed is a perfect example of this. We’re all familiar with Heartbleed, the OpenSSL security vulnerability revealed in April of this year, and with DHS’s role as the executive agent responsible for ensuring the security of all federal civilian networks. A critical issue surfaced when the Heartbleed vulnerability was revealed: while DHS had the technical ability to scan other civilian .gov networks to see if they were affected by the vulnerability, it lacked the legal authority to do so without first obtaining a permission slip from each of the other federal departments and agencies. This lengthy process meant it took DHS days to scan all US government networks for the vulnerability, at a time when a patch was already available and could have been applied quickly. In an October 3rd memo, OMB finally addressed this challenge, but broad security concerns still remain.
The Federal Information Security Management Act (FISMA) remains an adequate blueprint for enabling security across the .gov domain, but it really isn’t enough in an ever-evolving threat landscape. DHS is going to need new legislation to fully address the challenges of securing federal networks, and while approaches like the department’s Continuous Diagnostics and Mitigation (CDM) effort are a step in the right direction, there’s still more work to be done to improve cyber posture.
DHS officials are cognizant of the challenges they face and are certainly going to be receptive to cybersecurity vendors who can function within the already defined cyber information-sharing ecosystem. You’ll find one of your best methods to help the government is through the CDM contracts. We’ll be addressing CDM opportunities in the session “CDM: Don’t Miss Out on Opportunity Waiting for the Big Bang” at the new Government IT Sales Summit. Find out which agencies have received a Delegation of Procurement Authority (DPA), how it can be used, and the impact it can have on your cybersecurity sales efforts. Register by 10/15 and get $200 off.*
*Rate applies to manufacturers only.