01:51 PM
Connect Directly

SANS Tells Congress: Feds' Checkbook Is Cyberdefense 'Weapon'

Security experts in Senate hearing today debate whether the White House or Department of Homeland Security should head up U.S. cybersecurity strategy and operations

Whether the White House or the Department of Homeland Security should have the lead role in coordinating U.S. cybersecurity operations was the hot-button question during a Senate hearing today, but securing the nation's infrastructure must start by harnessing the federal government's massive IT buying power, according to the testimony.

Alan Paller, director of research for SANS, told the Senate Committee on Homeland Security and Governmental Affairs that Congress can mitigate the cyberthreat by refocusing the government's cybersecurity from "report-writing" to real-time, automated defenses by strategically deploying the feds' $70 billion annual IT budget.

"The idea of [cybersecurity] leadership isn't if it's the White House or DHS. It's whether you use the $70 billion you spend per year to make the nation safer," Paller told members of the Senate Committee on Homeland Security and Governmental Affairs.

Paller was among three witnesses who testified that a White House official, not DHS, should oversee and coordinate the nation's cybersecurity policy and deployment. James Lewis, director and senior fellow for technology and public policy at the Center for Strategic and International Studies, and Tom Kellermann, vice president of security awareness for Core Security Technologies, concurred. A fourth witness on the panel, Stewart Baker, former assistant secretary at DHS, and now partner at law firm Steptoe & Johnson LLP, was the only one who disagreed.

The feds need to flex their buying muscle to pressure security and software vendors to provide more secure products and versions of products, Paller said. Buying more secure systems "trickles down" because software vendors will then offer more secure products, plus it saves money in the end, he said.

Paller gave the example of the Air Force urging Microsoft to build a more secure version of Windows for its use after the National Security Agency's red team discovered major vulnerabilities in the Air Force's systems. The Air Force saved more than $100 million in procurement costs by deploying a more secure configuration of the Microsoft operating system, he said.

"Microsoft now sells a more secure version to utilities and the defense industry," Paller said. "Once hardware and software get built more securely, there's nothing stopping [vendors] to sell them to everyone."

Paller said Congress' biggest job is to ensure that agencies buy IT products with built-in security. "Technology buyers cannot cost-effectively secure the technology they purchase," he said. "Keep telling agencies to buy security baked-in. That's your great weapon."

Meanwhile, former DHS executive Baker told the committee that creating a new National Office for Cyberspace, as recommended by the CSIS Commission on Cybersecurity for the 44th Presidency, would face the same challenges and problems the DHS experienced in its cybersecurity efforts from the get-go. The Cybersecurity Act of 2009, which was recently introduced in the Senate, also would create a new executive-level office for cybersecurity management.

"DHS's execution of its responsibilities has certainly not been perfect, but it has spent much of the last year improving on its record. It has able new leadership and a head start on creating the capabilities it needs. I would be inclined to build on that foundation rather than starting over," he said.

Core's Kellermann, meanwhile, who served on the CSIS Commission on Cybersecurity for the 44th Presidency, told the committee that a common problem across the federal government is that CIOs lead IT spending decisions, rather than CISOs. "A CIO is focused on productivity and access, whereas the CISO's [perspective] is different," he said.

Kellermann also pointed out that the goal of major cyberattackers is not to disrupt service, but to remain under the radar. "The enemy wants to remain persistent and clandestine, infiltrating your systems. He wants to remain on a mission and to control the integrity of your data and to manipulate you," he said.

And a missing link for DHS thus far, SANS' Paller said, is a "red button," or the ability to pull the plug on agencies that don't implement federal IT security regulations. "If the US-CERT says the Department of Commerce is doing a poor job [in security], and Commerce [refuses to do anything], DHS can't do anything about it," Paller said. "You want them to have the ability to pull the plug on agencies' computers. This is something Congress has not yet wanted to do."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.