Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:51 PM
Connect Directly

SANS Tells Congress: Feds' Checkbook Is Cyberdefense 'Weapon'

Security experts in Senate hearing today debate whether the White House or Department of Homeland Security should head up U.S. cybersecurity strategy and operations

Whether the White House or the Department of Homeland Security should have the lead role in coordinating U.S. cybersecurity operations was the hot-button question during a Senate hearing today, but securing the nation's infrastructure must start by harnessing the federal government's massive IT buying power, according to the testimony.

Alan Paller, director of research for SANS, told the Senate Committee on Homeland Security and Governmental Affairs that Congress can mitigate the cyberthreat by refocusing the government's cybersecurity from "report-writing" to real-time, automated defenses by strategically deploying the feds' $70 billion annual IT budget.

"The idea of [cybersecurity] leadership isn't if it's the White House or DHS. It's whether you use the $70 billion you spend per year to make the nation safer," Paller told members of the Senate Committee on Homeland Security and Governmental Affairs.

Paller was among three witnesses who testified that a White House official, not DHS, should oversee and coordinate the nation's cybersecurity policy and deployment. James Lewis, director and senior fellow for technology and public policy at the Center for Strategic and International Studies, and Tom Kellermann, vice president of security awareness for Core Security Technologies, concurred. A fourth witness on the panel, Stewart Baker, former assistant secretary at DHS, and now partner at law firm Steptoe & Johnson LLP, was the only one who disagreed.

The feds need to flex their buying muscle to pressure security and software vendors to provide more secure products and versions of products, Paller said. Buying more secure systems "trickles down" because software vendors will then offer more secure products, plus it saves money in the end, he said.

Paller gave the example of the Air Force urging Microsoft to build a more secure version of Windows for its use after the National Security Agency's red team discovered major vulnerabilities in the Air Force's systems. The Air Force saved more than $100 million in procurement costs by deploying a more secure configuration of the Microsoft operating system, he said.

"Microsoft now sells a more secure version to utilities and the defense industry," Paller said. "Once hardware and software get built more securely, there's nothing stopping [vendors] to sell them to everyone."

Paller said Congress' biggest job is to ensure that agencies buy IT products with built-in security. "Technology buyers cannot cost-effectively secure the technology they purchase," he said. "Keep telling agencies to buy security baked-in. That's your great weapon."

Meanwhile, former DHS executive Baker told the committee that creating a new National Office for Cyberspace, as recommended by the CSIS Commission on Cybersecurity for the 44th Presidency, would face the same challenges and problems the DHS experienced in its cybersecurity efforts from the get-go. The Cybersecurity Act of 2009, which was recently introduced in the Senate, also would create a new executive-level office for cybersecurity management.

"DHS's execution of its responsibilities has certainly not been perfect, but it has spent much of the last year improving on its record. It has able new leadership and a head start on creating the capabilities it needs. I would be inclined to build on that foundation rather than starting over," he said.

Core's Kellermann, meanwhile, who served on the CSIS Commission on Cybersecurity for the 44th Presidency, told the committee that a common problem across the federal government is that CIOs lead IT spending decisions, rather than CISOs. "A CIO is focused on productivity and access, whereas the CISO's [perspective] is different," he said.

Kellermann also pointed out that the goal of major cyberattackers is not to disrupt service, but to remain under the radar. "The enemy wants to remain persistent and clandestine, infiltrating your systems. He wants to remain on a mission and to control the integrity of your data and to manipulate you," he said.

And a missing link for DHS thus far, SANS' Paller said, is a "red button," or the ability to pull the plug on agencies that don't implement federal IT security regulations. "If the US-CERT says the Department of Commerce is doing a poor job [in security], and Commerce [refuses to do anything], DHS can't do anything about it," Paller said. "You want them to have the ability to pull the plug on agencies' computers. This is something Congress has not yet wanted to do."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-16
Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability. An authenticated attacker could exploit this to to plant custom binaries and execute them with System permissions. Exploitation of this issue requires user interaction.
PUBLISHED: 2021-04-16
Adobe Genuine Service version 6.6 (and earlier) is affected by an Improper Access control vulnerability when handling symbolic links. An unauthenticated attacker could exploit this to elevate privileges in the context of the current user.
PUBLISHED: 2021-04-16
Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path element vulnerability. An authenticated attacker could exploit this to rewrite the file of the administrator, which may lead to elevated permissions. Exploitation of this issue requires user interaction.
PUBLISHED: 2021-04-16
SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module.
PUBLISHED: 2021-04-16
jose is an npm library providing a number of cryptographic operations. In vulnerable versions AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be throw...