Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:51 PM
Connect Directly

SANS Tells Congress: Feds' Checkbook Is Cyberdefense 'Weapon'

Security experts in Senate hearing today debate whether the White House or Department of Homeland Security should head up U.S. cybersecurity strategy and operations

Whether the White House or the Department of Homeland Security should have the lead role in coordinating U.S. cybersecurity operations was the hot-button question during a Senate hearing today, but securing the nation's infrastructure must start by harnessing the federal government's massive IT buying power, according to the testimony.

Alan Paller, director of research for SANS, told the Senate Committee on Homeland Security and Governmental Affairs that Congress can mitigate the cyberthreat by refocusing the government's cybersecurity from "report-writing" to real-time, automated defenses by strategically deploying the feds' $70 billion annual IT budget.

"The idea of [cybersecurity] leadership isn't if it's the White House or DHS. It's whether you use the $70 billion you spend per year to make the nation safer," Paller told members of the Senate Committee on Homeland Security and Governmental Affairs.

Paller was among three witnesses who testified that a White House official, not DHS, should oversee and coordinate the nation's cybersecurity policy and deployment. James Lewis, director and senior fellow for technology and public policy at the Center for Strategic and International Studies, and Tom Kellermann, vice president of security awareness for Core Security Technologies, concurred. A fourth witness on the panel, Stewart Baker, former assistant secretary at DHS, and now partner at law firm Steptoe & Johnson LLP, was the only one who disagreed.

The feds need to flex their buying muscle to pressure security and software vendors to provide more secure products and versions of products, Paller said. Buying more secure systems "trickles down" because software vendors will then offer more secure products, plus it saves money in the end, he said.

Paller gave the example of the Air Force urging Microsoft to build a more secure version of Windows for its use after the National Security Agency's red team discovered major vulnerabilities in the Air Force's systems. The Air Force saved more than $100 million in procurement costs by deploying a more secure configuration of the Microsoft operating system, he said.

"Microsoft now sells a more secure version to utilities and the defense industry," Paller said. "Once hardware and software get built more securely, there's nothing stopping [vendors] to sell them to everyone."

Paller said Congress' biggest job is to ensure that agencies buy IT products with built-in security. "Technology buyers cannot cost-effectively secure the technology they purchase," he said. "Keep telling agencies to buy security baked-in. That's your great weapon."

Meanwhile, former DHS executive Baker told the committee that creating a new National Office for Cyberspace, as recommended by the CSIS Commission on Cybersecurity for the 44th Presidency, would face the same challenges and problems the DHS experienced in its cybersecurity efforts from the get-go. The Cybersecurity Act of 2009, which was recently introduced in the Senate, also would create a new executive-level office for cybersecurity management.

"DHS's execution of its responsibilities has certainly not been perfect, but it has spent much of the last year improving on its record. It has able new leadership and a head start on creating the capabilities it needs. I would be inclined to build on that foundation rather than starting over," he said.

Core's Kellermann, meanwhile, who served on the CSIS Commission on Cybersecurity for the 44th Presidency, told the committee that a common problem across the federal government is that CIOs lead IT spending decisions, rather than CISOs. "A CIO is focused on productivity and access, whereas the CISO's [perspective] is different," he said.

Kellermann also pointed out that the goal of major cyberattackers is not to disrupt service, but to remain under the radar. "The enemy wants to remain persistent and clandestine, infiltrating your systems. He wants to remain on a mission and to control the integrity of your data and to manipulate you," he said.

And a missing link for DHS thus far, SANS' Paller said, is a "red button," or the ability to pull the plug on agencies that don't implement federal IT security regulations. "If the US-CERT says the Department of Commerce is doing a poor job [in security], and Commerce [refuses to do anything], DHS can't do anything about it," Paller said. "You want them to have the ability to pull the plug on agencies' computers. This is something Congress has not yet wanted to do."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-17
Adobe Download Manager versions have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.
PUBLISHED: 2019-10-17
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
PUBLISHED: 2019-10-17
An issue was discovered in Bitdefender BOX firmware versions before that affects the general reliability of the product. Specially crafted packets sent to the miniupnpd implementation in result in the device allocating memory without freeing it later. This behavior can cause the miniupn...
PUBLISHED: 2019-10-17
CA Performance Management 3.5.x, 3.6.x before 3.6.9, and 3.7.x before 3.7.4 have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
PUBLISHED: 2019-10-17
The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability.