April 20, 2016 - Fourteen "non-federal entities" are participating in the new cyber threat information-sharing network established in March by the Department of Homeland Security, and 82 others are preparing to join, a top DHS cybersecurity official told a House subcommittee today. "We will grow the system incrementally," Andy Ozment, DHS's assistant secretary for cybersecurity and communications, told the House Oversight and Government Reform Committee's information technology subcommittee.
“We are not going to reach all of the American economy in just a few months. I’m very happy with our rate of growth,” Mr. Ozment testified. “It does require the participant to build some IT infrastructure on their end.”
DHS’s Automated Indicator Sharing (AIS) portal went live in mid-March, Mr. Ozment said. The portal was authorized by the Cybersecurity Information Sharing Act of 2015, which was enacted late last year. The AIS initiative is designed to enable the timely exchange of cyber threat indicators among the federal government, the private sector, and non-federal entities. “We have shared over 2,000 indicators with the private sector, and we have received additional indicators that the private sector did not allow us to share onward to other companies but that we did share internally within the federal government,” Mr. Ozment told the subcommittee.
The title of today's hearing, "Federal Cybersecurity Detection, Response, and Mitigation," led to a wide-ranging discussion of the effects of encryption on law enforcement investigations, the federal government's use of outdated systems, and agencies' response to a vulnerability in Juniper Networks, Inc., equipment that was disclosed late last year.
Out of 12 agencies affected by the Juniper vulnerability, three took longer than 50 days to fully patch their systems, Rep. Will Hurd (R., Texas), the subcommittee’s chairman, said. “This is absolutely unacceptable. The inability of federal agencies to maintain a comprehensive view and inventory of their information systems and respond to Congress in a timely manner cannot be the status quo,” he said.
The Treasury Department, which was among the agencies that took more than 50 days to patch the Juniper vulnerability, did not patch all of its Juniper deployments sooner because several of its systems were too old to accept the patch, according to Sanjeev Bhagowalia, the department’s chief information officer.
The patch was applied to 25% of Treasury's systems within a day, 84% within a week, and 93% within seven weeks, Mr. Bhagowalia said. "After a detailed analysis determined that two bureaus' configurations posed low risk for exploitation of the vulnerability – because infected devices were not connected to the Internet and thus were not directly affected by the vulnerability and each had multiple compensating controls in place – Treasury completed the remaining 7% of patching in just over eight weeks," he testified. "A challenge faced by large agencies in complying with government-wide mandates to address particular vulnerabilities is the need to balance operational and security risks," he told the subcommittee. "Could we have done it a little bit faster? Yes."
Rep. Hurd noted that Treasury was using software from Juniper and other vendors that was so old that it was no longer supported by the manufacturer. He asked Mr. Bhagowalia what percentage of the department’s software was unsupported and whether the Juniper vulnerability had resulted in Treasury’s networks being breached. “There is no information that we’re aware was taken, and we have looked at it very carefully,” Mr. Bhagowalia replied. Regarding the percentage of unsupported software, he said, “It’s a very small percentage. I’ll have to get back to you on that.” – Tom Leithauser, tom.leithauser@wolterskluwer.com
Courtesy TRDaily