BreachExchange mailing list archives

DHS: Lack of cyber law caused 'unnecessary delays' in Heartbleed response


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 22 May 2014 19:53:51 -0600

http://www.federaltimes.com/article/20140521/CYBER/305210015/DHS-Lack-cyber-law-caused-unnecessary-delays-Heartbleed-response

The U.S. government was forced to act quickly to fix the Heartbleed
vulnerability that compromised hundreds of thousands of websites last
month, but Homeland Security Department officials say that Congress’
failure to pass cybersecurity legislation slowed their ability to respond
to the weakness.

DHS’ National Cybersecurity and Communications Integration Center was one
of the agencies that spearheaded the government’s response to the pervasive
bug, which created a vulnerability in the widely used OpenSSL encryption
software that protects two-thirds of Internet traffic. According to Larry
Zelvin, NCCIC director, the NCCIC led a coordinated, cross-government
response that could have reacted faster if Congress had provided better laws
and clearer authorities related to cybersecurity.

“While there was rapid and coordinated federal government response to
Heartbleed, the lack of clear and updated laws reflecting the roles and
responsibilities of civilian network security caused unnecessary delays in
the incident response,” Zelvin told a joint House Homeland Security
subcommittee meeting on May 21.

Zelvin also provided additional details on DHS’ response to Heartbleed,
which included releasing an alert and mitigation information on the US-CERT
website within 24 hours of learning of the vulnerability on April 7. DHS
worked with the departments of Justice and Defense to create several
compromise detection signatures for the EINSTEIN continuous monitoring
system used by many government agencies, and coordinated with civilian
agencies to scan their networks and with private-sector stakeholders to
provide technical assistance.

Zelvin also said DHS created two information-sharing products, one publicly
available on the US-CERT website and one shared through non-public, secured
channels, to provide incident response recommendations after a “major
retailer” security breach in December 2013.

Across the government, officials do not expect the cyber threat to decline
anytime soon. Joseph Demarest, assistant director of the FBI’s cyber
division, said during the hearing that he worries about terror groups
coordinating with criminal organizations that have cyber capabilities.

For now, most terror-group cyber crimes tend to be “focused against
websites hosted in the U.S. and tend to be low-level type attacks, website
defacement [and distributed denial of service] activities,” Demarest said,
adding that he knows of three principal groups that either have, are
developing or are looking for cyber weapons capable of physical harm. He
did not detail what groups those were, but “we do actively watch for terror
organizations crossing over to criminal groups” that have cyber crime
capabilities.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com