Modern field guide to security and privacy

OPM breach a shadow over Homeland Security's appeals to security pros

The Deputy Homeland Security Secretary urged attendees of the Black Hat conference not to let the massive government breach foil plans for improving information sharing about cybersecurity threats between the private sector and the government. 

Deputy Homeland Security Secretary Alejandro Mayorkas promoted a plan for sharing cyberthreat information with the US government during this year's Black Hat security conference in Las Vegas.

The Department of Homeland Security’s No. 2 official came to the Black Hat conference in Las Vegas to urge a crowd of skeptical cybersecurity pros to share more information about the threats they uncover with the US government.

But the massive breaches at the Office of Personnel Management, which exposed sensitive personal details of as many as 21 million people stored in its databases, did not help his case.

"I’ve heard as recently as this morning – speaking with some of the attendees here – about the OPM breach and its impact on the confidence in sharing with the government," Deputy Homeland Security Secretary Alejandro Mayorkas said Thursday, in response to a question from Passcode.

Despite the breaches that exposed holes in the government’s own cybersecurity, Mr. Mayorkas said companies should still share information so DHS can better synthesize and disseminate that threat intelligence to help the private sector. “To not share the information – or at least, to not start in some way and give it a try – is surrendering the ability to exploit a capability that may, in fact, work in strengthening network security,” he said.

Information sharing has been a major Obama administration priority in the wake of cyberattacks on big companies such as Sony Pictures and Anthem. But Congress has not yet united to pass legislation that would, among other things, ensure companies have protection from liability for exposing customer and other potentially sensitive data to government agencies.

The Senate recently left for summer recess without passing the Cybersecurity Information Sharing Act (CISA), a controversial bill opposed by many civil liberties advocates who say it could instead dramatically expand domestic surveillance by enabling companies to share people’s personal information with the government.

That bill, expected to be back on the table again in the fall, also drew fire from some digital rights advocates. In a recent Passcode opinion piece, the Cato Institute’s Patrick Eddington and X-Lab director Sascha Meinrath, for instance, argued CISA could actually worsen cybersecurity.

"By collecting personal information and storing it in a massive government data warehouse, CISA will dramatically increase everyone’s vulnerability in future hacking attacks," they wrote. "Given the federal government’s abysmal track record when it comes to protecting its own data, the likelihood of another serious breach remains high."

Mayorkas himself has some concerns about the privacy implications of CISA as opposed to other information-sharing proposals – including the lack of a sufficiently strong mandate for companies to scrub unrelated personal data before they share threat information with the government. Yet he stressed that the Homeland Security department – which runs the National Cybersecurity and Communications Integration Center – has better security of its own networks and information than many federal agencies.

"Different parts of the government are more advanced in their network security systems than others," he said. "The OPM breach was obviously a significant challenge – but one must address it as an opportunity" to improve cybersecurity throughout the government. The White House, he also noted, recently completed a 30-day "Cybersecurity Sprint" in which federal agencies were charged with patching critical vulnerabilities and restricting the number of people with access to sensitive files.

But even Mayorkas acknowledges the mistrust between the US government and the country’s security community ran deep well before the OPM hack. "For some, that might have impacted the confidence levels – for others, it’s born of other things. We’ve got to rebuild or strengthen that trust relationship.

"I recognize that trust deficit," he continued.

That said, Mayorkas is looking to improve the relationship. "I don’t come here and say, 'Just trust us, we’re from the government and we're here to help,' " he said.

To one skeptic at Black Hat who expressed concern about sharing information with the government, the DHS official said: "If you suffered an attack, you may say … 'I don’t feel quite comfortable sharing cyberthreat indicators with the government.' And that is your prerogative, and that is your liberty.

"But perhaps there is [another] attack... in which perhaps you’re willing to give it a try," he continued. "And perhaps our response will actually build a little confidence in you."

 
