Larry Zelvin: Lack of cybersecurity legislation caused some delays in Heartbleed response. (DHS)
The U.S. government was forced to act quickly to fix the Heartbleed vulnerability that compromised hundreds of thousands of websites last month, but Homeland Security Department officials say that Congress’ failure to pass cybersecurity legislation slowed their ability to respond to the weakness.
DHS’ National Cybersecurity and Communications Integration Center was one of the agencies that spearheaded the government’s response to the pervasive bug, which created a vulnerability in the widely used OpenSSL encryption software that protects two-thirds of Internet traffic. According to Larry Zelvin, NCCIC director, the NCCIC led a coordinated, cross-government response that could have reacted faster if Congress had provided better laws and clearer authorities related to cybersecurity.
“While there was rapid and coordinated federal government response to Heartbleed, the lack of clear and updated laws reflecting the roles and responsibilities of civilian network security caused unnecessary delays in the incident response,” Zelvin told a joint House Homeland Security subcommittee meeting on May 21.
Zelvin also provided additional details on DHS’ response to Heartbleed, which included releasing an alert and mitigation information on the US-CERT website within 24 hours of learning of the vulnerability on April 7. DHS worked with the departments of Justice and Defense to create several compromise detection signatures for the EINSTEIN continuous monitoring system used by many government agencies, and coordinated with civilian agencies to scan their networks and with private-sector stakeholders to provide technical assistance.
Zelvin also said DHS created two information-sharing products, one publicly available on the US-CERT website and one shared through non-public, secured channels, to provide incident response recommendations after a “major retailer” security breach in December 2013.
Across the government, officials do not expect the cyber threat to decline anytime soon. Joseph Demarest, assistant director of the FBI’s cyber division, said during the hearing that he worries about terror groups coordinating with criminal organizations that have cyber capabilities.
For now, most terror-group cyber crimes tend to be “focused against websites hosted in the U.S. and tend to be low-level type attacks, website defacement [and distributed denial of service] activities,” Demarest said, adding that he knows of three principal groups that either have, are developing or are looking for cyber weapons capable of physical harm. He did not detail what groups those were, but “we do actively watch for terror organizations crossing over to criminal groups” that have cyber crime capabilities.