Black Hat 2015: DHS deputy says ‘just trust us’

Security pros say they are reluctant to share security incidents with government because its networks keep getting breached


The deputy head of the Department of Homeland Security implored a group of skeptical security pros at Black Hat 2015 to share information about security incidents and to trust the government to keep it safe.

“We understand the trust deficit that exists in the [security] community,” says Alejandro Mayorkas, deputy secretary of Homeland Security, encouraging attendees to participate in a government program where private businesses share information about cyber threats they encounter.


Part of the trust problem is that businesses lack confidence that government can secure information it receives, Mayorkas says, citing the massive breach at the Office of Personnel Management. (It didn’t help his cause that as the meeting broke up news also broke that unclassified emails for the Joint Chiefs of Staff had been hacked and the email system shut down for two weeks.)

But during his talk he described the OPM breach as an opportunity for government networks to be made safer. He pointed to a 30-day effort to improve security – “a 30-day sprint to be sure other agencies heightened network security to the extent possible in a sprint” – as a hopeful sign. He pointed out that each government agency has its own network with its own level of security, and that DHS is in the midst of a massive effort to improve its own.

Attendees said they were rightly wary of the ability of the government to protect digital data not just because of persistent news about breaches but because it refuses to let them – independent, third-party security experts – penetration-test the networks with a goal toward making them safer. “You need to give us more than, ‘Just trust us,’” one attendee said.

Mayorkas responded that trust is hard to build and you have to start small. Perhaps a business would suffer an attack and, because of its nature, would be reluctant to report it, and that would be fine. But perhaps it would be more willing to report a less worrisome incident. “Find a spot where you’re comfortable and build from there,” he said.

Another reason security professionals are wary is the push by some in government for backdoor access to encrypted communications, especially since there is no workable solution that all parties can agree upon. “That point has been made throughout my visit here,” Mayorkas said, adding that he would bring that message back to the ongoing debate in Washington.

He said DHS uses audits by its own Inspector General and by the General Accounting Office for oversight of network security. Publicizing the results might be part of the answer, he said.

His audience questioned whether Homeland Security’s goal to support near-realtime, automated information sharing about cyber threat indicators was safe for their organizations. Commercial security experts are concerned that by sharing threat information they may be admitting their networks were vulnerable. That information could be used, they fear, to establish liability should their networks be broken into and cause harm to customers or business associates.

Mayorkas said the key was that the plan was not for realtime but near-realtime sharing, with the delay being used to determine whether privacy and civil liberty issues need to be addressed. He says DHS plans to announce in October a contract to create best practices for the proposed automated sharing system.

“Anonymity is a cornerstone of our information-sharing protocols,” he said, meaning that it wouldn’t be possible to learn from the shared threat indicators who reported them.

He was asked whether automated collection of indicators was in the cards, giving businesses no choice about submitting reports. “Monitoring is beyond the purview of what we are doing now,” he said.

He said that even threats uncovered through publicly disclosed hacks and leaks of stolen data like those from Edward Snowden would be shared if possible. “We will declassify and release everything we can,” he said.

Expediting security clearances for new government security employees and consultants is a DHS goal, he says, so qualified people don’t take other high-paying jobs before they are vetted. The government has already boosted the salaries of some jobs in order to draw more qualified candidates, he said.

DHS plans to open an office in Silicon Valley to be closer to likely candidates.

He said he hoped candidates would be driven by more than just money in deciding whether to work for the government.

This story, "Black Hat 2015: DHS deputy says ‘just trust us’" was originally published by Network World.