OPM breach a shadow over Homeland Security's appeals to security pros
LAS VEGAS
The Department of Homeland Security's No. 2 official came to the Black Hat conference in Las Vegas to urge a crowd of skeptical cybersecurity pros to share more information about the threats they uncover with the US government.
But the massive breaches at the Office of Personnel Management that exposed sensitive personal details stored in its databases from as many as 21 million people did not help his case.
"I've heard as recently as this morning – speaking with some of the attendees here – about the OPM breach and its impact on the confidence in sharing with the government," Deputy Homeland Security Secretary Alejandro Mayorkas said Thursday, in response to a question from Passcode.
Despite the breaches that exposed holes in the government's own cybersecurity, Mr. Mayorkas said companies should still share information so DHS can better synthesize and disseminate that threat intelligence to help the private sector. "To not share the information – or at least, to not start in some way and give it a try – is surrendering the ability to exploit a capability that may, in fact, work in strengthening network security," he said.
Information sharing has been a major Obama administration priority in the wake of cyberattacks on big companies such as Sony Pictures and Anthem. Yet Congress has not yet united to pass legislation that would, among other things, ensure companies will have liability protection from exposing customer and other potentially sensitive data to government agencies.
The Senate recently left for summer recess without passing the Cybersecurity Information Sharing Act (CISA), a controversial bill opposed by many civil liberties advocates who say it could instead dramatically expand domestic surveillance by enabling companies to share people's personal information with the government.
That bill, expected to be back on the table again in the fall, also drew fire from some digital rights advocates. In a recent Passcode opinion piece, the Cato Institute's Patrick Eddington and X-Lab director Sascha Meinrath, for instance, argued CISA could actually worsen cybersecurity.
"By collecting personal information and storing it in a massive government data warehouse, CISA will dramatically increase everyone's vulnerability in future hacking attacks," they wrote. "Given the federal government's abysmal track record when it comes to protecting its own data, the likelihood of another serious breach remains high."
Mayorkas himself about the privacy implications of CISA as opposed to other information-sharing proposals – including the lack of a sufficiently strong mandate for companies to scrub unrelated personal data before they share threat information with the government. Yet he stressed that the Homeland Security department – which runs the National Cybersecurity and Communications Integration Center – has better security of its own networks and information than many federal agencies.
"Different parts of the government are more advanced in their network security systems than others," he said. "The OPM breach was obviously a significant challenge – but one must address it as an opportunity" to improve cybersecurity throughout the government. The White House, he also noted, recently completed a 30-day "Cybersecurity Sprint" in which federal agencies were charged with patching critical vulnerabilities and restricting the number of people with access to sensitive files.
But even Mayorkas acknowledges the mistrust between the US government and the country's security community ran deep well before the OPM hack. "For some, that might have impacted the confidence levels – for others, it's born of other things. We've got to rebuild or strengthen that trust relationship.
"I recognize that trust deficit," he continued.
That said, Mayorkas is looking to improve the relationship. "I don't come here and say, 'Just trust us, we're from the government and we're here to help,' " he said.
To one skeptic at Black Hat who expressed concern about sharing information with the government, the DHS official said: "If you suffered an attack, you may say – 'I don't feel quite comfortable sharing cyberthreat indicators with the government.' And that is your prerogative, and that is your liberty.
"But perhaps there is [another] attack... in which perhaps you're willing to give it a try," he continued. "And perhaps our response will actually build a little confidence in you."