DHS Inspector General Says Office Has No Idea How New Cybersecurity Act Is Supposed To Be Implemented
from the OIG-to-Congress:-you-made-this-mess,-now-fix-it dept
The reanimated CISA, redubbed The Cybersecurity Act (a.k.a., OmniCISA) and hurried through the legislative process by stapling its 2000 pages to the back of a "must-pass" budget bill, is still in the processes of implementation. Not much is known about what the law is intended to do on the granular level, other than open up private companies to government surveillance so the USA can beat back "the cyber."
Surveillance aficionados were quick to lean on private companies to start sharing information, but the government needs to be taught new tricks as well. There's plenty of info siloing at the federal level, which keeps the DHS, FBI, and others involved in the cyberwar from effectively communicating, much less sharing anything interesting they might have had forwarded to them by the private sector.
The federal government has been less than successful in securing its own information -- something CISA was also supposed to fix. The DHS's Inspector General has performed a follow-up investigation on the department's implementation of CISA's requirements. For the most part, things seem to be moving forward, albeit in a vague, undefined direction.
The OIG notes that the DHS has put together policies and procedures and, amazingly, actually implemented some of them. Better still, it has moved many critical account holders to multi-factor authorization. Unfortunately, the DHS still has a number of standalone systems that can't handle multi-factor authorization, which will make them more vulnerable to being breached.
That's pretty much the end of the good news. There are still holes in the DHS's data systems at a very critical juncture. From the report [PDF]:
Although the Department has established software inventory policies, not all DHS components used data exfiltration protection capabilities to support data loss prevention, forensics and visibility, and digital rights management. Further, the Department had not developed policies and procedures to ensure that contractors implement data protection solutions.
Then there's this part of the report, which shows that no one truly understands the 2000-page law -- not even the DHS's first level of oversight, which can't even tell what the agency is supposed to be doing to comply with the new law. (h/t Eric Geller)
DHS and its Components can benefit from additional data protection capabilities and policy to help ensure sensitive PII and classified information are secure from unauthorized access, use, and disclosure. We are submitting this report for informational purposes to the appropriate Congressional oversight committees, as required by the Act. Due to a lack of specific criteria, this report contains no recommendations.
This explains why the report is so short: the OIG doesn't have anything to work with. Two thousand pages and yet the Cybersecurity Act's demands and goals remain so vague that all the Inspector General can do is take a cursory look at the DHS's security protocols and see if they've improved. Beyond that, the DHS and its Inspector General have no specifics to guide them and no firm goals to reach. So, the Inspector General's office is doing the only thing it can do: kick the problem over to the legislators who created it.
This is already quite the problem considering the DHS is flying blind with achieving its internal directives. What makes matters worse is the DHS is a clearinghouse for the information and data obtained from private companies -- like ISP monitoring of user activity for "cybersecurity purposes" -- and is in charge of determining whether or not any personally-identifiable information needs to "scrubbed" before it is passed on to other government agencies.
If it doesn't have enough guidance to determine what direction it should be going in securing its own systems, it presumably has far less when it comes to the handling of private sector information. Those privacy protections were stripped during CISA's swift push through Congress and replaced with a DOJ judgment call on whether or not the DHS has performed an adequate scrub before handing over data to the FBI, NSA, et al. "Lack of specific criteria" pretty much defines the government's approach to domestic surveillance -- which is enabled by this law: grab it all now; figure it out later.