Homeland Security to scan federal computer networks without prior authorization

Homeland Security to scan federal computer networks without prior authorization
After failing to identify the potentially disastrous Heartbleed bug, the United States Department of Homeland Security has successfully lobbied to have the ability to conduct “regular and proactive scans” of civilian agency systems.

Beth Cobert, the deputy director for management at the White House Office of Management and Budget, wrote on Friday that “growing cybersecurity threats,” including this year’s Heartbleed bug, have prompted the federal government to embrace better tactics aimed at ensuring the computer networks used by agencies stays secure.

“In a rapidly changing technological environment, we must have robust procedures, policies and systems in place to protect our nation’s most sensitive information,” Cobert wrote in a blog post first published last week by the White House. To accomplish as much, her office has announced the establishment of a new process that subjects civilian agency networks to greater scrutiny.

According to the official memorandum published last week by the White House OMB, the new mechanism being rolled out by DHS will see to it that the agency “Scan[s] internet accessible addresses and public facing segments of Federal civilian agency systems for vulnerabilities on an ongoing basis as well as in response to newly discovered vulnerabilities on an urgent basis, to include without prior agency authorization on an emergency basis where not prohibited by law.”

By having the DHS “formalize” this process, the memo continues, critical cybersecurity areas of the federal government will be hopefully be better prepared in the event of a cyberattack or major network issue.

“The Federal Government's response to the ‘Heartbleed’ security vulnerability highlighted the need to formalize this process, and ensure that Federal agencies are proactively scanning networks for vulnerabilities,” the memo reads. “This year's guidance clarifies what is required of DHS and Federal agencies in this area.”

But according to NextGov reporter Aliya Sternstein, the new process unveiled last week by DHS does more than just ensures networks stay safe — it also provides DHS with the unprecedented power to monitor these public-facing civilian agency networks.

“DHS officials Friday toldNextgovthat, in the past, the department would have to obtain essentially permission slips from agencies before using Einstein and scanning their systems,” Sternstein wrote, referring to the diagnostic hardware and software suite currently used to detect and prevent cyberattacks. “Officials added that DHS now has 110 agreements from agencies to scan for vulnerabilities.”

Cobert’s announcement of the new DHS initiative was made just one day after Rep. Mike Rogers (R-Michigan), the chairman of the House Intelligence Committee, said the US lacks solid policies for both protecting its networks and launching cyber offensives.

“As the [US government] writ large, we don’t have the policies down. We debate it a lot — I can’t tell you how much time we spent in the intelligence committee trying to figure out the way forward on what that looks like — and part of the challenge is the government has about 15 percent of the networks, and the private sector holds about 85 percent of the networks,Rogers said. “And, contrary to popular belief, the NSA is not monitoring those networks. It is not on those networks. The only way that they see anything coming in is from the outside, so most of the offensive talk is from the private sector saying, ‘I’ve had enough and I’m going to do something about it.’ Because basically what we’ve done today by doing nothing in Congress is telling the 85 percent of these private networks, ‘You’re on your own. You have nation states who are targeting you; who are raving your networks. But you’re on your own. Good luck.’”

Rogers has twice introduced bills in Congress that would let the government monitor activity on private sector networks, but privacy advocates have opposed the act citing the potential of unnecessary surveillance on those systems.