Former DHS official: Response to USIS hack could have been better coordinated
A former DHS official, 10 days removed from the job, details what went down and why. Meanwhile, U.S. CERT Director Ann Barron-DiCamillo calls for more cyber hygiene in wake of USIS hack.
Chris Cummiskey, who until 10 days ago was acting undersecretary for management at the Department of Homeland Security, thinks DHS's response to the large-scale hack of U.S. Investigations Services could have been more coordinated. "The structure in which we understood what was happening was a little convoluted," he said.
Referring generally to DHS responses to cyberattacks, Cummiskey said at a Nov. 13 cybersecurity conference: "We've seen this a couple times now and unfortunately we act like each iteration is the first time it’s ever occurred."
An estimated 25,000 government employees were affected by the hack of USIS, an attack that was reportedly state-sponsored. The breach came to public light in August, but the firm detected and reported the hack to the Office of Personnel Management in early June, according to Cummiskey, who was on the front lines of DHS’s response to the cyberattack.
At a Washington, D.C., conference hosted by the Center for National Policy and the Council on Cybersecurity, the DHS-official-turned-consultant offered the most clear-cut timeline to date of the USIS hack. The firm conducted the majority of federal background-check investigations until OPM decided not to renew its contracts following the big breach.
USIS notified OPM of the breach in early June, he said. The firm then sent a memo on June 17 notifying the procurement shops of "15 large [federal] agencies," he said.
Homeland Security's procurement office relayed news of the breach to its main security office, which then contacted the department’s U.S. Computer Emergency Readiness Team, Cummiskey said. It took some time for U.S. CERT, which is responsible for alerting industry and other government agencies to cyberattacks, to determine the nature and scope of the breach, he said.
"So we start to lose time," he recalled. "And as they’re investigating that, all of a sudden five weeks go by, and all of the sudden we realize that when the NSA … and others go in and take a look voluntarily, at the request of USIS, they look at this and we realize we’ve got a really big problem on our hands."
U.S. CERT's examination of USIS networks revealed some damage, according to Cummiskey, and OPM's ensuing decision not to renew contracts with USIS threw a roadblock into the hack investigation.
"We had conversations with Sterling Phillips, the [USIS] CEO, that were fairly amicable in the early going. But then when we started to get into a pretty tough spot on this, where it looked like OPM was not going to extend their contract, then the talks pretty much shut down," he said.
A source close to USIS told FCW that OPM reviewed and approved USIS's cybersecurity systems on several occasions.
U.S. CERT Director Ann Barron-DiCamillo spoke earlier at the conference. When asked to assess USIS's response to the attack on its networks, she declined, instead choosing to talk about general trends she has seen in incident response.
"You need to have the ability to detect activity earlier in the attack cycle, and you need to be able to quarantine that to a smaller, containerized space," she advised. "These very open, flat networks that we see are a nightmare for an incident response engagement. It takes weeks of activity to even figure out where the adversaries are within your network and then even more time to mitigate that."
Cummiskey described USIS’s data management system as both open and flat, making the entire system vulnerable once an intrusion occurred. He also said DHS's cybersecurity efforts are at least partially hampered by underfunding.
"When you look at it, [cybersecurity is] really about 2 percent of our overall spend at the department," he said. "So while we talk a good game about being at the forefront, we're not able to do quite as much as I think we would like to because of the budget limitations that exist."
NEXT STORY: Drones and privacy: Rejecting regulation