The Department of Homeland Security’s No. 2 official came to the Black Hat conference in Las Vegas to urge a crowd of skeptical cybersecurity pros to share more information about the threats they uncover with the US government.
But the massive breaches at the Office of Personnel Management that exposed sensitive personal details stored in its databases from as many as 21 million people did not help his case.
"I’ve heard as recently as this morning – speaking with some of the attendees here – about the OPM breach and its impact on the confidence in sharing with the government," Deputy Homeland Security Secretary Alejandro Mayorkas said Thursday, in response to a question from Passcode.
Despite the breaches that exposed holes in the government’s own cybersecurity, Mr. Mayorkas said companies should still share information so DHS can better synthesize and disseminate that threat intelligence to help the private sector. "To not share the information – or at least, to not start in some way and give it a try – is surrendering the ability to exploit a capability that may, in fact, work in strengthening network security," he said.
Information sharing has been a major Obama administration priority in the wake of cyberattacks on big companies such as Sony Pictures and Anthem. Yet Congress has not yet united to pass legislation that would, among other things, ensure companies will have liability protection from exposing customer and other potentially sensitive data to government agencies.
The Senate recently left for summer recess without passing the Cybersecurity Information Sharing Act (CISA), a controversial bill opposed by many civil liberties advocates who say it could instead dramatically expand domestic surveillance by enabling companies to share people’s personal information with the government.
That bill, expected to be back on the table in the fall, also drew fire from some digital rights advocates. In a recent Passcode opinion piece, the Cato Institute’s Patrick Eddington and X-Lab director Sascha Meinrath, for instance, argued CISA could actually worsen cybersecurity.
"By collecting personal information and storing it in a massive government data warehouse, CISA will dramatically increase everyone’s vulnerability in future hacking attacks," they wrote. "Given the federal government’s abysmal track record when it comes to protecting its own data, the likelihood of another serious breach remains high."
Mayorkas himself has some concerns about the privacy implications of CISA as opposed to other information-sharing proposals – including the lack of a sufficiently strong mandate for companies to scrub unrelated personal data before they share threat information with the government. Yet he stressed that the Homeland Security department – which runs the National Cybersecurity and Communications Integration Center – has better security of its own networks and information than many federal agencies.
"Different parts of the government are more advanced in their network security systems than others," he said. "The OPM breach was obviously a significant challenge – but one must address it as an opportunity" to improve cybersecurity throughout the government. The White House, he also noted, recently completed a 30-day "Cybersecurity Sprint" in which federal agencies were charged with patching critical vulnerabilities and restricting the number of people with access to sensitive files.
But even Mayorkas acknowledges the mistrust between the US government and the country’s security community ran deep well before the OPM hack. "For some, that might have impacted the confidence levels – for others, it’s born of other things. We’ve got to rebuild or strengthen that trust relationship.
"I recognize that trust deficit," he continued.
That said, Mayorkas is looking to improve the relationship. "I don’t come here and say, 'Just trust us, we’re from the government and we’re here to help,' " he said.
To one skeptic at Black Hat who expressed concern about sharing information with the government, the DHS official said: "If you suffered an attack, you may say … 'I don’t feel quite comfortable sharing cyberthreat indicators with the government.' And that is your prerogative, and that is your liberty.
"But perhaps there is [another] attack … in which perhaps you’re willing to give it a try," he continued. "And perhaps our response will actually build a little confidence in you."