Black Hat 2015: DHS deputy says ‘just trust us'

The deputy head of the Department of Homeland Security implored a group of skeptical security pros at Black Hat 2015 to supply information about security incidents and to trust the government to keep it safe.

The deputy head of the Department of Homeland Security implored a group of skeptical security pros at Black Hat 2015 to share information about security incidents and to trust the government to keep it safe.

"We understand the trust deficit that exists in the [security] community," says Alejandro Mayorkas, deputy secretary of Homeland Security, encouraging attendees to participate in a government program where private businesses share information about cyber threats they encounter.

+ MISS BLACK HAT? Get caught up with our stories from the show +

Part of the trust problem is that businesses lack confidence that government can secure information it receives, Mayorkas says, citing the massive breach at the Office of Personnel Management. (It didn't help his cause that as the meeting broke up news also broke that unclassified emails for the Joint Chiefs of Staff had been hacked and the email system shut down for two weeks.)

But during his talk he described the OPM breach as an opportunity for government networks to be made safer. He pointed to a 30-day effort to improve security "a 30-day sprint to be sure other agencies heightened network security to the extent possible in a sprint" as a hopeful sign. He pointed out that each government agency has its own network with its own level of security, and that DHS is in the midst of a massive effort to improve its own.

Attendees said they were rightly wary of the ability of the government to protect digital data not just because of persistent news about breaches but because it refuses to let them independent, third-party security experts penetration-test the networks with a goal toward making them safer. "You need to give us more than, Just trust us,'" one attendee said.

Mayorkas responded that trust is hard to build and you have to start small. Perhaps a business would suffer an attack and, because of its nature, would be reluctant to report it, and that would be fine. But perhaps it would be more willing to report a less worrisome incident. "Find a spot where you're comfortable and build from there," he said.

The push by some in government to have access to backdoors to unlock encryption used in communications is a factor in security professionals being wary, especially since there is no workable solution that all parties can agree upon. "That point has been made throughout my visit here," Mayorkas said, and that he would bring that message back to the ongoing debate in Washington.

He said DHS uses audits by its own Inspector General and by the General Accounting Office for oversight of network security. Publicizing the results might be part of the answer, he said.

His audience questioned whether Homeland Security's goal to support near-realtime, automated information sharing about cyber threat indicators was safe for their organizations. Commercial security experts are concerned that by sharing threat information they may be admitting their networks were vulnerable. That information could be used, they fear, to establish liability should their networks be broken into and cause harm to customers or business associates.

Mayorkas said the key was that the plan was not for realtime but near-realtime sharing, with the delay being used to determine whether privacy and civil liberty issues need to be addressed. He says DHS plans to announce in October a contract to create best practices for the proposed automated sharing system.

"Anonymity is a cornerstone of our information-sharing protocols," he said, meaning that it wouldn't be possible to learn from the shared threat indicators who reported them.

He was asked whether automated collection of indicators was in the cards, giving businesses no choice about submitting reports. "Monitoring is beyond the purview of what we are doing now," he said.

He said that even threats uncovered through publicly disclosed hacks and leaks of stolen data like those from Edward Snowden would be shared if possible. "We will declassify and release everything we can," he said.

Expediting security clearances for new government security employees and consultants is a DHS goal, he says, so qualified people don't take other high-paying jobs before they are vetted. The government has already boosted the salaries of some jobs in order to draw more qualified candidates, he said.

DHS plans to open an office in Silicon Valley to be closer to likely candidates.

He said he hoped candidates would be driven by more than just money in deciding whether to work for the government.

Join the CSO newsletter!

Error: Please check your email address.

Tags Department of Homeland SecurityOffice of Personnel Managementsecurityblack hatJoint Chiefs of Staff

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place