The Department of Homeland Security will look to “strike a balance” between cybersecurity and counterterrorism through the remainder of the Obama administration, DHS Secretary Jeh Johnson said Wednesday.
Speaking at a Federal Times event, Johnson said his cybersecurity goal for DHS before President Barack Obama leaves office is for civilian agencies to be covered by a common baseline of cybersecurity and to maximize the number of companies that benefit from information sharing.
“The reality is we live in an interconnected, networked world,” Johnson said. “Cybersecurity must strike a balance between basic security, online information and the ability to communicate with and benefit from that networked world.”
Johnson said that while DHS is primarily tasked with keeping the country safe from terrorist attacks, the department is upping its focus on protecting the country’s digital infrastructure. During his remarks, he addressed four areas in which he sees progress with regard to the nation’s cybersecurity stance.
He commended Congress for work done on two bills, including the Senate passage of the Cybersecurity Information Sharing Act and the House passage of the National Cybersecurity Protection Advancement Act. Johnson said the bills “strengthen the role of the Department of Homeland Security and our nation’s cybersecurity efforts.”
“Congress is actually getting stuff done in a bipartisan fashion,” he said.
He also spoke of a new dialogue with China over Beijing’s online plunder of U.S. firms’ trade secrets and intellectual property. An agreement reached earlier this year between President Barack Obama and his Chinese counterpart Xi Jinping would curb Chinese commercial espionage in cyberspace. Johnson said DHS is preparing for “ministerial level dialogue” during talks with Chinese officials to be held in Washington at the beginning of December. He said he doesn’t believe the talks will “resolve all of our challenges” with China, but they are a step forward to address “one of our sharpest areas of disagreement” in the countries’ relationship.
“Time will tell whether China’s government’s commitments are matched by action,” he said.
With regard to the federal government, Johnson touted the use of DHS’ intrusion prevention system Einstein 3A and the Continuous Diagnostics and Monitoring program. Since being rapidly deployed as part of the White House’s cybersecurity sprint, Einstein, or E3A, has stopped 700,000 possible attempts to steal government data or disrupt government systems. Additionally, CDM phase one has been rolled out to 97 percent of .gov systems, discovering 363 vulnerabilities. Johnson said 99 percent of those vulnerabilities have since been remedied.
Johnson also called for much greater education for IT users about the dangers of spear phishing, the highly targeted email spoofing method malicious actors use to enter networks.
“Whether it be .gov, .mil, .com, .edu, or .org, perhaps the most effective thing we can do for cybersecurity is create awareness among everyone who uses your systems to the damages of spear phishing,” Johnson said.
He detailed how DHS has run training programs within the agency, sending out fake phishing emails offering free Washington Redskins tickets. If employees click through the phony links, they are directed to training programs designed to educate users about the dangers of spear phishing.
Johnson concluded by saying there is “no one silver bullet” for cybersecurity, but the agency is moving to address what he considers a “shared problem” between the government and private industry.
“As the OPM breach painfully demonstrated, our federal cybersecurity efforts are not where they need to be,” he said. “But we are improving and detecting more and more intrusions every day.”