Andy Ozment says DHS has built it. Will they come?

(FEMA / Bill Koplitz)


Written by

Andy Ozment is ready for the rest of the cybersecurity universe to meet him halfway.

The director of the Department of Homeland Security’s National Protection and Programs Directorate detailed where his office stood on key cybersecurity initiatives Thursday, saying that it’s time for the private sector and government agencies to participate in the programs DHS is standing up.

Speaking to the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board, Ozment updated experts on the agency’s Automated Indicator Sharing platform and Continuous Diagnostics and Mitigation program.

Created by the Cybersecurity Act of 2015, the AIS portal launched last week, giving private companies a way to share threat info without being held liable for protections. With all of the legal cover built in, Ozment said it’s time for companies to step up and contribute.

“There is a degree to this that is now going to be on the private sector,” he said. “We’ve built the pipes and are going to start sticking information in. We have liability protection, we have a system for sharing information. Now we need companies to sign up and contribute. Not just sign up and receive indicators, but also sign up and share indicators.”

Ozment went in depth on how indicators will be examined once they are put into the AIS system. Companies can submit indicators that will fit into 300 fields. Most will be examined by machines and then automatically disseminated across the portal. However, if a threat indicator can’t be processed by machines — like the subject line of a phishing email — it will be pulled out for human review.

He also said that indicators are going to come with a reputation score based on whether they have been flagged by a certain company or DHS. However, because companies want this information fast, Ozment said not every indicator will be thoroughly vetted.

“If you are going to share in a timely fashion, we can’t have a human assess every indicator,” he said. “That means if someone gives us garbage, we’re going to push that garbage out. Because what we heard from people was ‘We’re going to vet all this stuff anyway, so please don’t make it slow by you vetting it, then passing to us, where we vet it again.’”

When it comes to the CDM program, there is more input from actual people. Ozment said DHS has divided agencies into buckets — thought he didn’t explain how — and paired them with integrators, which are helping agencies deploy the tools DHS has bought for the effort.

“We did it this way in part because we knew agencies really struggle with capacity,” he said. “We just bought them a bunch of tools and they might never install them or have the know-how on how to install them. We gave them professional support in addition to the tools for the installation and integration of those tools.”

While Ozment said he doesn’t have a timeframe for when those agencies will complete the integration process, the end result will beat the prior process of agencies giving an estimate of their security profile.

“We had no access to understanding what was going on inside agency networks,” he said. “Now we’re buying them tools and deploying them, rather than asking agencies how secure they are, then they come with an Excel spreadsheet and someone licks their finger, holds it to the wind and goes ‘we’re about 80 percent secure,’ and puts it in the spreadsheet. Now we have machines assessing things and giving us data we can count on.”

Ozment expects this phase — known as phase two — to last at least for another year. Phase 3, which will look at event management, and phase four, which will be built around data security, will then begin sometime in fiscal year 2017.

That’s a timeline that Ozment admitted was slow. Yet he told the group that DHS has to press on nonetheless.

“Is it a perfect solution? Absolutely not,” he said. “Would I rather have been secure six years ago? That would be great. This is where we are now.”