Part of the Department of Homeland Security, the Cybersecurity Assessments program offers its services to any public or private organization that requests them, and could be a boon to smaller governments in particular.
At a time when hackers target state and local governments more than ever before, proper cybersecurity practices are crucial. Some recent estimates have put the number of attacks against state governments at 150 million a day, making cyberhygiene — the task of analyzing system infrastructures to test for and correct vulnerabilities — an increasingly vital practice. But the costs of maintaining that hygiene can be out of reach for smaller communities.
That’s why a special team within the Department of Homeland Security (DHS) is helping governments at all levels better secure their systems. The DHS Cybersecurity Assessments program offers its services free of charge to any organization that requests them.
Operated from within DHS’ new Cybersecurity and Infrastructure Security Agency (CISA), the program has grown rapidly over the years from a handful of cyberprofessionals to a large team that provides hundreds of services per year to state, local and tribal government entities, as well as private-sector companies.
Don Benack, the program’s former deputy director (he has since been promoted to another position within the program), helped guide it from its inception in 2007. Benack said the services, which are delivered both remotely and with in-person technical support, center on identifying and analyzing system vulnerabilities.
The program includes cyberhygiene assessments, which look for weak configurations in Internet-facing systems; phishing campaign assessments, which measure how susceptible staff are to lure emails; and remote penetration testing, which simulates a cyberattack to expose gaps in security. The program also has a red team, which uses social engineering to understand the intrusion methods and system flaws that adversaries exploit.
Benack said the program initially grew from a fairly limited federal compliance effort in the mid-2000s.
The Trusted Internet Connections (TIC) initiative, mandated by the U.S. Office of Management and Budget (OMB) in 2007, was a large effort to reduce the risk of malicious intrusions into the federal government by drastically shrinking its external network connections. OMB authorized what was then called DHS’ National Cyber Security Division to coordinate TIC for the federal civilian executive branch — establishing an assessment team called the Cyber Assurance Branch (CAB). CAB, which would eventually grow into the larger Assessments program, was initially tasked with what were essentially compliance checks for federal agencies looking to secure their systems.
However, it soon became apparent that the scope of the program could be drastically expanded, Benack said.
“We quickly realized that there was an opportunity to do more than just be a compliance checker for meeting the specific mandate capability,” said Benack, explaining that the focus transitioned to risk assessments and advancement of best practices. “Over time, the capabilities of the assessment team grew to help agencies better understand and manage the risks and vulnerabilities identified.”
The team began to offer federal agencies optional assessments, including two new voluntary services that would eventually become program mainstays. These were the Risk and Vulnerability Assessments (RVA) in 2012 and Cyber Hygiene (CyHy) vulnerability scanning in 2013.
The program’s federal scope was also greatly expanded by the discovery of the Heartbleed vulnerability in 2014, a significant weakness in the OpenSSL encryption software used by myriad websites and devices. The discovery spurred OMB to mandate that all federal civilian agencies use the program’s cyberhygiene services. DHS later followed the OMB mandate by issuing its own operational directive, which obligated federal civilian agencies to mitigate critical vulnerabilities on their Internet-facing systems identified by CyHy scanning within 30 days of notification, Benack said.
In late 2013, the program pivoted from a singular federal focus to a national one — offering, for the first time, RVA and CyHy services to state and local governments and to all 16 sectors identified by the federal government as “critical infrastructure.”
Not surprisingly, the program continues to grow in popularity. Only 11 cyberhygiene tests were conducted for state and local governments during the first year, but four years later, the number of stakeholders had jumped to 208, before rising to 633 in 2019. Similarly, the phishing campaign assessments — first offered in 2018 — jumped from one test conducted last year to 30 tests conducted this year. The team’s validated architecture design reviews — which help governments understand the relative design strength of their systems and networks — were requested 25 times by different state and local governments so far this year.
“The great thing about these services is that they’re for everybody,” said Erik Avakian, chief information security officer (CISO) of Pennsylvania. For larger organizations, the tests can serve to augment other security testing procedures, while for agencies and communities with more limited funding, they are an alternative to services that would otherwise have to be purchased from the private sector.
Avakian said his agency has been using the services since mid-2016 to complement its own security tests and that the state continues to receive regular reviews from the program. Pennsylvania gets both remote and in-person testing and reviews, he said, adding that the expertise DHS operators bring to the table adds a lot of value.
Similarly, North Dakota’s Information Technology Department, which already conducts its own cyberhygiene tests — including phishing campaign assessments and risk and vulnerability scans — has been receiving the DHS assessments for a little more than a year. State CISO Sean Wiese thinks of the DHS evaluation as “another set of eyes” on processes his agency is already responsible for.
“It’s somebody else doing it for us — to validate [results] and for us to compare notes, really,” Wiese said.
All of the services that DHS is offering should be part of an agency’s threat mitigation tactics, Wiese said. Of course, depending on a government’s cybersecurity maturity level, the assessments might not be able to be as thorough as they need to be, he added.
Indeed, the National Association of State Chief Information Officers released a report in 2018 arguing that while states have made significant progress in establishing cybersecurity programs, serious “shortages in both funding and cybertalent continue to exist.” The report notes that risk assessments were one of the most routinely outsourced operations, and are an area where CISOs still have “room to improve.”
Looking to the future, the program’s operators see more clients, wider availability of their services, and the use of emerging technologies and automation to better deliver them.
“We have over 1,200 state and local and critical infrastructure customers leveraging the service and we hope to keep growing,” Benack said. “Our message [over the years] hasn’t changed, and the value statement hasn’t changed. Every year, we get a few more resources,” he added, explaining that he hopes funding will increase in the coming years.
For more information on the DHS Cybersecurity Assessments program, visit www.dhs.gov/cisa/cybersecurity-assessments.