DHS Helping with DDoS Defense

Department Enhances Ability to Share Threat Information

The U.S. Department of Homeland Security over the past few months has enhanced its ability to help financial institutions to defend against distributed-denial-of-service attacks that have temporarily limited access to the online sites of major banks, says DHS Deputy Undersecretary for Cybersecurity Mark Weatherford.


"A year ago, quite frankly, the capability was not there," Weatherford says in an interview with Information Security Media Group [see transcript below]. "We did not have the capacity to collaborate nearly as effectively as we do now. I won't say that it has become almost pro forma, but it's become a lot more routine for how we do this now than it was just a few months ago."

Since Dec. 11, when the self-proclaimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters kicked off its second campaign of DDoS attacks, 14 major U.S. banks have apparently been targeted [see DDoS: Lessons from Phase 2 Attacks]. Some of these banks also were attacked during the group's first campaign, which ran from mid-September through mid-October.

Banks Must Request Help

The primary role DHS performs is to share with banks threat information it amasses from a variety of government, intelligence and private entities. But the department can't help the banks until it receives a request from the financial institution for assistance.

"We get information from the private sector," Weatherford says. "We can bounce that against other information we have that really gives us that better analytical picture of what is actually happening within the environment. It's typically not just sharing with one bank or one financial institution; it's sharing with many, and it's also bringing in the other components from within the government.

"It's not just even NSA and the FBI," he adds. "We get information from all different kinds of government organizations and the sector-specific agencies within each of the critical infrastructures. I know I sound like I'm over-blowing this. I am really personally satisfied with the maturity that we've seen in this information sharing and collaboration over the past year."

Although attackers continue to temporarily limit customer access to bank websites, Weatherford says he believes the situation has improved. In fact, he cites a conversation he recently had with a large bank's chief information security officer, although he declines to name her. She told Weatherford: "While we don't like going through these things, and they really are a pain in the rear, we have learned a lot internally about how to deal with these things, and we've also learned a lot about [how] the other resources, not just from within the government, but other banks and financial institutions in this sector, are dealing with it."

Cross-Pollination of Information, Ideas

Weatherford says within the banking industry a lot of "cross-pollination" of information and ideas on defending against DDoS attacks is occurring that hadn't happened until recently. "It's been pretty rewarding also to see people who are in any other instance competitors collaborating together because they know it's in their own best interest to do so."

Why has DHS intensified its efforts to help banks defend against DDoS attacks? In late 2011, DHS reorganized its National Protection and Programs Directorate to place a greater emphasis on cybersecurity, and in November of that year tapped Weatherford, a former CISO of California and Colorado, as deputy undersecretary for cybersecurity. He spent his first half year at DHS building a team that then executed programs to strengthen cybersecurity [see Building DHS's All-Star Cybersecurity Team].

One benefit of the attention Weatherford and the team brought to cybersecurity is that those seeking help, such as banks, now know where to go for assistance. "One of the constant complaints I have heard from the private sector when I first got here was that oftentimes they didn't know who to call in the government," Weatherford says. "Do they call DHS? Do they call the FBI? Do they call DoD? Do they call the FCC? Now it's pretty clear, if they call DHS, if they call the NCCIC [National Cybersecurity and Communications Integration Center], then we can get them focused in the right direction because not all issues are DHS issues, quite frankly."

Providing this type of help illustrates the leadership government must show in protecting key institutions upon which American society depends. "It's been some really focused leadership on everybody's part to say this is important," Weatherford says. "It's a priority that we frame this out as a national priority because it is the only way we're going to be able to deal with these kinds of issues."

Assessing the Nation's IT Security Posture

ERIC CHABROW: How has your assessment changed since joining DHS in November 2011 of the government's and the nation's IT security posture? Where has the IT security posture improved? Where has it deteriorated?

MARK WEATHERFORD: I'm not sure I would say it's deteriorated. We've moved forward quite extensively, and I would say the biggest success story that I've seen is, we have completely tightened up our operations. In the last year, we have realigned the U.S. CERT within the banking organization, so we're much more tightly focused operationally. The internal information sharing, the internal collaboration has really increased exponentially. See, that is the internal piece that has been the big success story. Externally, our relationships across the U.S. government and very specifically with the National Security Agency and the FBI have really, really been pretty profound. We have been very, very close over the last six months or so to put the protocols and then the policies in place for how we interact, not only on a daily basis when we're reacting to an incident in the private sector [but] how we share those responsibilities. Who does what when? To me, it's been personally rewarding to see the level of collaboration between the government and organizations.

CHABROW: Can you provide an example or two of that collaboration and how it works?

WEATHERFORD: It's no surprise and no secret that the banking and finance industry has been under attack for the past several months primarily through these DDoS events. How we as a government respond and work with the individual banks, it was a little bit immature at the beginning of this, but very quickly we put the protocols ... together for how we collaborate and work together to take information that we receive from a variety of different sources and get that information back out to individual banks, and how they can respond and mitigate against these things. A year ago, quite frankly, the capability was not there. We did not have the capacity to collaborate nearly as effectively as we do now. I won't say that it has become almost pro forma, but it's become a lot more routine for how we do this now than it was just a few months ago.

Government's Role in Safeguarding Privately Owned IT

CHABROW: What is the role of government in helping private institutions to defend against these kinds of attacks? Is it just information sharing, or is there a more active role that government can play?

WEATHERFORD: Information sharing is the primary role, but there are a lot of different pieces to what information sharing means. [It goes] back to, "What is the role?" First off, we have to be specifically requested by the private sector to help. They voluntarily ask us, and we can get engaged at that point. The information sharing piece, as I said, there are many layers to information sharing. We get information from the private sector. We can bounce that against other information we have that really gives us that better analytical picture of what is actually happening within the environment. It's typically not just sharing with one bank or one financial institution; it's sharing with many, and it's also bringing in the other components from within the government. Again, it's not just even NSA and the FBI. We get information from all different kinds of government organizations and the sector-specific agencies within each of the critical infrastructures. I know I sound like I'm over-blowing this. I am really personally satisfied with the maturity that we've seen in this information sharing and collaboration over the past year.

CHABROW: Is there any way that this is helping these institutions, because these attacks seem to continue?

WEATHERFORD: Yes, and I'll give you one example. I won't name the bank, but I talked with the CISO for a very large bank just a couple of weeks ago, and she said, "You know, while we don't like going through these things, and they really are a pain in the rear, we have learned a lot internally about how to deal with these things, and we've also learned a lot about [how] the other resources, not just from within the government, but other banks and financial institutions in this sector, are dealing with it." There is a lot of cross-pollination happening right now within the sector that simply wouldn't have happened before. It's been pretty rewarding also to see people who are in any other instance be competitors collaborating together because they know it's in their own best interest to do so.

Restructuring Emphasizes Cybersecurity

CHABROW: And you are working directly with the banks as well as through the FBI or Secret Service, or even the FS-ISAC [Financial Services Information Sharing and Analysis Center]?

WEATHERFORD: The FS-ISAC, the Treasury - you know, Treasury is the sector's specific industry for banking and finance. I can't even name all the different organizations that are part of this process now that - again and again I sound like a broken record - a year ago simply would not have happened.

CHABROW: So what's changed? Is it this structure at DHS and the creation of your office that propelled these changes?

WEATHERFORD: I think that is a big part of it. A big part of it is that we have focused on this awareness that we could not do this alone and that we required this kind of inter-governmental interaction to be able to address these things. I think I told you this before when we talked. One of the constant complaints I have heard from the private sector when I first got here was that they oftentimes didn't know who to call in the government. Do they call DHS? Do they call the FBI? Do they call DOD? Do they call the FCC? Now it's pretty clear: If they call DHS, if they call the NCCIC [National Cybersecurity and Communications Integration Center] then we can get them focused in the right direction, because not all issues are DHS issues quite frankly. Some things that are specifically law enforcement, we point right to the FBI.

It's been a number of things I think that are a result of this, but it's been some really focused leadership on everybody's part to say this is important. It's a priority that we frame this out as a national priority because it is the only way we're going to be able to deal with these kinds of issues. And it's not just within banking and finance. We've responded to incidents in oil, natural gas and the electricity industry across several of the different sectors.