This post is a follow up to this post on CDM. Since that post I have been watching hearings on the OPM breach.
On Wednesday 24 June a Subcommittee of the House Committee on Homeland Security held a hearing titled DHS’ Efforts to Secure .Gov.
A second panel (starts in the Webcast around 2 hours 20 minutes) featured Dr. Daniel M. Gerstein, a former DHS official now with RAND, as its sole witness.
During his opening statement, and in his written testimony, he made the following comments:
“The two foundational programs of DHS’s cybersecurity program are EINSTEIN (also called EINSTEIN 3A) and CDM. These two systems are designed to work in tandem, with EINSTEIN focusing on keeping threats out of federal networks and CDM identifying them when they are inside government networks.
EINSTEIN provides a perimeter around federal (or .gov) users, as well as select users in the .com space that have responsibility for critical infrastructure. EINSTEIN functions by installing sensors at Web access points and employs signatures to identify cyberattacks.
CDM, on the other hand, is designed to provide an embedded system of sensors on internal government networks. These sensors provide real-time capacity to sense anomalous behavior and provide reports to administrators through a scalable dashboard. It is composed of commercial-off-the-shelf equipment coupled with a customized dashboard that can be scaled for administrators at each level.” (emphasis added)
All of the text in bold is false. CDM is not “identifying [threats] when they are in inside government networks.” CDM is not “an embedded system of sensors on internal government networks” looking for threat actors.
Why does Dr. Gerstein so misunderstand the CDM program? The answer is found in the next section of his testimony, reproduced below.
“CDM operates by providing
federal departments and agencies with capabilities and tools that identify
cybersecurity risks on an ongoing basis, prioritize these risks based upon
potential impacts, and enable cybersecurity personnel to mitigate the
most significant problems first. Congress established the CDM program
to provide adequate, risk-based, and cost-effective cybersecurity and
more efficiently allocate cybersecurity resources.” (emphasis added)
The indented section is reproduced from the DHS CDM Website, as footnoted in Dr. Gerstein’s statement.
The answer to my question of misunderstanding involves two levels of confusion.
The first level of confusion is a result of the the CDM description, which confuses risks with vulnerabilities. Basically, the CDM description should say vulnerabilities instead of risks. CDM, now known as Continuous Diagnostics and Mitigation, is a “find and fix flaws (i.e., vulnerabilities) faster” program.
In other words, the CDM description should say:
“CDM gives federal departments and agencies with capabilities and tools that identify cybersecurity vulnerabilities on an ongoing basis, prioritize these vulnerabilities based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.”
The second level of confusion is a result of Dr. Gerstein confusing risks with threats. It is clear that when Dr. Gerstein reads the CDM description and its mention of “risks,” he thinks CDM is looking for threat actors. CDM does not look for threat actors; CDM looks for vulnerabilities. Vulnerabilities are flaws in software or configuration that make it possible for intruders to gain unauthorized access.
As I wrote in my CDM post, we absolutely need the capability to find and fix flaws faster. We need CDM. However, do not confuse CDM with the operational capability to detect and remove threat actors. CDM could be deployed across the entire Federal government, but it would be an accident if a security analyst noticed an intruder using a CDM tool.
Essentially, the government needs to implement My Federal Government Security Crash Program to detect and remove threat actors.
It is critical that staffers, lawmakers, and the public understand what is happening, and not be lulled into a false sense of security due to misunderstanding these concepts.