TRENDING:

The Public Eye with Eric Chabrow

WH Breach Probe: How Transparent?

Administration Gives Vague Response to Unclassified Net Breach Eric Chabrow (GovInfoSecurity) • November 3, 2014    
WH Breach Probe: How Transparent?
White House hasn't revealed much about a breach of its unclassified network.

The breach of an unclassified White House IT network unveiled last week is disturbing,although not surprising. But the way the Obama administration is informing Congress - and the public - about the cyber-attack is equally unsettling.

See Also: The Cybersecurity Swiss Army Knife for Info Guardians: ISO/IEC 27001

The administration has not been very transparent about the breach, including how it occurred, how it's being investigated and what it will tell Congress - and the American citizenry - once the probe concludes. The White House did not confirm the hack until it was disclosed by the Washington Post.

When I queried the White House late last week about how transparent its investigation into the breach will be, including how it plans to disclose information to Congress and the public, the White House issued a statement attributed to Bernadette Meehan, a National Security Council spokesperson: "Consistent with sensitive intelligence matters, the director of the FBI notified congressional leadership and the chairs and ranking members of the intelligence committees." That was it, nothing more.

One can only hope the administration will share key, unclassified findings about the breach, not only with Congress, but with the public, too. The White House can't reveal everything about the hack - there are legitimate national security concerns - but it can share many details with the cybersecurity community about the attack. After all, one of the administration's top cybersecurity goals is cyber-threat information sharing. And information sharing goes beyond alerting others of pending threats, but sharing lessons learned from cyber-attacks so others can avoid similar digital assaults.

Importance of Transparency

"I hope they tell us about what happened because that's how other administrators learn, and are able to improve their defenses," says Johannes Ullrich, dean of research at the SANS Technology Institute, in an interview last week with Information Security Media Group. "Other networks, not just government but commercial networks and such, may be affected by the same type of malware," Ullrich says. "It's usually very important ... to actually disseminate some of these details."

But disseminating such information doesn't seem to be in the DNA of many officials in the administration and Congress. The leaders of the committees with government IT security oversight weren't notified by either the White House or apparently by their own congressional leaders. The ranking member of the Senate Homeland Security and Governmental Affairs Committee, Tom Coburn, issued a statement before word surfaced that the "Gang of Eight" - the Democratic and Republican leaders of each house and chairs and ranking members of their respective intelligence committees - were briefed on the breach. The Oklahoma Republican complained about the lack of limpidity from the White House regarding the breach.

"I'm disappointed that the White House decided not to notify Congress of the breach, even as its officials debated with my staff the need for agencies to tell Congress when they've been hacked," Coburn says, in a statement issued Oct. 29.

'Yet to Receive Satisfactory Answers

Coburn says he pressed the administration to share details about what has happened and how the attack succeeded. "I have yet to receive satisfactory answers," he says.

Apparently Coburn's colleagues in the Gang of Eight failed to alert him of the breach, too.

A Senate Homeland Security and Governmental Affairs Committee aide, speaking on background, says the White House did not notify its chairman, Sen. Tom Carper, D-Del., about the intrusion, adding that since the breach the committee staff has been in contact with the administration about the incident.

Carper used the uproar over the breach to call for enactment of a series of cybersecurity bills Coburn and he have sponsored, including the Federal Information Security Modernization Act, a measure that would update the Federal Information Security Management Act, the law known as FISMA that governs federal government IT security (see FISMA Reform Heads to Senate Floor).

"I am committed to continuing to work with my colleagues on both sides of the aisle, the administration and stakeholders to pass our legislation and additional measures that address this critical issue as soon as possible," Carper says.

But we need more than just laws. We need a government that can be as frank as possible about the cyber-vulnerabilities government IT systems experience. Without such transparency, the government and other entities in our society will not be able to develop the proper cyber-defenses.



About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.