Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:47 AM
Connect Directly

Homeland Security, Defense Sign Cybersecurity Pact

The deal should improve collaboration between the agencies and, in particular, boost DHS' encryption and decryption capabilities.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
The Department of Homeland Security and Department of Defense, which together carry out much of the federal government's cybersecurity work, announced a pact Wednesday that aims to improve government defense of private, government, and military networks.

The five-page agreement, signed in late September by defense secretary Robert Gates and homeland security secretary Janet Napolitano, but made public only this week, creates a "framework" within which officials from DHS, DoD, the National Security Agency, and the military's new Cyber Command will work with one another on cyber-related issues. In the process, the deal increases formal ties in a relationship that, until now, has been largely ad hoc.

As part of the pact, a group of NSA cryptologic analysts will be embedded at the National Cybersecurity and Communications Center (DHS' cyber operations center) in Arlington, Va., and DHS will send Adm. Michael Brown, deputy assistant secretary of DHS for cyber security, with a support team of privacy and civil liberties personnel, to NSA's National Threat Operations Center and Cyber Command's headquarters at Fort Meade, Md. The organizations will also create a Joint Coordination Element under Brown at NSA headquarters to do joint operational planning and coordination.

While the agreement does nothing to add to or subtract from the responsibilities of any of the organizations involved, it could, in particular, improve DHS' capabilities to mitigate malware as part of its role to protect government networks and provide cybersecurity support to private companies, said Center for Strategic and International Studies senior fellow Jim Lewis.

"The easiest way to think about this is that malware has encrypted parts, and NSA is best equipped to crack the encryption, so we should give them that ability," Lewis said. "Getting them embedded in DHS will get the [National Cybersecurity and Communications Integration Center] to do a better job."

Embedding NSA officials within DHS is also likely a cheaper and quicker way to increase DHS' encryption capabilities than requiring DHS to ramp up its encryption skills on its own. Gates and Napolitano hinted at this in a joint statement, saying that one of the goals of the deal was to improve "economy and efficiency."

The relationship between DHS and NSA has not always been an easy one, and this deal could signal a bit of progress on that front. The March 2009 resignation letter of DHS' former cyber official Rod Beckstrom criticized the NSA's increasing involvement in cybersecurity, for example, and, while DHS has a primary responsibility over helping to protect critical infrastructure networks (think power plants, air traffic control systems, etc.), both NSA, via its Perfect Citizen project, and Cyber Command have demonstrated an interest in having an increased role there.

"This structure is designed to put the full weight of our combined capabilities and expertise behind every action taken to protect our vital cyber networks, without altering the authorities or oversight of our separate but complementary missions," Gates and Napolitano said in a joint statement. "We will improve economy and efficiency by better leveraging vital technologies and personnel to serve both Departments’ missions in full adherence to U.S. laws and regulation."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...