The Department of Homeland Security is providing weekly vulnerability scorecards to 106 Federal agencies every Monday, said Rob Karas, the agency’s Director of National Cybersecurity Assessments and Technical Services (NCATS), at the Tenable GovEdge 2018 Conference Thursday.
But disputes over the relative accuracy of actively monitored cybersecurity threat data could be preventing real security breakthroughs in Washington, other officials at Thursday’s event said.
“We started the cyber hygiene program at DHS, and we scan 106 Federal Agencies,” Karas said. “We send out report cards to all these Federal agencies every Monday.”
Karas said the use of live dashboards to detect security gaps across agencies is informing conversations that make their way up the chain to the highest office in Washington.
“We would have the White House calling us Tuesday, Wednesday, Thursday,” he said.
In those conversations, DHS provided the administration with up-to-the-minute information on NCATS’ active monitoring of critical vulnerabilities. But the span of just a couple of days between report card release and those later discussions was enough to cause confusion among some agency leaders, Karas said.
“For example, a report would go out and we would tell Agriculture they have three vulnerabilities. On Wednesday, we would tell the White House they have five, because that’s what our dashboard said. People couldn’t process that information, and would spend more time arguing the data was wrong,” he said.
Karas’ fellow panelists were keen to note that a lack of confidence in data sets is obscuring real organizational progress goals.
“The thing that is most debilitating to a command center and to its ability to make decisions is questioning the integrity of the data,” said Robert Schmidle, former deputy commander at U.S. Cyber Command.
The inherent skepticism of some stakeholders has prompted the need to make threat analysis as pain-free as possible, said Wayne Lloyd, Federal CTO at RedSeal.
“Those numbers lead to what you just saw, you’re having arguments about what’s what,” he said, adding, “If we can make it something simple and easy to understand, like a simple metric that says, ‘Am I getting worse today, am I getting better?’ that’s much more useful.”
Still, when doubt about the data prevents action on accurate threat intelligence, some have found even more innovative solutions.
“I found that my staff operated better if I just pulled the plug out of the wall,” Schmidle said.