Since 2014, the Department of Homeland Security (“DHS”) has been conducting tests on U.S. companies as part of a program aimed at decreasing the United States’ overall susceptibility to cyber threats and impacts.
This program is operated by the National Cybersecurity Assessment and Technical Services (“NCATS”) team, which delivers proactive cyber security prevention, protection, and response services. According to the DHS website, NCATS “provides an objective third-party perspective on the current cybersecurity posture of the stakeholder’s unclassified operational/business networks.”
NCATS services are offered free of charge and initially were limited to government organizations. However, DHS later expanded the program’s scope to include private sector organizations representing critical infrastructure sectors. According to KrebsOnSecurity, in fiscal year 2015, NCATS provided support to 53 private sector partners, primarily in the energy and financial services industries. DHS has published some information on the NCATS program, including a 2014 Year-End Engagement Report and an NCATS fact sheet.
NCATS is primarily composed of two programs: Risk and Vulnerability Assessments (“RVA”) and Cyber Hygiene. Under the RVA program, DHS provides companies with security experts who conduct online assessments, launch targeted trial attacks, and test incident response plans. The RVA program’s main goals are to “help secure individual stakeholders against known vulnerabilities and threats by providing mitigation strategies to reduce risk” and to “aggregate vulnerability data so policy makers can make informed decisions regarding the security and safety of information systems.”
The Cyber Hygiene program monitors a company’s publicly accessible cyber assets, networks, and systems, and “focuses on the general health and wellness of the cyber perimeter by assessing Internet accessible systems for known vulnerabilities and configuration errors on a persistent basis.” According to DHS, benefits of the Cyber Hygiene program include third-party review, no-cost scanning services, reduced risk, a view of how the assessed network appears to an attacker, and actionable data for quick mitigation/results.
Both the RVA and Cyber Hygiene programs are designed to help businesses or organizations see how their systems and infrastructure appear to hackers. However, questions remain as to whether these programs help or hurt security, which may depend on the existing level of sophistication of the organization. For small organizations without ample resources, the DHS programs could provide valuable resources to better identify weaknesses and mitigate common risks. Of course, to be effective, even these companies will need to invest in the changes necessary to address any vulnerabilities (and continue to monitor for new ones). However, if a company has a robust cybersecurity program, the penetration testing may not be such a good idea. Cybersecurity depends on hackers not gaining access to system details, such as configuration and settings, which would be acquired with participation in this program. It is not certain whether details from an RVA or Cyber Hygiene test will produce non-public information and how this information will be protected. Likewise, unlike an internally managed program, there is no means to involve counsel and assert the attorney-client privilege. The misunderstandings caused by false positives have in turn caused companies to endure grief and closer scrutiny from regulators, plaintiffs’ counsel, and other third parties. Without some safe harbor, the risks of participation could be great. Finally, it is expected that many companies already include such measures in their information security programs. Indeed, these same risks of involvement may even discourage smaller companies from voluntarily engaging in such system reviews.
These programs are just one way DHS seeks to fulfill its responsibility of protecting the United States’ critical infrastructure from physical and cyber threats. DHS also provides other cyber security tools, information, and guidance on its website. In addition, the government and lawmakers continue searching for other ways to bolster the nation’s cybersecurity. Last October, the Senate passed the Cybersecurity Information Sharing Act, which was enacted into law as part of the omnibus spending measure passed by Congress and approved by President Obama in December. As long as an adversarial enforcement environment persists, the full efficacy of such efforts unfortunately will not be realized.
Troutman Sanders LLP has extensive experience in helping businesses understand, prepare for, and respond to cyber attacks.