DHS hacks businesses for free to test cybersecurity

The Department of Homeland Security (DHS) is peppering U.S. businesses — mostly banks and energy firms — with cyberattacks to test their digital defenses.

The little-known program, offered to companies free of charge, is part of an ongoing effort to help critical infrastructure companies bolster their cybersecurity.

Independent security journalist Brian Krebs first reported on the program, known as National Cybersecurity Assessment and Technical Services (NCATS). He reported that many in the private sector had never heard of NCATS.

But the program is no secret.

According to the DHS website, “NCATS provides an objective third-party perspective on the current cybersecurity posture of the stakeholder’s unclassified operational/business networks.”

The agency’s site also mentions that the service is free.

“NCATS security services are available at no-cost to stakeholders and can range from one day to two weeks depending on the security services required,” it says.

NCATS is mainly composed of two programs. One, known as Cyber Hygiene, is an automated scan of a company’s network to suss out any known vulnerabilities. Another, called the Risk and Vulnerability Assessment (RVA), loans companies four to five security experts for a two-week period during which they conduct onsite assessments, launch targeted trial attacks and test incident response plans.

The RVA program also orchestrates a spear phishing campaign on employees to see how often they fall for the fraudulent emails that attempt to lure people into clicking on a malicious link or attachment.

An NCATS report from the 2014 fiscal year found that one quarter of employees were duped.

“The Department of Homeland Security (DHS) works closely with public and private sector partners to strengthen the security and resilience of their systems against evolving threats in cyberspace,” said DHS spokesperson Sy Lee in an email.

NCATS, Lee added, “focuses on proactively engaging with federal, state, local, tribal, territorial and private sector stakeholders to assist them in improving their cybersecurity posture, limit exposure to risks and threats, and reduce rates of exploitation.”

Krebs reported that NCATS had provided its services to 53 companies in 2015.

Government and lawmakers have been searching for ways to bolster cyber defenses within the critical infrastructure sectors, generally defined as the industries vital to maintaining the necessary networks in the U.S. That includes power grid companies, emergency services, financial services and communications providers, among others.

Researchers and top intelligence officials have warned that many of these industries are dangerously lagging in cybersecurity, leaving critical services exposed to hackers.

National Security Agency Director Adm. Michael Rogers recently told Congress that, on a scale of 1 to 10, the U.S. was at a “5 or 6” in its preparedness to defend its critical infrastructure against a major cyberattack.

The Senate in October passed a cybersecurity bill, known as the Cybersecurity Information Sharing Act, which would encourage businesses to share more data on hacking threats with the government.

The bill also includes a clause that would require DHS to assess the cybersecurity readiness at roughly 65 companies behind the nation’s infrastructure, and develop a plan for preventing a “catastrophic” cyberattack.

It’s not clear whether this provision will make it into the final bill, which is currently being hammered out in a conference with the House. The lower chamber passed its companion cybersecurity bills in April.