NCATS is a free service provided by the US DHS

Dec 1, 2015 12:21 GMT  ·  By

The US Department of Homeland Security (DHS) is secretly providing free security audits to companies across the US that actively request it.

The program, called National Cybersecurity Assessment and Technical Services (NCATS), consists of two types of services: a basic vulnerability scan dubbed Cyber Hygiene and a more complex security analysis and penetration-testing service named Risk and Vulnerability Assessment (RVA).

While US firms have known about the DHS' Cyber Hygiene program since 2014, news about the RVA initiative was only brought to light by former Washington Post reporter and current security blogger Brian Krebs.

"The RVA program [...] scans the target’s operating systems, databases, and Web applications for known vulnerabilities," explains Mr. Krebs, "and then tests to see if any of the weaknesses found can be used to successfully compromise the target’s systems."

The Cyber Hygiene program only includes automated scans of a company's IT infrastructure. According to initial reports, the RVA program is carried out by DHS cyber-security experts and also includes manual tests such as "social engineering" attempts against the company's employees.

Both programs, put together, provide a full-on security audit service that theoretically rivals similar services offered by cyber-security vendors from the private sector.

NCATS, a controversy waiting to happen

NCATS itself may soon be under a lot of criticism for various reasons. First, the program is funded by taxpayers and benefits private companies. This argument can be easily dismissed since taxpayers indirectly profit from these security audits.

Secondly, the program may be contested by cyber-security vendors as unfair competition. While there's an argument for both sides, Mr. Krebs explained that the level of detail from a DHS NCATS scan is not up to par with what the private sector can provide, so technically, NCATS is just a cheaper alternative. Think of NCATS as the GIMP image editor and the private security vendors' offering as Photoshop.

Third, and probably the most contested aspect, is how DHS handles the private data of companies it manages to hack. Many can argue that the DHS may refrain from including all security holes in its reports and keep a hidden backdoor for other purposes.

According to a DHS report, 53 US firms used the NCATS free DHS offering in 2014. Most companies were from the financial and energy sectors.