The Register reports on a recent and pretty embarrassing Department of Homeland Security IT security audit:
The report also scolds DHS for continuing to use unsupported operating systems. DHS, the Coast Guard, and the Secret Service were all found to be using Windows Server 2003 after Microsoft’s July 2015 discontinuation of support.
The OIG also noted that Windows workstations at DHS, the Federal Emergency Management Agency (FEMA), and the Coast Guard were missing a variety of patches.
“Windows 2008 and 2012 operating systems were missing security patches for Oracle Java, an unsupported version of Internet Explorer, and a vulnerable version of Microsoft’s Sidebar and Gadgets applications,” the report says. “Some of the missing security patches dated back to July 2013.”
A number of Windows 8.1 and Windows 7 workstations were missing key security patches, including the WannaCry fix, various browser updates, and patches for Adobe Flash, Shockwave, and Acrobat flaws.
The report concludes that the observed deficiencies run contrary to the President’s Cybersecurity Executive Order and demonstrate the need for stronger security oversight.
Unfortunate, yet likely: these agencies rely on legacy code that requires these extremely dated operating systems. Welcome to the wonderful world of government contracting, where there are a lot of custom-built applications running in extremely insecure environments. The question: are these vulnerabilities an acceptable risk required to complete the mission?
Since Russian hackers breached the computers of the Democratic National Committee last summer, federal officials have been practically pleading with states and localities to take the free help the U.S. government offers, including scans of state and local computer networks to check for security weaknesses or signs that hackers may have already gotten in.
This election cycle has drawn more attention than any other to the threat of hackers changing votes and sowing chaos and confusion, and claims of rigged elections—by computerized or other means. Nearly two dozen states have seen their voter registration files probed. And following a major cyber attack last month that disrupted core components of the internet, experts are concerned that such denial of service attacks on Election Day could make it difficult for people to find their polling location or for precincts to transmit voting results.
This year has seen more cyber activity than any presidential election cycle in the past. Expect this to increase in the future, especially as we come to rely more on the internet to locate polling stations, find out how to vote, and even submit the votes themselves. If you think things are scary today, just wait until the 2020 election.
The White House has come up with a severity scheme ranging from Level Zero for an inconsequential event to Level 5 for an emergency — or an attack that poses an “imminent threat” to critical systems such as the power grid, federal government stability or people’s lives. Level 2 is reserved for an incident that may affect public safety or national security. Level 3 moves into the realm of significant, for high-severity events that are likely to have a “demonstrable” impact on public safety or national security.
There has been no known incident that would be considered a Level 5, senior officials said. The suspected Russian cyberattack on Ukraine’s electric grid in December that caused widespread power outages probably would have been a Level 4 — a “severe” event that likely would result in “significant” harm to public safety or national security — if it had happened in the United States, the official said.
A level indicator sounds easy for the layman to comprehend, but it is likely far too onerous for practitioners, who have to determine which level is appropriate for a given incident.
The Department of Homeland Security is likely to expand its role and profile as the lead agency in the federal government for cybersecurity. A bill approved by the House Homeland Security Committee could create a new DHS cyber defense agency that would be called the Cybersecurity and Infrastructure Protection Agency. The transformation would reorganize and optimize key cybersecurity roles and functions currently in DHS’s National Protection and Programs Directorate. The change may take place as early as 2017 as it has strong bipartisan support.
The prospective agency would replace NPPD and put a stronger focus on DHS’s integral role in cyber preparedness, response and resilience. More importantly, it would reorganize the agency into an operational role to help protect against targeted cyber intrusions of the nation’s critical infrastructure, such as financial systems, chemical plants, water and electric utilities, hospitals, communication networks, commercial and critical manufacturing, pipelines, shipping, dams, bridges, highways and buildings.
The technology powering the devices potentially could identify the user’s walking style, for example. Officials would be alerted if the gait does not match the authorized user’s walk – a red flag the phone might have fallen into the wrong hands, officials said.
The “secret sauce” of the mobile device is a so-called neuromorphic computer chip that simulates human learning, Vincent Sritapan, the program manager for DHS’ mobile device security program, told Nextgov.
Gait recognition — driven by the phone’s accelerometer, GPS and the chip — is but one of many kinds of continuous ID verification intended to tighten access controls on mobile devices.
Boeing and HRL Laboratories, a software firm jointly owned by Boeing and General Motors, are partnering under a DHS project worth $2.2 million over 2.5 years.
The companies “pretty much are leveraging user behavior information” from data gathered by sensors found on any standard consumer smartphone, Sritapan said. Those feelers could include microphones, cameras and touchpads, he added. The artificial intelligence could help agencies determine, “Are you who you say you are, and do we give you access to enterprise resources like email?” he said.
“The department has persisted in its ‘go it alone’ mentality and has ignored Congress’ requests for information despite a record that demonstrates its need for oversight and accountability,” added Rep. John Ratcliffe (R-Texas), who chairs the panel’s subcommittee on cybersecurity, infrastructure protection and security technologies.
The DHS has played an increasingly important role in the government’s cybersecurity effort over the last year.
Congress late last year passed a series of bills that strengthened the agency’s cyber workforce and codified certain aspects of the DHS cybersecurity mission.
Lawmakers are currently considering more bills that would further clarify the agency’s cyber role while strengthening its authority to proactively investigate and defend federal networks across the government.
The House Homeland Security Committee is also drafting a bill that would transform the NPPD.
McCaul said the committee would soon hold hearings as lawmakers work to draft the legislation.
“We welcome the department’s input and look forward to working closely with them on streamlining NPPD’s structure,” he said.
The committee’s bill would rename the NPPD to Cybersecurity and Infrastructure Protection. It would also create two positions to oversee the new wing: a deputy undersecretary for cybersecurity and a deputy undersecretary for infrastructure protection.
As the public notice makes clear, however, DHS still isn’t sure how best to oversee the government’s response to cyberattacks, which have multiplied in recent years. Among the best-known examples are the late 2014 attack on Sony Pictures Entertainment and the 2014-2015 breach at the Office of Personnel Management (OPM).
The new cyber subcommittee will be responsible for determining the government’s readiness to “meet the emerging cyber threat” and offering guidance on “building cross-sector capabilities to rapidly restore critical functions and services following a significant cyber event,” the notice says.
It’s likely that the subcommittee’s work will include assessing the viability of cyber counterattacks, a suggestion put forth by leading Republicans in the wake of the OPM hack. The Obama administration has been reticent to deploy its considerable cyber tools offensively, although the president did say after the Sony hack that the U.S. would respond “proportionally” and “in a place and time and manner that we choose.”
Andy Ozment, currently the assistant secretary of the DHS Office of Cybersecurity and Communication, will assume the top role. John Felker will run day-to-day operations, moving over from a senior private sector cyber position at HP Enterprise Services.
The DHS cyber center — known as the National Cybersecurity and Communications Integration Center (NCCIC) — is the government’s main intake facility for private sector cyber threat information. The center analyzes the data, dishing out warnings and advice to other government agencies, as well as to private companies.
“Dr. Ozment and Mr. Felker will provide a combination of operational experience, leadership, and strategic insight needed to take the NCCIC to the next level for our cybersecurity,” Homeland Security Secretary Jeh Johnson said in a statement.
Sounds like a wonderful, much needed addition to the DHS cyber security team.
A threat analyst who helped establish US-CERT criticized the alert’s paucity of information on what infected computer systems look like.
DHS would not comment on whether there is any relationship between the advisory for federal offices and private companies and the apparent military data breach. A DHS spokesman said Friday he had no comment regarding the Joint Staff incident, in general.
FBI officials, as of Friday late afternoon, had no information to offer about the Joint Staff situation.
The warning said some of the spearphishing emails are tailored to copy sensitive government and business information. Others can roil an organization’s entire network.
“US-CERT is aware of three phishing campaigns targeting U.S. government agencies and private organizations across multiple sectors,” DHS officials said in the notice, which posted Aug.1. “Most of the websites involved are legitimate corporate or organizational sites that were compromised” by the attackers.
Over the past two months, there have been reports of “multiple, ongoing and likely evolving” attacks that unfold when an employee clicks a link to a website in the email, according to US-CERT.
Why did it take days after the attack discovery for DHS CERT to warn US government agencies? I expect hours at the most, not days.
What do numerous privacy groups, civil liberties organizations, open government advocates, free market proponents, technologists, and the Department of Homeland Security have in common? Deep concern about the Cybersecurity Information Sharing Act, or “CISA,” a bill expected to come to a vote this week in the Senate.
As we’ve said before, CISA is the latest attempt to pass a bill that would give companies broad legal protections when they share personal information with the government and then allow the government to use that information for surveillance.
Now even DHS is joining the chorus of experts who agree that CISA is terrible. In a letter responding to questions from Sen. Al Franken (D-Minn.), DHS warned of the ways CISA could harm privacy and increase “complexity and difficulty” in responding to cybersecurity threats. In fact, the letter confirmed virtually all of our concerns about the bill:
CISA won’t improve cybersecurity
DHS already has a central hub created to promote sharing of cyber threats between private industry and the government. CISA would make this system less effective.
Because CISA bypasses all privacy laws and allows companies to share cyber threat information, which could include personal data and communications, with “any federal entity,” it would actually make the job of keeping track of real cyber threats difficult. CISA would “limit the ability of DHS to connect the dots and proactively recognize emerging risks,” according to the letter.
Add this to the already overwhelming evidence that CISA makes Americans’ online data less secure by making the government an even more tempting target for hackers.
“US-CERT is aware of phishing campaigns masquerading as emails from the Office of Personnel Management (OPM) or the identity protection firm CSID. For those affected by the recent data breach, the legitimate domain used for accessing identity protection services is https://opm.csid.com,” yesterday’s advisory states.
Those two sentences are the extent of the government’s description of the schemes.
Analysts say the threat could be a broad-brush campaign spamming people who have dot-gov email addresses or people identified as government workers on mailing lists. The phishing emails then bait them to reply with personal information or visit a website that steals their credentials.
“It would be pretty easy to target these emails to dot-gov email addresses,” said Johannes Ullrich, dean of research at the SANS Technology Institute, a cybersecurity training center.
It’s unclear whether ID thieves are preying on feds fearful that they have been victimized by the OPM breach or whether the OPM cyberspies are at it again.
“Could be either,” Ullrich said. “But more likely ID thieves.”
It was only a matter of time before this happened.
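The advisory above gives defenders exactly one hard fact to work with: the legitimate identity-protection service lives at https://opm.csid.com. The following is an added example (not from the advisory or any DHS tool) of a link-triage check that uses that fact: it classifies each link in a suspect message as pointing at the legitimate host, at a lookalike that reuses the OPM/CSID brand labels, or somewhere unrelated. The brand labels, the verdict names and the sample email are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Legitimate host named in the US-CERT advisory quoted above.
LEGIT_HOST = "opm.csid.com"
# Brand labels a lookalike domain would try to reuse (assumption for this example).
BRAND_LABELS = ("opm", "csid")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def classify_link(url: str, legit_host: str = LEGIT_HOST) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one http(s) URL."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"
    # The exact host, or a subdomain of it, is under the legitimate owner's
    # control. The real service is served over HTTPS, so a plain-http link to
    # the same host is still treated as suspect.
    if host == legit_host or host.endswith("." + legit_host):
        return "legitimate" if parsed.scheme.lower() == "https" else "lookalike"
    # Split the whole netloc (not only the hostname) so that userinfo tricks such
    # as https://opm.csid.com@evil.example are caught along with opm-csid.com
    # and opm.csid.com.evil.example.
    labels = re.split(r"[.\-@:]", parsed.netloc.lower())
    if any(brand in labels for brand in BRAND_LABELS):
        return "lookalike"
    return "unrelated"


def triage_email(body: str, legit_host: str = LEGIT_HOST) -> dict:
    """Map every http(s) link found in an email body to its verdict."""
    links = [u.rstrip(".,;:)") for u in URL_RE.findall(body)]
    return {u: classify_link(u, legit_host) for u in links}


# Constructed sample message for illustration (not a real phishing email).
SAMPLE_EMAIL = """\
From: "OPM Identity Protection" <noreply@opm-csid.com>
Subject: Action required: confirm your identity protection enrollment

Your records were included in the recent OPM data breach. Confirm your
enrollment within 24 hours at https://opm.csid.com.verify-enroll.example/login
or log in directly at http://opm.csid.com/.
For general guidance see https://www.dhs.gov/.
"""

if __name__ == "__main__":
    for link, verdict in triage_email(SAMPLE_EMAIL).items():
        print(f"{verdict:11} {link}")
```

The check deliberately compares whole DNS labels rather than substrings, so a host such as developmental.example is not flagged for containing “opm”; the trade-off is that a legitimate third-party host that shares a brand label has to be added to the allow-list explicitly.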
A cyber repository, according to the white paper, would share information between sectors “about the financial and operational impacts of cyber events, the effectiveness of existing cyber risk controls in addressing them and the new kinds of products and services that cybersecurity solutions providers should develop.”
DHS’ National Protection and Programs Directorate established the “Cyber Incident Data and Analysis Working Group” to determine the value of such a repository and how to incentivize participation in the repository, among other logistical details. The group includes chief information security officers, academic experts and cyber professionals. Their opinions are outlined in the white paper.
Other potential benefits of a cyber repository include helping companies assess how their cyber precautions measure up to their peers, which could “help propel internal discussions about an organization’s cyber risk.”
Several working group participants “asserted that if a company discovers that it falls in the bottom 50 percent as compared to its peers when it comes to cyber risk preparedness, that knowledge could motivate the company to increase its cybersecurity budget and related mitigation efforts,” according to the paper. But some claimed “that they have only limited knowledge about what their peers are doing regarding the implementation of cyber risk controls, their scope, and how those controls fit within overall cybersecurity strategies.”
A repository could also help groups in different industries share information about potential future threats, according to DHS.
The key is how motivation plays into the psychology of a system like this proposal. If a company perceives that its counterparts view it as not doing enough, that peer pressure will likely push it to strengthen its capabilities, in turn improving the overall posture of the industry and government.
This is absolutely a good thing. But, will it work?
On February 13, 2015, President Obama signed Executive Order 13691 intended to enable and facilitate “private companies, nonprofit organizations, and executive departments and agencies . . . to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.” The order addresses two concerns the private sector has raised:
How can companies share information if they do not fit neatly into the sector-based structure of the existing Information Sharing and Analysis Centers (ISACs)?
If a group of companies wants to start an information sharing organization, what model should they follow? What are the best practices for such an organization?
ISAOs may allow organizations to robustly participate in DHS information sharing programs even if they do not fit into an existing critical infrastructure sector, seek to collaborate with other companies in different ways (regionally, for example), or lack sufficient resources to share directly with the government. ISAOs may participate in existing DHS cybersecurity information sharing programs and contribute to near-real-time sharing of cyber threat indicators.
This effort supports President Obama’s recent Executive Order 13691, with the goal of creating a public/private information sharing partnership between industry and government. The only way to fight malicious attackers is to share threat data.
Hopefully the government comes to its senses and refrains from classifying every last iota of cyber threat information it touches. Like a young child who can reach the cookie jar when Mom isn’t looking, sadly, I doubt the US government will keep the data unclassified.
CSIS says any cyber threat information sharing effort must build upon existing structures, limit personal information and take advantage of existing peer-to-peer relationships, while also recognizing there is a cost-benefit analysis for these processes and agreements. Nix said part of the reason STIX and TAXII are attractive is that neither specification replaces existing standards; both work within them.
As part of this effort to implement STIX and TAXII, U.S.-CERT will open access to servers running these specifications to promote cyber information sharing with its public and private sector partners.
“We want to set up an environment that is risk rated at the right level to facilitate the sharing of information, but still provides the appropriate levels of confidentiality, integrity and availability controls that would be required for an organization that actually depends on the information,” Nix said. “The idea behind the use of the cloud for the STIX/TAXII server is to enable the access to the information with the appropriate level of control so that organizations can submit information but also can retrieve information that is relevant to them. We want to protect the anonymity of information that is shared from the partners who are actually sharing the information, but also make sure that when we set up the actual information it’s getting back to the people that it needs to.”
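STIX is the format in which the indicators shared through such a server are expressed, and TAXII is the transport. To make that concrete, here is an added example (not DHS or US-CERT code) that builds a minimal STIX Indicator object for a phishing domain like the ones in the OPM/CSID advisory above, wraps it in a bundle, and shows the consuming side pulling the domain back out of the indicator pattern. It assumes the STIX 2.1 JSON serialization, which postdates the article (the 2015-era servers used STIX 1.x XML); the timestamps and domains are constructed for the example.

```python
import json
import re
import uuid

# A fixed, constructed timestamp in the STIX form (RFC 3339 with millisecond precision).
SAMPLE_TS = "2015-07-01T00:00:00.000Z"


def make_indicator(domain: str, created: str = SAMPLE_TS) -> dict:
    """Build a minimal STIX 2.1 Indicator SDO describing one phishing domain.

    The required Indicator fields are type, spec_version, id, created, modified,
    pattern, pattern_type and valid_from; name and indicator_types are optional.
    """
    if "'" in domain or "\\" in domain:
        raise ValueError("domain must not contain quote or backslash characters")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": f"Phishing domain impersonating OPM/CSID: {domain}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{domain}']",
        "pattern_type": "stix",
        "valid_from": created,
    }


def make_bundle(objects: list) -> dict:
    """Wrap SDOs in a STIX 2.1 Bundle, the unit a TAXII server exchanges."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def serialize(bundle: dict) -> str:
    """Serialize a bundle to the JSON text that would be POSTed to a TAXII collection."""
    return json.dumps(bundle, indent=2)


# Consumer side: only the simple single-comparison domain pattern is handled here;
# a full STIX pattern parser is out of scope for this example.
DOMAIN_PATTERN_RE = re.compile(r"\[domain-name:value = '([^']+)'\]")


def extract_domains(bundle_json: str) -> list:
    """Return the domain observables from every STIX-pattern indicator in a bundle."""
    bundle = json.loads(bundle_json)
    domains = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # other SDOs (reports, malware, ...) carry no pattern to match
        match = DOMAIN_PATTERN_RE.fullmatch(obj.get("pattern", ""))
        if match:
            domains.append(match.group(1))
    return domains


if __name__ == "__main__":
    shared = serialize(make_bundle([
        make_indicator("opm-csid.com"),
        make_indicator("opm.csid.com.verify-enroll.example"),
    ]))
    print(shared)
    print("blocklist:", extract_domains(shared))
```

A producer that wants the anonymity Nix describes would omit any organization-identifying fields (the optional created_by_ref, for instance) before submitting the bundle; the consumer never needs them to act on the indicator.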