U.S. government cybersecurity
2015-07-22
A key reference document concerning this subject is
Handing Over the Keys to the Castle:
OPM Demonstrates that Antiquated Security Practices Harm National Security
published by the Institute for Critical Infrastructure Technology
on 2015-07-14.
This really is a must-read for those interested in this subject.
It contains the following statement
(emphasis added by the author of the current blog):
to get this point across.
And the White House spokesman has the audacity to claim that
cyber security has been a priority of Obama.
Yeah, right, but well below getting his health care expansion passed
and forcing the military to take homosexuals and the gender insane,
i.e., the agenda of the Democratic Party.
In other words:
Democratic Party agenda #1,
cyber security, who cares?
Am I right or wrong?
By MICHAEL D. SHEAR and NICOLE PERLROTH
New York Times, 2015-07-19
WASHINGTON —
In the month since a devastating computer systems breach at the Office of Personnel Management, digital Swat teams have been racing to plug the most glaring security holes in government computer networks and prevent another embarrassing theft of personal information, financial data and national security secrets.
But senior cybersecurity officials, lawmakers and technology experts said in interviews that the 30-day “cybersprint” ordered by President Obama after the attacks is little more than digital triage on federal computer networks that are cobbled together with out-of-date equipment and defended with the software equivalent of Bubble Wrap.
In an effort to highlight its corrective actions, the White House will announce shortly that teams of federal employees and volunteer hackers have made progress over the last month. At some agencies, 100 percent of users are, for the first time, logging in with two-factor authentication, a basic security feature, officials said. Security holes that have lingered for years despite obvious fixes are being patched. And thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.
But officials and experts acknowledge that the computer networks of many federal agencies remain highly vulnerable to sophisticated cybercriminals, who are often sponsored by other countries. Another breach like the one in June, which exposed information on 21 million people, remains a threat — despite repeated alarms over the years that government computer systems were vulnerable to exactly that kind of attack. Asked in congressional testimony this month to grade the federal government’s cybersecurity efforts on a scale of A to F, a senior government auditor gave the government a D.
Even senior White House officials acknowledge how much remains to be done. “It’s safe to say that federal agencies are not where we want them to be across the board,” Michael Daniel, Mr. Obama’s top cybersecurity adviser, said in an interview. He said the bureaucracy needed a “mind-set shift” that would put computer security at the top of a long list of priorities. “We clearly need to be moving faster.”
Despite high-profile incidents, including the theft of secrets by the national security contractor Edward J. Snowden, many government agencies have demonstrated little commitment to making cybersecurity a priority.
After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks.
As recently as this year, officials showed little urgency in confronting dangers from the bits and bytes flying across their networks.
A January audit of the Federal Aviation Administration cited “significant security control weaknesses” in the agency’s network, “placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.” But that agency had been warned for years that its computer networks were wide open to attack. In 2009, hackers stole personal information for 48,000 agency employees, prompting an investigation that found 763 high-risk vulnerabilities — any one of which, auditors said, could give attackers access to the computers that run the air traffic control system.
This glacial pace of change, former Federal Aviation Administration officials said, was not for their lack of trying. Michael Brown, who served as the agency’s chief information security officer for a decade, called the 2009 episode his “scariest moment” and said he had frequently been frustrated by the government’s failure to address the obvious security holes in the most important networks.
“You come up with binders full of documentation, and then at the end of the day, you don’t have any money to go back and ameliorate,” Mr. Brown said. “The system could be hanging out there for a long time with a vulnerability.”
The story has been much the same at other agencies. At the Department of Energy, after other breaches there, a hacker spent a month stealing personnel records from an unencrypted database in the summer of 2013. By the time Robert F. Brese, the department’s top cybersecurity official, was notified, the hacker had drained 104,000 names, addresses and Social Security numbers from its systems.
“It was just this sickening feeling in my stomach,” Mr. Brese, now a consultant, recalled.
In the days that followed, investigators found numerous holes in the Energy Department’s network that contained sensitive information on nuclear propulsion and critical infrastructure. Government auditors slammed the department for lax security controls, lack of encryption and a failure to patch known vulnerabilities.
And while that could have served as an early warning, the breach was met with a shrug at other agencies. At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency’s networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved.
“That’s been a recurring theme,” said Gregory C. Wilshusen, the Government Accountability Office’s top computer systems investigator. “They believe they’ve taken corrective actions, but when one goes back to check, we find that they haven’t. It just perpetuates the vulnerability and gives I.R.S. a false sense of security.” In May, the agency was forced to concede that hackers had gained access to the tax returns of some 100,000 citizens.
The dangers are accelerating as hackers repeatedly target computer networks used to collect taxes, secure ports and airports, run air traffic control systems, process student loans, oversee the nation’s nuclear stockpile, monitor the Federal Reserve and support the armed services. Last year, officials say, there were more than 67,000 computer-related incidents at federal agencies, up from about 5,000 in 2006.
Officials at all levels may finally be paying attention in the wake of the Office of Personnel Management hacking. Lawmakers are considering legislation to require sharing of information about malicious hacks and to set cybersecurity standards for federal systems.
“This is going to have to be an area of much greater focus,” said Senator Mark R. Warner, Democrat of Virginia, a supporter of the legislation.
Tony Scott, the federal government’s chief information officer, who arrived this year from Microsoft and VMware, vowed to make sure they did.
“I’m not going to let up,” he promised in an interview. “We are going to bring every bit of pressure we can bring.”
Across the government, there is evidence of new anxiety. On the “watch floor” of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, dozens of specialists monitor potential intrusions on government networks. Large screens flash yellow or red to warn of potential surges in network traffic or attempts to breach systems by known hackers.
But the most advanced defenses have yet to be fully installed. Major agencies will not have them for a year, and smaller ones could take longer, officials said. And legal, political and bureaucratic roadblocks still make it difficult for officials to cajole their colleagues to take action quickly.
Department of Homeland Security officials must continually trek to Capitol Hill for approval of the most mundane organizational shifts. “I thought my head would blow off when I had to get approval from people who had no idea what we were doing,” said Mark Weatherford, the former deputy under secretary for cybersecurity at the Department of Homeland Security.
He noted that such bureaucratic obstacles made it difficult for the department to compete in the cutthroat war for talented security specialists. “It takes far too long,” said Mr. Weatherford, now a principal at the Chertoff Group, an advisory firm in Washington. “I can’t tell you how many good people we lost at D.H.S. because they couldn’t wait four to six months for the hiring process.”
The agency has had a hard time competing with the likes of Google, start-ups and other agencies for top talent.
The Office of Personnel Management runs a program
that offers grants to students who specialize in cybersecurity
in exchange for their help defending government networks.
Between 2002 and 2014,
55 of the program’s 1,500 graduates went to work for the Department of Homeland Security,
compared with 407 who worked for the National Security Agency.
Eric Cornelius, an graduate of the program
who served as Homeland Security’s deputy director
and chief technical analyst for its control systems security program,
stayed only 18 months before leaving for Cylance, a security start-up.
He said hiring was only half the problem.
‘The other half of the problem is the need to address firing reform,”
Mr. Cornelius said.
“In my experience, complacency is the enemy of competency.”
[It is hard to avoid reading his statement as an assertion of
a government culture unable to weed out non-performers and incompetents.
Is that the case?]
But Mr. Scott said the sprint was just a prelude to a complete cultural overhaul.
“We need to dramatically change how we’re thinking about this,” he said.
“Just because there’s a sprint doesn’t mean this is the end.”
Nextgov.com,
Before falling victim to the massive breach of federal employee records announced last month,
the Office of Personnel Management’s inspector general had repeatedly raised red flags about the agency’s outdated security practices.
OPM stored most of its data on uncertified systems
and failed to implement multifactor authentication on any of its systems,
which would have made it more difficult for hackers access sensitive data.
But the “greatest failure” at OPM?
That would be the lack of a “comprehensive governing policy” for cybersecurity at the agency
that would have proactively controlled system access
and mandated regular patches and upgrades.
That’s according to the Institute for Critical Infrastructure Technology,
which published an analysis last week of the OPM hack.
Members of the nonprofit say they plan to circulate the 29-page brief,
titled
“Handing Over the Keys to the Castle:
OPM Demonstrated that Antiquated Security Practices Harm National Security,”
on Capitol Hill and among federal chief information officers.
The OPM breach has been the subject of extensive media coverage,
painstakingly describing every detail of the agency’s inadequacies,
proposing mitigation options and attempting to pin down responsibility,
according to the brief.
However,
"very little focus has been dedicated to learning from this calamitous event
and proactively utilizing that information to prevent such occurrences in the future,”
the study stated.
OPM is far from the only agency that has struggled to remediate well-known cybersecurity gaps called out by auditors, according to the report.
For example, the Department of Veterans Affairs has 6,000 outstanding security risks,
and the Transportation Department doesn’t have sufficient system level controls.
“The single most significant recommendation
that agencies like OPM could heed is to
actually listen to the advice of the inspector general
and do everything within their power to meet or exceed regulatory measures,”
the report stated.
Another key takeaway?
Cyberthreats are advancing far faster than the aging security model --
known as defense-in-depth -- agencies rely on.
So-called advanced persistent threats increasingly tailor sophisticated intrusions
to specific victims or organizations.
“Novel malware can bypass detection, avoid run-time analysis and prevent post-incident traces
in a number of ways undetectable to current defense-in-depth norms,”
the report stated.
The report added,
“it is as effective as trying to stop a laser pointer with a chain link fence."
Relying only on antiquated cyber defense systems,
such as firewalls and antivirus programs,
should be replaced by more innovative programs
that can adapt and respond to the specific situation at hand.
The brief recommended agency cyber personnel
institute a user behavioral analytics system,
which creates a baseline profile of a user
and detects and reports anomalous behavior.
Some of the measures agencies need to take now are not all that high tech.
“Training remains the easiest and best strategy
to mitigate adverse effects of the OPM breach
such as insider threats, spear phishing emails,
social engineering or future breaches,”
the report stated.
Although President Barack Obama recently called for a 30-day sprint
to improve governmentwide cybersecurity performance,
it seems unlikely agencies can solve in a month a problem
that’s been festering below the radar for years.
“Without a sudden, significant influx of funding,
most agencies cannot accomplish much within this time constraint,”
the report stated.
by Jack Moore, interviewing U.S. CIO Tony Scott
Nextgov.com, 2015-08-26
Shortly after Tony Scott became the federal government’s chief information officer in February, some of the Obama administration’s keystone tech policies -- including cybersecurity and cloud computing -- “felt like they were languishing a little bit and maybe had lost a sense of urgency,” the former corporate IT executive says.
There had been no shortage of guidance, strategies and memos issued by the Office of Management and Budget.
But particularly with cybersecurity, “What we didn't have was, I think, any kind of good cadence and sort of sense of urgency about that,” Scott said Wednesday during a presentation at the Digital Government Institute’s 930Gov conference. “And so, even prior to OPM, I was thinking about: What are the things that we could do to sort of accelerate our progress on this?"
Scott is referring, of course, to the devastating data breach at the Office of Personnel Management, in which personal information culled from background investigation files of more than 21 million federal employees and contractors was stolen by hackers purportedly as part of a Chinese espionage operation.
Following the breach, Scott’s office ordered a “30-day cybersecurity sprint,” directing agencies to take immediate steps to plug security gaps, an effort that has boosted the use of more secure log-in methods and faster patching of critical vulnerabilities, according to the White House.
...
Overall, the percentage of federal employees required to use a smart card in addition to a password to log on to federal computer networks increased from about 42 percent to more than 72 percent during the time period, according to OMB. Two-factor authentication stats were even higher for privileged users -- those with expanded access to federal networks -- growing from 33 percent to nearly 75 percent.
...
By Jim Sciutto
CNN, 2015-09-01
...
"Individually, the OPM breach and the Ashley Madison breach both present significant dangers to U.S. personnel, including intelligence personnel, but taken together, they really ratchet up the level of harm," said Marc Zwillinger, a lawyer handling data breach and privacy cases. "The OPM breach has confidential information about U.S. personnel and people that have applied for security clearances, and the Ashley Madison breach reveals people's most intimate secrets about the affairs they might be having, and together, it provides a lot of leverage that could be used to blackmail and possibly influence U.S. personnel."
...
However, internal reports have repeatedly found that U.S. government systems remain vulnerable.
Many U.S. government agencies still lack urgency in addressing the problem,
leaving U.S. systems open to further attacks.
[And whose fault is that?
One man's: Barack Obama.
Everyone in his administration serves at the pleasure of the president.
If he wants to get his officials to make cybersecurity a priority,
all he has to do is start firing people who are not performing in that regard.
The message would get across.
As it is, what are the consequences for all those agency chiefs
who fail to bring their IT operations up to a standard
that yields a clean IG annual audit?
What are the consequences for failing, year after year,
to resolve those IG-identified discrepancies?
All Obama has to do is make clear that failing grades from those IG audits
will have real consequences.
As it is, when have you ever heard of an agency head
being fired over cybersecurity failures, other than the OPM Director?
This is clearly Obama's fault, and Obama's responsibility to fix.]
The U.S. official described as "likely" the prospect of additional successful cyberattacks on sensitive U.S. government systems.
"What the OPM breach really revealed is that government cybersecurity isn't even up to the par of the private sector, and the private sector suffers security breaches all the time," said Zwillinger. "So it's a wake-up call both for the government networks and commercial networks."
...
By John Sellers
FCW (Federal Computer Week), 2015-10-02
With the fallout of the data breach at the Office of Personnel Management still in the news cycle, now is a good time for federal organizations to reflect on the state of their own security and the sophistication of their enemies.
There are many security analysts out there who are more than willing to give their two cents on what the OPM did wrong, but we can all agree that the department was woefully ill prepared to address the tactics of their adversary.
The reality is that most attackers are not breaking into networks; they are just logging in. Defenders are waiting for threat actors to hack through the firewall, but it is easier and more effective for attackers to compromise the credentials and access privileges of organization insiders, then operate with all of the privileges of legitimate users. They are turning innocent users into insider threats.
OPM, which handles security clearances and houses sensitive information on millions of current, former and potential government employees, is no exception to this trend. The attackers gained access to the OPM network by compromising and stealing credentials from KeyPoint Government Solutions, a contractor used to conduct background checks. This gave the attackers the insider privileges needed to persist on the OPM network and steal critical information such as Social Security numbers and medical records of federal employees.
The moral of the story is that traditional perimeter security is no longer adequate. Organizations of all kinds need to be prepared to address insider threats, whether it is a malicious employee or their compromised credentials. The attackers will get past the gate eventually. The only way to stop them then is to monitor internal network activity – leaving the threats with no place to hide – and respond to security events before they become breaches.
OPM became a victim because they had minimal internal security. A report from the Inspector General in November 2014 outlined some of the security shortcomings of the office:
Furthermore, the critical data, including Social Security numbers, were not encrypted because it was not feasable on systems as old as OPM's, according to agency CIO Donna Seymour.
Today's advanced threats have adapted to traditional security measures by focusing on compromising legitimate access credentials. If OPM had been prepared to deal with a threat from inside the network, this breach may have been prevented.
What is behind this shift in tactics?
Over the past few decades, organizations have been pumping billions of dollars into strengthening their perimeters and managing vulnerabilities. Meanwhile, the rise of remote access and personal mobile devices have broadened the threat surface and brought more sensitive data in contact with the internet.
Instead of focusing on breaching the perimeter, attackers have just shifted to compromising the human layer, which is more reachable now than ever before. In many organizations, employees have generous access privileges and the ability to log into the network remotely, which means attackers have ample opportunities to utilize compromised credentials. Additionally, personal information about employees is widely accessible via social media sites like Facebook or LinkedIn, which gives attackers better insight into how to fool them.
Here's a hypothetical scenario: An attacker has managed to track down an employee named Mark on social media. Mark likes to talk about his job and his favorite online poker site. The attacker sends Mark an email posing as a representative from the poker site with an attached brochure on new services, complete with malware.
Mark opens the attachment without a second thought, and a few days later
the malware sends keystroke information –
including his VPN login credentials –
back to the attacker.
Now Mark has effectively become an insider threat. Unfortunately, no matter how strong our castle walls are, users who appear legitimate are able to walk right through the front gate.
...
By Mark Rockwell
FCW (Federal Computer Week), 2015-10-02
A new bill in the House would tap the National Institute of Standards and Technology and the Federal Trade Commission to come up with voluntary standards to blunt opportunistic cyber infections on U.S. networks, personal computers and mobile devices.
Rep. Anna Eshoo (D-Calif.), ranking member of the Communications and Technology Subcommittee of the House Energy and Commerce Committee introduced legislation on Oct. 1 aimed at combatting cyberattacks and cybercrime against U.S. computer networks.
Eshoo said in an Oct. 1statement that the Promoting Good Cyber Hygiene Act builds on President Obama's 2013 Executive Order instructing NIST, in consultation with the FTC, to establish voluntary best practices for network security, such as not using a default password and regularly applying software updates.
The bill aims to help network administrators, as well as everyday computer users, plug the most common computer and network infection points that let most conventional cyber thieves steal identities, financial information and more.
Specifically, the legislation would establish a baseline set of voluntary best practices; ensure the practices are reviewed and updated annually; make the established best practices available in a clear and concise manner on a publicly accessible website; and instruct the Department of Homeland Security to study cybersecurity threats relating to mobile devices.
[My comments:
Nothing against this bill, but:
First: Aren't such laundry lists of "best practices" already widely available from NIST, DHS, DOD, all the IGs, etc.?
Second: This is serious business. Why should applying these standards be voluntary?
We have seen how OPM let the complaints of its IG, in its annual FISMA audit,
go ignored for year after year.
In general, FISMA requires annual audits.
Standardizing the criteria for those audits may be a good idea,
but it misses the most important point:
Putting some teeth in those audits.
The man who could have made that happen was Barack Obama.
He is, after all, responsible for the performance of the U.S. government.
He seems more than happy to punish men for what some consider deplorable sexual conduct
(e.g., David Petraeus, various Secret Service agents),
yet, aside from forcing out Katherine Archuleta,
where else has he held someone's feet to the fire
over their failure to upgrade their agencies cybersecurity?
It's his job to care.
And it's the job of Congress and the nation's editorial writers and columnists
to let him know that they care about this issue.
That not just "Black Lives", but also Cybersecurity, Matters.]
...
Newsday, The Associated Press, 2015-10-19 5:37 AM
[It will be interesting to see how the New York Times and Washington Post
play this story.
If I were editor, this would be front page news for sure.
We'll see what they do with it.
Note added 2015-10-20:
Well, after perusing the WP Washington print edition,
I could find no mention of this story.
On the other hand, the front page did have a story about the "right-to-die" in California.
On their web site,
they did publish this story; here is part of its URL
(I've omitted the lengthy hex number in the full URL):
http://www.washingtonpost.com/business/technology/ap-exclusive-under-clinton-states-cybersecurity-suffered/2015/10/19/...story.html
(You can find it by inserting the following line
AP Exclusive: Under Clinton, State’s cybersecurity suffered site:washingtonpost.com
in the search box at news.google.com)
As you can see, the Post filed this under "business/technology"
(the Post web page for the story,
which seems to include the entire AP story verbatim,
has the section heading "Technology").
WTF!
Why was the case of Secret Service agents patronizing prostitutes a NATIONAL story,
and this is only a "business/technology" or "Technology" story???
What a dirtbag newspaper the Post is,
to not recognize that cybersecurity in critical parts of the government,
such as the State Department,
is a vital national interest.
Think they gave this such minor play to help the Hillary Clinton campaign?]
WASHINGTON - The State Department was among the worst agencies in the federal government at protecting its computer networks while Hillary Rodham Clinton was secretary from 2009 to 2013, a situation that continued to deteriorate as John Kerry took office and Russian hackers breached the department's email system, according to independent audits and interviews.
The State Department's compliance with federal cybersecurity standards was below average when Clinton took over but grew worse in each year of her tenure, according to an annual report card compiled by the White House based on audits by agency watchdogs. Network security continued to slip after Kerry replaced Clinton in February 2013, and remains substandard, according to the State Department inspector general.
In each year from 2011 to 2014, the State Department's poor cybersecurity was identified by the inspector general as a "significant deficiency" that put the department's information at risk. The latest assessment is due to be published in a few weeks.
Clinton, the front-runner for the Democratic presidential nomination, has been criticized for her use of a private email server for official business while she was secretary of state. Her private email address also was the recipient of malware linked to Russia, and her server was hit with malware from China, South Korea and Germany. The FBI is investigating whether her home server was breached.
State Department officials don't dispute the compliance shortcomings identified in years of internal audits, but argue that the audits paint a distorted picture of their cybersecurity, which they depict as solid and improving. They strongly disagree with the White House ranking that puts them behind most other government agencies. Senior department officials in charge of cybersecurity would speak only on condition of anonymity.
"We have a strong cybersecurity program, successfully defeating almost 100 percent of the 4 billion attempted intrusions we experience each year," spokesman Mark Toner said.
Two successive inspectors general haven't seen it that way. In December 2013, IG Steve Linick issued a "management alert" warning top State Department officials that their repeated failure to correct cybersecurity holes was putting the department's data at risk.
Based on audits by Linick and his predecessor, Harold Geisel, State scored a 42 out of 100 on the federal government's latest cybersecurity report card, earning far lower marks than the Office of Personnel Management, which suffered a devastating breach last year. State's scores bested only the Department of Health and Human Services and the Department of Housing and Urban Development. State Department officials complain the grades are subjective.
[Really? Sounds like an issue worth exploring, and explaining.]
In late 2014, cyber intruders linked to Russia were able to break into the State Department's email system, infecting it so thoroughly that it had to be cut off from the Internet in March while experts worked to eliminate the infestation.
@Newsday
Clinton approved significant increases in the State Department' information technology budgets while she was secretary, but senior State Department officials say she did not spend much time on the department's cyber vulnerabilities. She was aware of State's technological shortcomings but was focused more on diplomacy, her emails show.
Clinton's campaign staff did not respond to repeated and detailed requests for comment.
Emails released by the State Department from her private server show Clinton and her top aides viewed the department's information technology systems as substandard and worked to avoid them.
"State's technology is so antiquated that NO ONE uses a State-issued laptop and even high officials routinely end up using their home email accounts to be able to get their work done quickly and effectively," top Clinton aide Ann-Marie Slaughter wrote in an email to Clinton on June 3, 2011.
Slaughter suggested that someone write an article to point out the deficiencies, but Clinton aide Cheryl Mills argued that doing so might alert hackers to their use of private email.
[Okay, how about a CLASSIFIED article?
Was even the classified system at risk for hacking?
How about fixing that problem?
Or is that the sort of problem that Democrats really aren't interested in, or able to, fix?]
Under Clinton and Kerry, the State Department's networks were a ripe target for foreign intelligence services, current and former government officials say, echoing the situation at OPM, which last year saw sensitive personnel data on 21 million people stolen by hackers linked to China.
The Russian hackers who broke into State's email system also infiltrated networks at the Defense Department and the White House, officials say, and no clear line can be drawn between their success and State's dismal security record.
But as with OPM, State's inspector general identified many of the same basic cybersecurity shortcomings year after year, and the department failed to correct them, records show.
Officials in the inspector general's office believe the department's cybersecurity shortcomings played a role in the email breach, said two officials familiar with their thinking.
Senior State Department officials disagree. They say the Russian hack was the result of a "well-crafted intelligence operation" designed to look normal to the employee who clicked on the attachment, and it was unrelated to other cybersecurity deficiencies.
No technology can completely thwart the most sophisticated of such hacks, but one official familiar with State's cyber deficiencies argues that the department's sloppy security means officials can't be sure other breaches haven't gone undetected.
State Department officials say that only email was taken in the hack, and that no sensitive databases were breached. The National Security Agency conducted a classified assessment and deemed the breach significant and severe, two officials say. A State Department official said the assessment concluded there was no way to be sure what the hackers accessed.
Those officials, and many others interviewed for this story, declined to be quoted because they were not authorized to address the matter publicly.
Although the hacked email system was unclassified, State Department personnel regularly use it to communicate very sensitive information, some of which is routinely withheld on national security grounds when the emails are made public. It would be valuable intelligence for a foreign adversary, officials say.
Sen. Patrick Leahy, the ranking Democrat on the committee that funds the State Department, is concerned about cybersecurity problems "that have existed for several years," a senior Leahy aide said, speaking on condition of anonymity because he wasn't authorized to discuss the matter publicly.
While many of the details have been blacked out of the audits, the inspector general has criticized State for not implementing an effective risk management program. Without one, "the department cannot prioritize, assess, respond to, and monitor information security risk, which leaves the department vulnerable to attacks and threats," the IG wrote in the latest report, issued last October.
There are also examples of sloppy management. For example, in 2012, the IG reported that of 116,821 unclassified email accounts, 5,717 had not been used, 529 had passwords set not to expire, 19,335 had been set not to require passwords, and 6,269 users had not logged into their accounts between 2005 and 2011. Such a large volume of unattached accounts makes it easier for hackers to co-opt one of them without anyone noticing.
In 2013, an inspection by the IG into State's cybersecurity office — the Bureau of Information Resource Management's Office of Information Assurance — found waste, mismanagement and dysfunction. The office required State Department agencies to fill out paper spreadsheets to track system updates, and was "unable to locate information in a timely manner," the report found.
State Department officials responsible for cybersecurity acknowledged that the department had gotten behind in its compliance with standards in the Federal Information Security Management Act, known as FISMA, which requires, for example, that agency systems be certified as secure. Many of the State Department systems had not been certified for many years. Officials say they have made great strides in the last year.
"FISMA is very important, but it is process-oriented, and compliance is judged on meeting the process," not whether data is actually protected, Toner said.
State Department officials argue that their system for continually monitoring its networks for threats, known as iPost, exceeds FISMA's security standards.
The inspector general and the Government Accountability Office concluded, however, that iPost did not provide a true picture of the risk to State's networks.
[Let's see.
The HHS Obamacare web site debacle.
Hillary's ignorance of, or indifference to,
the risks posed by her use of a private email server.
The State Department's overall deteriorating cybersecurity posture
while Hillary was secretary.
Is there a pattern here?]
by "The Twisted Genius"
Sic Semper Tyrannis (Col. Patrick Lang's blog), 2016-07-25
I was as surprised as most when FBI Director Comey
recommended no charges for Clinton over her email server shenanigans.
...
A key reference document concerning this subject is
Handing Over the Keys to the Castle:
OPM Demonstrates that Antiquated Security Practices Harm National Security
published by the Institute for Critical Infrastructure Technology
on 2015-07-14.
This really is a must-read for those interested in this subject.
It contains the following statement
(emphasis added by the author of the current blog):
“The OPM breach was a wake-up call for the federal communityI am surprised and disgusted that it took the disaster he describes as a "wake-up call"
that they can no longer selectively comply with
the findings of security audits which show security flaws in their network.
If Congress, the Executive Branch and Agencies can come together
to fund and execute a new security paradigm within the government,
we are capable today of preventing these incidents
and protecting our nation from falling victim to these attacks.”
said ICIT Sr. Fellow Parham Eftekhari.
to get this point across.
And the White House spokesman has the audacity to claim that
cyber security has been a priority of Obama.
Yeah, right, but well below getting his health care expansion passed
and forcing the military to take homosexuals and the gender insane,
i.e., the agenda of the Democratic Party.
In other words:
Democratic Party agenda #1,
cyber security, who cares?
Am I right or wrong?
Miscellaneous Articles
2015-07-19-NYT-us-vs-hackers-still-lopsided-despite-years-of-warnings-and-a-recent-push
U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and a Recent PushBy MICHAEL D. SHEAR and NICOLE PERLROTH
New York Times, 2015-07-19
WASHINGTON —
In the month since a devastating computer systems breach at the Office of Personnel Management, digital Swat teams have been racing to plug the most glaring security holes in government computer networks and prevent another embarrassing theft of personal information, financial data and national security secrets.
But senior cybersecurity officials, lawmakers and technology experts said in interviews that the 30-day “cybersprint” ordered by President Obama after the attacks is little more than digital triage on federal computer networks that are cobbled together with out-of-date equipment and defended with the software equivalent of Bubble Wrap.
In an effort to highlight its corrective actions, the White House will announce shortly that teams of federal employees and volunteer hackers have made progress over the last month. At some agencies, 100 percent of users are, for the first time, logging in with two-factor authentication, a basic security feature, officials said. Security holes that have lingered for years despite obvious fixes are being patched. And thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.
But officials and experts acknowledge that the computer networks of many federal agencies remain highly vulnerable to sophisticated cybercriminals, who are often sponsored by other countries. Another breach like the one in June, which exposed information on 21 million people, remains a threat — despite repeated alarms over the years that government computer systems were vulnerable to exactly that kind of attack. Asked in congressional testimony this month to grade the federal government’s cybersecurity efforts on a scale of A to F, a senior government auditor gave the government a D.
Even senior White House officials acknowledge how much remains to be done. “It’s safe to say that federal agencies are not where we want them to be across the board,” Michael Daniel, Mr. Obama’s top cybersecurity adviser, said in an interview. He said the bureaucracy needed a “mind-set shift” that would put computer security at the top of a long list of priorities. “We clearly need to be moving faster.”
Despite high-profile incidents, including the theft of secrets by the national security contractor Edward J. Snowden, many government agencies have demonstrated little commitment to making cybersecurity a priority.
After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks.
As recently as this year, officials showed little urgency in confronting dangers from the bits and bytes flying across their networks.
A January audit of the Federal Aviation Administration cited “significant security control weaknesses” in the agency’s network, “placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.” But that agency had been warned for years that its computer networks were wide open to attack. In 2009, hackers stole personal information for 48,000 agency employees, prompting an investigation that found 763 high-risk vulnerabilities — any one of which, auditors said, could give attackers access to the computers that run the air traffic control system.
This glacial pace of change, former Federal Aviation Administration officials said, was not for their lack of trying. Michael Brown, who served as the agency’s chief information security officer for a decade, called the 2009 episode his “scariest moment” and said he had frequently been frustrated by the government’s failure to address the obvious security holes in the most important networks.
“You come up with binders full of documentation, and then at the end of the day, you don’t have any money to go back and ameliorate,” Mr. Brown said. “The system could be hanging out there for a long time with a vulnerability.”
The story has been much the same at other agencies. At the Department of Energy, after other breaches there, a hacker spent a month stealing personnel records from an unencrypted database in the summer of 2013. By the time Robert F. Brese, the department’s top cybersecurity official, was notified, the hacker had drained 104,000 names, addresses and Social Security numbers from its systems.
“It was just this sickening feeling in my stomach,” Mr. Brese, now a consultant, recalled.
In the days that followed, investigators found numerous holes in the Energy Department’s network that contained sensitive information on nuclear propulsion and critical infrastructure. Government auditors slammed the department for lax security controls, lack of encryption and a failure to patch known vulnerabilities.
And while that could have served as an early warning, the breach was met with a shrug at other agencies. At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency’s networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved.
“That’s been a recurring theme,” said Gregory C. Wilshusen, the Government Accountability Office’s top computer systems investigator. “They believe they’ve taken corrective actions, but when one goes back to check, we find that they haven’t. It just perpetuates the vulnerability and gives I.R.S. a false sense of security.” In May, the agency was forced to concede that hackers had gained access to the tax returns of some 100,000 citizens.
The dangers are accelerating as hackers repeatedly target computer networks used to collect taxes, secure ports and airports, run air traffic control systems, process student loans, oversee the nation’s nuclear stockpile, monitor the Federal Reserve and support the armed services. Last year, officials say, there were more than 67,000 computer-related incidents at federal agencies, up from about 5,000 in 2006.
Officials at all levels may finally be paying attention in the wake of the Office of Personnel Management hacking. Lawmakers are considering legislation to require sharing of information about malicious hacks and to set cybersecurity standards for federal systems.
“This is going to have to be an area of much greater focus,” said Senator Mark R. Warner, Democrat of Virginia, a supporter of the legislation.
Tony Scott, the federal government’s chief information officer, who arrived this year from Microsoft and VMware, vowed to make sure they did.
“I’m not going to let up,” he promised in an interview. “We are going to bring every bit of pressure we can bring.”
Across the government, there is evidence of new anxiety. On the “watch floor” of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, dozens of specialists monitor potential intrusions on government networks. Large screens flash yellow or red to warn of potential surges in network traffic or attempts to breach systems by known hackers.
But the most advanced defenses have yet to be fully installed. Major agencies will not have them for a year, and smaller ones could take longer, officials said. And legal, political and bureaucratic roadblocks still make it difficult for officials to cajole their colleagues to take action quickly.
Department of Homeland Security officials must continually trek to Capitol Hill for approval of the most mundane organizational shifts. “I thought my head would blow off when I had to get approval from people who had no idea what we were doing,” said Mark Weatherford, the former deputy under secretary for cybersecurity at the Department of Homeland Security.
He noted that such bureaucratic obstacles made it difficult for the department to compete in the cutthroat war for talented security specialists. “It takes far too long,” said Mr. Weatherford, now a principal at the Chertoff Group, an advisory firm in Washington. “I can’t tell you how many good people we lost at D.H.S. because they couldn’t wait four to six months for the hiring process.”
The agency has had a hard time competing with the likes of Google, start-ups and other agencies for top talent.
The Office of Personnel Management runs a program
that offers grants to students who specialize in cybersecurity
in exchange for their help defending government networks.
Between 2002 and 2014,
55 of the program’s 1,500 graduates went to work for the Department of Homeland Security,
compared with 407 who worked for the National Security Agency.
Eric Cornelius, an graduate of the program
who served as Homeland Security’s deputy director
and chief technical analyst for its control systems security program,
stayed only 18 months before leaving for Cylance, a security start-up.
He said hiring was only half the problem.
‘The other half of the problem is the need to address firing reform,”
Mr. Cornelius said.
“In my experience, complacency is the enemy of competency.”
[It is hard to avoid reading his statement as an assertion of
a government culture unable to weed out non-performers and incompetents.
Is that the case?]
But Mr. Scott said the sprint was just a prelude to a complete cultural overhaul.
“We need to dramatically change how we’re thinking about this,” he said.
“Just because there’s a sprint doesn’t mean this is the end.”
2015-07-07-21-nextgov-security-experts-point-opms-biggest-cybersecurity-failure
Security Experts Point to OPM’s Biggest Cybersecurity FailureNextgov.com,
Before falling victim to the massive breach of federal employee records announced last month,
the Office of Personnel Management’s inspector general had repeatedly raised red flags about the agency’s outdated security practices.
OPM stored most of its data on uncertified systems
and failed to implement multifactor authentication on any of its systems,
which would have made it more difficult for hackers access sensitive data.
But the “greatest failure” at OPM?
That would be the lack of a “comprehensive governing policy” for cybersecurity at the agency
that would have proactively controlled system access
and mandated regular patches and upgrades.
That’s according to the Institute for Critical Infrastructure Technology,
which published an analysis last week of the OPM hack.
Members of the nonprofit say they plan to circulate the 29-page brief,
titled
“Handing Over the Keys to the Castle:
OPM Demonstrated that Antiquated Security Practices Harm National Security,”
on Capitol Hill and among federal chief information officers.
The OPM breach has been the subject of extensive media coverage,
painstakingly describing every detail of the agency’s inadequacies,
proposing mitigation options and attempting to pin down responsibility,
according to the brief.
However,
"very little focus has been dedicated to learning from this calamitous event
and proactively utilizing that information to prevent such occurrences in the future,”
the study stated.
OPM is far from the only agency that has struggled to remediate well-known cybersecurity gaps called out by auditors, according to the report.
For example, the Department of Veterans Affairs has 6,000 outstanding security risks,
and the Transportation Department doesn’t have sufficient system level controls.
“The single most significant recommendation
that agencies like OPM could heed is to
actually listen to the advice of the inspector general
and do everything within their power to meet or exceed regulatory measures,”
the report stated.
Another key takeaway?
Cyberthreats are advancing far faster than the aging security model --
known as defense-in-depth -- agencies rely on.
So-called advanced persistent threats increasingly tailor sophisticated intrusions
to specific victims or organizations.
“Novel malware can bypass detection, avoid run-time analysis and prevent post-incident traces
in a number of ways undetectable to current defense-in-depth norms,”
the report stated.
The report added,
“it is as effective as trying to stop a laser pointer with a chain link fence."
Relying only on antiquated cyber defense systems,
such as firewalls and antivirus programs,
should be replaced by more innovative programs
that can adapt and respond to the specific situation at hand.
The brief recommended agency cyber personnel
institute a user behavioral analytics system,
which creates a baseline profile of a user
and detects and reports anomalous behavior.
Some of the measures agencies need to take now are not all that high tech.
“Training remains the easiest and best strategy
to mitigate adverse effects of the OPM breach
such as insider threats, spear phishing emails,
social engineering or future breaches,”
the report stated.
Although President Barack Obama recently called for a 30-day sprint
to improve governmentwide cybersecurity performance,
it seems unlikely agencies can solve in a month a problem
that’s been festering below the radar for years.
“Without a sudden, significant influx of funding,
most agencies cannot accomplish much within this time constraint,”
the report stated.
2015-08-26-Nextgov-Tony-Scott-federal-cio-cybersecurity-policies-lacked-urgency-opm-hack
Federal CIO: Cybersecurity Policies Lacked ‘Urgency’ Before OPM Hackby Jack Moore, interviewing U.S. CIO Tony Scott
Nextgov.com, 2015-08-26
Shortly after Tony Scott became the federal government’s chief information officer in February, some of the Obama administration’s keystone tech policies -- including cybersecurity and cloud computing -- “felt like they were languishing a little bit and maybe had lost a sense of urgency,” the former corporate IT executive says.
There had been no shortage of guidance, strategies and memos issued by the Office of Management and Budget.
But particularly with cybersecurity, “What we didn't have was, I think, any kind of good cadence and sort of sense of urgency about that,” Scott said Wednesday during a presentation at the Digital Government Institute’s 930Gov conference. “And so, even prior to OPM, I was thinking about: What are the things that we could do to sort of accelerate our progress on this?"
Scott is referring, of course, to the devastating data breach at the Office of Personnel Management, in which personal information culled from background investigation files of more than 21 million federal employees and contractors was stolen by hackers purportedly as part of a Chinese espionage operation.
Following the breach, Scott’s office ordered a “30-day cybersecurity sprint,” directing agencies to take immediate steps to plug security gaps, an effort that has boosted the use of more secure log-in methods and faster patching of critical vulnerabilities, according to the White House.
...
Overall, the percentage of federal employees required to use a smart card in addition to a password to log on to federal computer networks increased from about 42 percent to more than 72 percent during the time period, according to OMB. Two-factor authentication stats were even higher for privileged users -- those with expanded access to federal networks -- growing from 33 percent to nearly 75 percent.
...
2015-09-01-CNN-china-russia-cyberattacks-military
China, Russia amassing personal info seized in hacks for counter-intelligenceBy Jim Sciutto
CNN, 2015-09-01
...
"Individually, the OPM breach and the Ashley Madison breach both present significant dangers to U.S. personnel, including intelligence personnel, but taken together, they really ratchet up the level of harm," said Marc Zwillinger, a lawyer handling data breach and privacy cases. "The OPM breach has confidential information about U.S. personnel and people that have applied for security clearances, and the Ashley Madison breach reveals people's most intimate secrets about the affairs they might be having, and together, it provides a lot of leverage that could be used to blackmail and possibly influence U.S. personnel."
...
However, internal reports have repeatedly found that U.S. government systems remain vulnerable.
Many U.S. government agencies still lack urgency in addressing the problem,
leaving U.S. systems open to further attacks.
[And whose fault is that?
One man's: Barack Obama.
Everyone in his administration serves at the pleasure of the president.
If he wants to get his officials to make cybersecurity a priority,
all he has to do is start firing people who are not performing in that regard.
The message would get across.
As it is, what are the consequences for all those agency chiefs
who fail to bring their IT operations up to a standard
that yields a clean IG annual audit?
What are the consequences for failing, year after year,
to resolve those IG-identified discrepancies?
All Obama has to do is make clear that failing grades from those IG audits
will have real consequences.
As it is, when have you ever heard of an agency head
being fired over cybersecurity failures, other than the OPM Director?
This is clearly Obama's fault, and Obama's responsibility to fix.]
The U.S. official described as "likely" the prospect of additional successful cyberattacks on sensitive U.S. government systems.
"What the OPM breach really revealed is that government cybersecurity isn't even up to the par of the private sector, and the private sector suffers security breaches all the time," said Zwillinger. "So it's a wake-up call both for the government networks and commercial networks."
...
2015-10-02-FCW-sellers-insider-threat
Every threat is an insider threatBy John Sellers
FCW (Federal Computer Week), 2015-10-02
With the fallout of the data breach at the Office of Personnel Management still in the news cycle, now is a good time for federal organizations to reflect on the state of their own security and the sophistication of their enemies.
There are many security analysts out there who are more than willing to give their two cents on what the OPM did wrong, but we can all agree that the department was woefully ill prepared to address the tactics of their adversary.
The reality is that most attackers are not breaking into networks; they are just logging in. Defenders are waiting for threat actors to hack through the firewall, but it is easier and more effective for attackers to compromise the credentials and access privileges of organization insiders, then operate with all of the privileges of legitimate users. They are turning innocent users into insider threats.
OPM, which handles security clearances and houses sensitive information on millions of current, former and potential government employees, is no exception to this trend. The attackers gained access to the OPM network by compromising and stealing credentials from KeyPoint Government Solutions, a contractor used to conduct background checks. This gave the attackers the insider privileges needed to persist on the OPM network and steal critical information such as Social Security numbers and medical records of federal employees.
The moral of the story is that traditional perimeter security is no longer adequate. Organizations of all kinds need to be prepared to address insider threats, whether it is a malicious employee or their compromised credentials. The attackers will get past the gate eventually. The only way to stop them then is to monitor internal network activity – leaving the threats with no place to hide – and respond to security events before they become breaches.
OPM became a victim because they had minimal internal security. A report from the Inspector General in November 2014 outlined some of the security shortcomings of the office:
- There was no comprehensive and maintained list of servers, databases and network devices.
- Not all OPM systems were adequately monitored.
- Multi-factor authentication was not required to access OPM systems.
Furthermore, the critical data, including Social Security numbers, were not encrypted because it was not feasable on systems as old as OPM's, according to agency CIO Donna Seymour.
Today's advanced threats have adapted to traditional security measures by focusing on compromising legitimate access credentials. If OPM had been prepared to deal with a threat from inside the network, this breach may have been prevented.
What is behind this shift in tactics?
Over the past few decades, organizations have been pumping billions of dollars into strengthening their perimeters and managing vulnerabilities. Meanwhile, the rise of remote access and personal mobile devices have broadened the threat surface and brought more sensitive data in contact with the internet.
Instead of focusing on breaching the perimeter, attackers have just shifted to compromising the human layer, which is more reachable now than ever before. In many organizations, employees have generous access privileges and the ability to log into the network remotely, which means attackers have ample opportunities to utilize compromised credentials. Additionally, personal information about employees is widely accessible via social media sites like Facebook or LinkedIn, which gives attackers better insight into how to fool them.
Here's a hypothetical scenario: An attacker has managed to track down an employee named Mark on social media. Mark likes to talk about his job and his favorite online poker site. The attacker sends Mark an email posing as a representative from the poker site with an attached brochure on new services, complete with malware.
Mark opens the attachment without a second thought, and a few days later
the malware sends keystroke information –
including his VPN login credentials –
back to the attacker.
Now Mark has effectively become an insider threat. Unfortunately, no matter how strong our castle walls are, users who appear legitimate are able to walk right through the front gate.
...
2015-10-02-FCW-cyber-house-eshoo-bill
New bill looks to NIST, FTC for cyber hygieneBy Mark Rockwell
FCW (Federal Computer Week), 2015-10-02
A new bill in the House would tap the National Institute of Standards and Technology and the Federal Trade Commission to come up with voluntary standards to blunt opportunistic cyber infections on U.S. networks, personal computers and mobile devices.
Rep. Anna Eshoo (D-Calif.), ranking member of the Communications and Technology Subcommittee of the House Energy and Commerce Committee introduced legislation on Oct. 1 aimed at combatting cyberattacks and cybercrime against U.S. computer networks.
Eshoo said in an Oct. 1statement that the Promoting Good Cyber Hygiene Act builds on President Obama's 2013 Executive Order instructing NIST, in consultation with the FTC, to establish voluntary best practices for network security, such as not using a default password and regularly applying software updates.
The bill aims to help network administrators, as well as everyday computer users, plug the most common computer and network infection points that let most conventional cyber thieves steal identities, financial information and more.
Specifically, the legislation would establish a baseline set of voluntary best practices; ensure the practices are reviewed and updated annually; make the established best practices available in a clear and concise manner on a publicly accessible website; and instruct the Department of Homeland Security to study cybersecurity threats relating to mobile devices.
[My comments:
Nothing against this bill, but:
First: Aren't such laundry lists of "best practices" already widely available from NIST, DHS, DOD, all the IGs, etc.?
Second: This is serious business. Why should applying these standards be voluntary?
We have seen how OPM let the complaints of its IG, in its annual FISMA audit,
go ignored for year after year.
In general, FISMA requires annual audits.
Standardizing the criteria for those audits may be a good idea,
but it misses the most important point:
Putting some teeth in those audits.
The man who could have made that happen was Barack Obama.
He is, after all, responsible for the performance of the U.S. government.
He seems more than happy to punish men for what some consider deplorable sexual conduct
(e.g., David Petraeus, various Secret Service agents),
yet, aside from forcing out Katherine Archuleta,
where else has he held someone's feet to the fire
over their failure to upgrade their agencies cybersecurity?
It's his job to care.
And it's the job of Congress and the nation's editorial writers and columnists
to let him know that they care about this issue.
That not just "Black Lives", but also Cybersecurity, Matters.]
...
2015-10-19-Associated-Press-hillary-clinton-s-state-department-grew-more-vulnerable-to-hackers-audit-says
Under Clinton, State Department among worst agencies to protect computer networks, audits findNewsday, The Associated Press, 2015-10-19 5:37 AM
[It will be interesting to see how the New York Times and Washington Post
play this story.
If I were editor, this would be front page news for sure.
We'll see what they do with it.
Note added 2015-10-20:
Well, after perusing the WP Washington print edition,
I could find no mention of this story.
On the other hand, the front page did have a story about the "right-to-die" in California.
On their web site,
they did publish this story; here is part of its URL
(I've omitted the lengthy hex number in the full URL):
http://www.washingtonpost.com/business/technology/ap-exclusive-under-clinton-states-cybersecurity-suffered/2015/10/19/...story.html
(You can find it by inserting the following line
AP Exclusive: Under Clinton, State’s cybersecurity suffered site:washingtonpost.com
in the search box at news.google.com)
As you can see, the Post filed this under "business/technology"
(the Post web page for the story,
which seems to include the entire AP story verbatim,
has the section heading "Technology").
WTF!
Why was the case of Secret Service agents patronizing prostitutes a NATIONAL story,
and this is only a "business/technology" or "Technology" story???
What a dirtbag newspaper the Post is,
to not recognize that cybersecurity in critical parts of the government,
such as the State Department,
is a vital national interest.
Think they gave this such minor play to help the Hillary Clinton campaign?]
WASHINGTON - The State Department was among the worst agencies in the federal government at protecting its computer networks while Hillary Rodham Clinton was secretary from 2009 to 2013, a situation that continued to deteriorate as John Kerry took office and Russian hackers breached the department's email system, according to independent audits and interviews.
The State Department's compliance with federal cybersecurity standards was below average when Clinton took over but grew worse in each year of her tenure, according to an annual report card compiled by the White House based on audits by agency watchdogs. Network security continued to slip after Kerry replaced Clinton in February 2013, and remains substandard, according to the State Department inspector general.
In each year from 2011 to 2014, the State Department's poor cybersecurity was identified by the inspector general as a "significant deficiency" that put the department's information at risk. The latest assessment is due to be published in a few weeks.
Clinton, the front-runner for the Democratic presidential nomination, has been criticized for her use of a private email server for official business while she was secretary of state. Her private email address also was the recipient of malware linked to Russia, and her server was hit with malware from China, South Korea and Germany. The FBI is investigating whether her home server was breached.
State Department officials don't dispute the compliance shortcomings identified in years of internal audits, but argue that the audits paint a distorted picture of their cybersecurity, which they depict as solid and improving. They strongly disagree with the White House ranking that puts them behind most other government agencies. Senior department officials in charge of cybersecurity would speak only on condition of anonymity.
"We have a strong cybersecurity program, successfully defeating almost 100 percent of the 4 billion attempted intrusions we experience each year," spokesman Mark Toner said.
Two successive inspectors general haven't seen it that way. In December 2013, IG Steve Linick issued a "management alert" warning top State Department officials that their repeated failure to correct cybersecurity holes was putting the department's data at risk.
Based on audits by Linick and his predecessor, Harold Geisel, State scored a 42 out of 100 on the federal government's latest cybersecurity report card, earning far lower marks than the Office of Personnel Management, which suffered a devastating breach last year. State's scores bested only the Department of Health and Human Services and the Department of Housing and Urban Development. State Department officials complain the grades are subjective.
[Really? Sounds like an issue worth exploring, and explaining.]
In late 2014, cyber intruders linked to Russia were able to break into the State Department's email system, infecting it so thoroughly that it had to be cut off from the Internet in March while experts worked to eliminate the infestation.
@Newsday
Clinton approved significant increases in the State Department' information technology budgets while she was secretary, but senior State Department officials say she did not spend much time on the department's cyber vulnerabilities. She was aware of State's technological shortcomings but was focused more on diplomacy, her emails show.
Clinton's campaign staff did not respond to repeated and detailed requests for comment.
Emails released by the State Department from her private server show Clinton and her top aides viewed the department's information technology systems as substandard and worked to avoid them.
"State's technology is so antiquated that NO ONE uses a State-issued laptop and even high officials routinely end up using their home email accounts to be able to get their work done quickly and effectively," top Clinton aide Ann-Marie Slaughter wrote in an email to Clinton on June 3, 2011.
Slaughter suggested that someone write an article to point out the deficiencies, but Clinton aide Cheryl Mills argued that doing so might alert hackers to their use of private email.
[Okay, how about a CLASSIFIED article?
Was even the classified system at risk for hacking?
How about fixing that problem?
Or is that the sort of problem that Democrats really aren't interested in, or able to, fix?]
Under Clinton and Kerry, the State Department's networks were a ripe target for foreign intelligence services, current and former government officials say, echoing the situation at OPM, which last year saw sensitive personnel data on 21 million people stolen by hackers linked to China.
The Russian hackers who broke into State's email system also infiltrated networks at the Defense Department and the White House, officials say, and no clear line can be drawn between their success and State's dismal security record.
But as with OPM, State's inspector general identified many of the same basic cybersecurity shortcomings year after year, and the department failed to correct them, records show.
Officials in the inspector general's office believe the department's cybersecurity shortcomings played a role in the email breach, said two officials familiar with their thinking.
Senior State Department officials disagree. They say the Russian hack was the result of a "well-crafted intelligence operation" designed to look normal to the employee who clicked on the attachment, and it was unrelated to other cybersecurity deficiencies.
No technology can completely thwart the most sophisticated of such hacks, but one official familiar with State's cyber deficiencies argues that the department's sloppy security means officials can't be sure other breaches haven't gone undetected.
State Department officials say that only email was taken in the hack, and that no sensitive databases were breached. The National Security Agency conducted a classified assessment and deemed the breach significant and severe, two officials say. A State Department official said the assessment concluded there was no way to be sure what the hackers accessed.
Those officials, and many others interviewed for this story, declined to be quoted because they were not authorized to address the matter publicly.
Although the hacked email system was unclassified, State Department personnel regularly use it to communicate very sensitive information, some of which is routinely withheld on national security grounds when the emails are made public. It would be valuable intelligence for a foreign adversary, officials say.
Sen. Patrick Leahy, the ranking Democrat on the committee that funds the State Department, is concerned about cybersecurity problems "that have existed for several years," a senior Leahy aide said, speaking on condition of anonymity because he wasn't authorized to discuss the matter publicly.
While many of the details have been blacked out of the audits, the inspector general has criticized State for not implementing an effective risk management program. Without one, "the department cannot prioritize, assess, respond to, and monitor information security risk, which leaves the department vulnerable to attacks and threats," the IG wrote in the latest report, issued last October.
There are also examples of sloppy management. For example, in 2012, the IG reported that of 116,821 unclassified email accounts, 5,717 had not been used, 529 had passwords set not to expire, 19,335 had been set not to require passwords, and 6,269 users had not logged into their accounts between 2005 and 2011. Such a large volume of unattached accounts makes it easier for hackers to co-opt one of them without anyone noticing.
In 2013, an inspection by the IG into State's cybersecurity office — the Bureau of Information Resource Management's Office of Information Assurance — found waste, mismanagement and dysfunction. The office required State Department agencies to fill out paper spreadsheets to track system updates, and was "unable to locate information in a timely manner," the report found.
State Department officials responsible for cybersecurity acknowledged that the department had gotten behind in its compliance with standards in the Federal Information Security Management Act, known as FISMA, which requires, for example, that agency systems be certified as secure. Many of the State Department systems had not been certified for many years. Officials say they have made great strides in the last year.
"FISMA is very important, but it is process-oriented, and compliance is judged on meeting the process," not whether data is actually protected, Toner said.
State Department officials argue that their system for continually monitoring its networks for threats, known as iPost, exceeds FISMA's security standards.
The inspector general and the Government Accountability Office concluded, however, that iPost did not provide a true picture of the risk to State's networks.
[Let's see.
The HHS Obamacare web site debacle.
Hillary's ignorance of, or indifference to,
the risks posed by her use of a private email server.
The State Department's overall deteriorating cybersecurity posture
while Hillary was secretary.
Is there a pattern here?]
2016
2016-07-25-TTG-ghosts-in-the-system
Ghosts in the System - TTGby "The Twisted Genius"
Sic Semper Tyrannis (Col. Patrick Lang's blog), 2016-07-25
I was as surprised as most when FBI Director Comey
recommended no charges for Clinton over her email server shenanigans.
I thought there would be more comments about
the way she had the email server sterilized
before it was handed over to the FBI.
Smells like obstruction of justice to me.
To make matters worse, the sterilization sabotaged efforts to investigate
the massive 2014 breach of the State Department email system.
...
posted by KHarbaugh at 10:00
<< Home