Digital telecommunications represent a real danger today for governments, as their systems are being probed for weaknesses daily by a number of potential intruders. Cyberspace is a great means to convey information and allow sharing of resources, but it is also an open door for computer-savvy hackers who exploit security vulnerabilities to gain unauthorized access to information from sensitive to critical, to wreak havoc or disrupt systems with viruses and malware, or to alter system resources to affect operations.
A recent report by the United States Government Accountability Office highlights how, although much has been done by the U.S. Government in terms of cybersecurity, there are still critical weaknesses to be corrected. Without a doubt, end users are one of the weakest links in cybersecurity, and government agencies were found not to have done enough yet to raise awareness and implement security programs to assist users in their role of systems’ protectors. All users need to be aware of certain vulnerabilities and risks in order to adopt or change behaviors and habits and minimize online threats or fend off ever-present cyber-attacks.
To counteract the new, sophisticated assaults that are targeting all agencies, government is now devising new strategies that include a renewed focus on technology but also an investment in people, especially through a focus on awareness, a simple but powerful way for entities to protect their assets and interests in the cyber-domain.
Major Government Breaches
There have been a number of breaches of U.S. federal agencies to date. The most recent case involved the Office of Personnel Management (OPM) – the agency that also handles security clearances and employee records – which was hacked in June 2015. It suffered an intrusion, carried out with malware and other hacking methods, that targeted personnel records of federal employees, former workers, or government contractors and might have compromised personally identifiable information (PII). There is concern that malicious cyber-attackers would somehow use or share that information.
- Pentagon incident (August 2015) – Adversaries hacked an unclassified email server of the Pentagon.
- Defense Department (April 2015) – An incident occurred on DoD’s unclassified military networks. Now, a new DoD cyber mission and strategy includes more transparency about its mission and operations.
- State Department (November 2014) – The unclassified e-mail system of the U.S. State Department (DoS) had to be shut down in response to a suspected cyber-attack.
- White House (October 2014) – The network at the White House used by President Obama’s staff was breached by external hackers.
Other incidents included attacks at the U.S. Internal Revenue Service (2015), the U.S. Department of Veterans Affairs (2014) and the U.S. Postal Service (2014). In January 2014, another cyber-attack involved the Pentagon Force Protection Agency (PFPA); according to Defense officials, the agency experienced a “catastrophic network technological outage.” The Life Safety System Network (LSSN) and Life Safety Backbone (LSB) were targeted and dropped offline; as a result of the system failures, defense officials were left “without access to the mission-critical systems needed to properly safeguard personnel and facilities, rendering the agency blind across the national capital region,” said Lt. Col. Damien Pickart, Defense Department spokesman, as reported by Bob Brewin in a Defense One post.
Government’s Cyber-Preparedness or Lack Thereof
As one can see, the U.S. government has suffered several major cyber-attacks in recent times. In fact, the U.S. Government Accountability Office (GAO) report actually found an increase in cybersecurity incidents among federal agencies that were exposed to computer attacks. The number of information security incidents affecting systems supporting the federal government continued to increase from 5,503 in FY 2006 to 67,168 in FY 2014. “Of the incidents occurring in 2014 (not including those reported as non-cyber-incidents), scans/probes/attempted access was the most widely reported type of incident across the federal government. This type of incident can involve identifying a federal agency computer, open ports, protocols, service, or any combination of these for later exploit.”
In particular, zero-day exploits have been used in cyber-attacks, among others, which have been identified by security researchers. Typically, governments and intelligence agencies are more interested in these hacks because they can be used for operations such as cyber-espionage campaigns or exploiting target infrastructures, explains Pierluigi Paganini, a cybersecurity expert. For this reason, security specialists and government agencies constantly monitor the zero-day market, its evolution and exploits per day.
“Recent events underscore the need to accelerate the administration’s cyber strategy and confront aggressive, persistent malicious actors that continue to target our nation’s cyber infrastructure,” mentioned officials of the Office of Management and Budget in a statement. The number of incidents reported by federal agencies to the United States Computer Emergency Readiness Team (US-CERT), which is part of DHS’ National Cybersecurity and Communications Integration Center (NCCIC), is excessive. Consequently, the government has been under pressure to re-evaluate the effectiveness of information security policies, procedures, and practices, in addition to increasing security training for all involved.
The investigation team of GAO found deficiencies in 24 federal agencies’ InfoSec controls and weaknesses in their programs. “Most agencies continue to have weaknesses in (1) limiting, preventing, and detecting inappropriate access to computer resources; (2) managing the configuration of software and hardware; (3) segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation; (4) planning for continuity of operations in the event of a disaster or disruption; and (5) implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis.” These deficiencies make U.S. federal government and agency systems and networks vulnerable and, according to GAO, “place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk.”
In particular, the report found vulnerabilities such as the IRS’s failure to install appropriate security updates on all databases and servers. The Federal Aviation Administration “had significant security control weaknesses” in five air-traffic control systems GAO reviewed; these systems are extremely important for safe and continuous operations because they record precise aircraft locations and stream flight information to aircraft. The Department of Veterans Affairs also showed vulnerabilities in web applications and actual workstations. According to GAO, most agencies still showed weaknesses in access controls and did not implement appropriate controls for configuration management.
As the government becomes aware of how much still needs to be done in terms of cybersecurity, it has begun to meet the next generation of threats by reviewing its security posture in detail, explains U.S. CIO Tony Scott, who launched a 30-day Cybersecurity Sprint back in June, which prompted a review of the Federal Government’s cybersecurity policies, procedures, and practices.
The Government’s Threat Level and Deterrence Plans
Why are U.S. government systems so vulnerable? First of all, government systems are a prime target for an incredible number of malicious hackers for different reasons. From foreign governments to hired organizations of spies to disgruntled employees and mythomaniacs, the number of attacks on government agencies is extremely high. It is also easier to target government employees with phishing and, above all, spear-phishing campaigns, as their names, positions, supervisors’ names as well as general information and e-mail addresses are widely available to the public due to the nature of their jobs.
Memorandum 15-13 of the Executive Office of the President has finally established that, by December 31, 2016, “all publicly accessible Federal websites and web services only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).” This is a first step towards making browsing of sensitive government resources private by encrypting connections and preventing man-in-the-middle attacks.
In addition, the vulnerabilities of the government sometimes reflect the vulnerabilities of the critical civilian infrastructures created by contractors that work with or support government operations; this adds an extra layer of difficulty to the protection of government systems.
As attackers continue to find devious ways of bypassing security controls, it falls to defenders, in this case the government, to raise their level of security practices. With cyber-threats on the rise, as mentioned in a White House Fact Sheet, comes the need to have a strong information security strategy in place.
Government agencies are now reporting to OMB (Office of Management and Budget) that they spend almost 13 billion dollars (FY2014) on information security. As the number of reported federal cybersecurity incidents has now increased, there is sure to be further spending to strengthen government agencies’ protection, detection, and reporting capabilities. According to a Homeland Security News Wire editorial piece, “Defense and deterrence are two of the highest priorities for bolstering the nation’s cybersecurity capabilities,” top officials from the Defense Department and the intelligence community told a Senate panel recently.
In the last three or four years, the U.S. Government has concentrated on a number of measures to strengthen its security posture. Agencies are increasing their investments in knowledge and technology to counteract the growing sophistication of cyber-attacks. For example, they have come to rely on the use of a system known as Einstein, “an intrusion detection and prevention system that screens federal Internet traffic to identify potential cyber-threats,” states the Department of Homeland Security. Einstein, a US-CERT program used by multiple U.S. agencies, helps beef up their network security.
The government has also increased the use of trusted internet connections (TIC), increased monitoring activities, and visibility into systems operations to help IT administrators make better decisions through higher awareness. It also began implementing measures for stronger authentication using common access cards, digital signatures and encryption. Basically, it switched focus from a defensive strategy to an offensive one.
However, in spite of improvements in defense mechanisms and the increased level of awareness of the organization’s cybersecurity, the recent U.S. government data breaches emphasize that federal systems are not safe from cyber-attacks. End users have a shared responsibility to secure the information stored in networked systems to protect the data and much more; something needs to be done in terms of protecting systems and information.
Remediation plans devised after the latest breaches have required using new security tools to discover any potential network flaws, but have also shed light on the need to address employee behaviors and information systems security awareness. Government not only called for increased cybersecurity education at all levels (from K-12 to universities), but it also better defined cybersecurity job responsibilities and needed competencies.
It also began concentrating on thorough and persistent cybersecurity training for all employees and contractors having access to government systems. The lack of cybersecurity knowledge among those in the field is unacceptable, especially those in the government. New research by cybersecurity company Sophos found “a low level of awareness of cybersecurity and cybercrime across the general local government workforce.” With cybercrime at an all-time high and several critical infrastructure organizations under attack, this is appalling.
National Cyber Security Awareness Month is observed in October and sees a multitude of industries (including the government) and individuals engaged in activities to increase their awareness about today’s ever-evolving cybersecurity landscape. There is no better time to improve staff awareness of IT threats.
October’s National Cyber Security Awareness Month (NCSAM), which is co-led by the U.S. Department of Homeland Security (DHS) and the National Cyber Security Alliance (NCSA), is an ideal occasion to become familiar with the national NCSAM campaign. This is a period for United States citizens (and others) to recognize the importance of cybersecurity with activities, events, and training.
The national campaign reminds us to STOP. THINK. CONNECT. Yet there is still a lot to do in terms of involving users. As John Oltsik, Senior Principal Analyst at ESG, wrote in a post, the National Security Awareness Month is a “half-hearted awareness month that few pay attention to.”
End users’ risky behaviors are often responsible for many of the cyber-incidents and enable criminals to hack into their systems (networks and devices). Proper staff training can significantly lower the risk of infection, alongside the effective implementation of cyber-technologies and tools that can anticipate possible attacks.
The national response to significant cyber-incidents is coordinated in accordance with the National Cyber Incident Response Plan (NCIRP) – a blueprint for cybersecurity incident response directed by President Barack Obama. This is done in compliance with risk management requirements under the Federal Information Security Management Act (FISMA).
Today, “raising the level of individual cybersecurity awareness and performance is critical,” said Robert O. Work, the 32nd Deputy Secretary of Defense, who testified on cybersecurity policy and threats before the Senate Armed Services Committee on Sept. 29, 2015.
Without hesitation, all government agencies are now fully onboard, having finally recognized in full how important it is to involve employees in every department and at every level in the protection of the IT systems. Classroom and online training are becoming mandatory and annual refresher courses are being made mandatory in most cases. A variety of tools (from daily messages to game-like awareness tools) is being deployed so that even the most non-cyber-savvy employees can learn and embrace safe IT practices and online behaviors.
The risks of cyber-insecurities today are astonishing, as mentioned in the Global Risks report 2015 from the World Economic Forum. Unfortunately, the study revealed that a great number of risks just happen to be with state and federal government agencies, which are actually supposed to lead by example in the fight to protect against data breaches. Like so many U.S. organizations, federal agencies have significant weaknesses in their information security controls and in their efforts to improve incident response practices.
Overall, how cyber-safe is the government today? Security technologist Bruce Schneier told The Wall Street Journal that the “U.S. government cybersecurity is an insecure mess, and fixing it is going to take considerable attention and resources.” Largely, it all comes down to better situational awareness and cybersecurity proficiency, and the government is taking action to increase both. And that is, at the moment, the best possible approach.
Homeland Security News Wire. (2015, October 2). Cybersecurity: Strengthening U.S. cybersecurity capabilities by bolstering cyber defense, deterrence. Retrieved from http://www.homelandsecuritynewswire.com/dr20151002-strengthening-u-s-cybersecurity-capabilities-by-bolstering-cyber-defense-deterrence?page=0,0
Kanowitz, S. (2015, June 15). White House orders federal agencies to tighten networks in ‘cybersecurity sprint’. Retrieved from http://www.fiercegovernmentit.com/story/white-house-orders-federal-agencies-tighten-networks-cybersecurity-sprint/2015-06-15
Oltsik, J. (2014, October 14). Time to Embrace or Terminate National Cybersecurity Awareness Month. Retrieved from http://www.networkworld.com/article/2826004/cisco-subnet/time-to-embrace-or-terminate-national-cybersecurity-awareness-month-ncsam.html
Nelson, R. (2013, February 1). Homeland Security at a Crossroads: Evolving DHS to Meet the Next Generation of Threats. Retrieved from http://csis.org/publication/homeland-security-crossroads-evolving-dhs-meet-next-generation-threats
Office of Management and Budget. (n.d.). Improving Cybersecurity Protections in Federal Acquisitions Public Comment Space. Retrieved from https://policy.cio.gov/
Pomerleau, M. (2015, April 29). DOD’s cyber evolution, four years later. Retrieved from https://defensesystems.com/articles/2015/04/29/dod-cyber-startegy-four-year-evolution.aspx
Schneier, B. (2009, March 31). Who Should Be in Charge of Cybersecurity? Retrieved from http://www.wsj.com/articles/SB123844579753370907
Scott, T. (2015, June 17). FACT SHEET: Enhancing and Strengthening the Federal Government’s Cybersecurity. Retrieved from https://www.whitehouse.gov/blog/2015/06/17/fact-sheet-enhancing-and-strengthening-federal-government-s-cybersecurity
Sophos. (2015, July 28). Sophos Press Release: New Sophos research reveals state of IT security in local government organisations. Retrieved from https://www.sophos.com/en-us/press-office/press-releases/2015/07/new-sophos-research-reveals-state-of-it-security.aspx
TechTarget. (n.d.). The Global Risk Report 2015. Retrieved from http://pro.techtarget.com/global-risk-2015_lb-ma-content?Offer=mn_lh020515CPWKBANR_GlobalRiskReportEUSec300
U.S. Department of Defense. (n.d.). The Department of Defense Cyber Strategy. Retrieved from http://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy
U.S. Department of Homeland Security. (2013, April 19). Privacy Impact Assessment for EINSTEIN 3 – Accelerated (E. 3. A). Retrieved from http://www.dhs.gov/sites/default/files/publications/privacy/PIAs/PIA%20NPPD%20E3A%2020130419%20FINAL%20signed.pdf
U.S. Government Accountability Office. (2013, February 14). CYBERSECURITY: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented. (GAO Publication No. 13-187). Washington, D.C.: U.S. Government Printing Office. Retrieved from http://www.gao.gov/products/GAO-13-187
U.S. Government Accountability Office. (2015, September). FEDERAL INFORMATION SECURITY – Agencies Need to Correct Weaknesses and Fully Implement Security Programs. (GAO Publication No. 15-714). Washington, D.C.: U.S. Government Printing Office. Retrieved from http://www.gao.gov/assets/680/672801.pdf