US vs Hackers: Still Losing

U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center: part of a complex structure

In the month since a devastating computer systems breach at the Office of Personnel Management, digital Swat teams have been racing to plug the most glaring security holes in government computer networks and prevent another embarrassing theft of personal information, financial data and national security secrets.
But senior cybersecurity officials, lawmakers and technology experts said in interviews that the 30-day “cybersprint” ordered by President Obama after the attacks is little more than digital triage on federal computer networks that are cobbled together with out-of-date equipment and defended with the software equivalent of Bubble Wrap.
In an effort to highlight its corrective actions, the White House will announce shortly that teams of federal employees and volunteer hackers have made progress over the last month. At some agencies, 100 percent of users are, for the first time, logging in with two-factor authentication, a basic security feature, officials said. Security holes that have lingered for years despite obvious fixes are being patched. And thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.
But officials and experts acknowledge that the computer networks of many federal agencies remain highly vulnerable to sophisticated cybercriminals, who are often sponsored by other countries. Another breach like the one in June, which exposed information on 21 million people, remains a threat — despite repeated alarms over the years that government computer systems were vulnerable to exactly that kind of attack. Asked in congressional testimony this month to grade the federal government’s cybersecurity efforts on a scale of A to F, a senior government auditor gave the government a D.
Even senior White House officials acknowledge how much remains to be done. “It’s safe to say that federal agencies are not where we want them to be across the board,” Michael Daniel, Mr. Obama’s top cybersecurity adviser, said in an interview. He said the bureaucracy needed a “mind-set shift” that would put computer security at the top of a long list of priorities. “We clearly need to be moving faster.”
Despite high-profile incidents, including the theft of secrets by the national security contractor Edward J. Snowden, many government agencies have demonstrated little commitment to making cybersecurity a priority.
After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks.
As recently as this year, officials showed little urgency in confronting dangers from the bits and bytes flying across their networks.
A January audit of the Federal Aviation Administration cited “significant security control weaknesses” in the agency’s network, “placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.” But that agency had been warned for years that its computer networks were wide open to attack. In 2009, hackers stole personal information for 48,000 agency employees, prompting an investigation that found 763 high-risk vulnerabilities — any one of which, auditors said, could give attackers access to the computers that run the air traffic control system.

This glacial pace of change, former Federal Aviation Administration officials said, was not for their lack of trying. Michael Brown, who served as the agency’s chief information security officer for a decade, called the 2009 episode his “scariest moment” and said he had frequently been frustrated by the government’s failure to address the obvious security holes in the most important networks.
“You come up with binders full of documentation, and then at the end of the day, you don’t have any money to go back and ameliorate,” Mr. Brown said. “The system could be hanging out there for a long time with a vulnerability.”
The story has been much the same at other agencies. At the Department of Energy, after other breaches there, a hacker spent a month stealing personnel records from an unencrypted database in the summer of 2013. By the time Robert F. Brese, the department’s top cybersecurity official, was notified, the hacker had drained 104,000 names, addresses and Social Security numbers from its systems.
“It was just this sickening feeling in my stomach,” Mr. Brese, now a consultant, recalled.
In the days that followed, investigators found numerous holes in the Energy Department’s network that contained sensitive information on nuclear propulsion and critical infrastructure. Government auditors slammed the department for lax security controls, lack of encryption and a failure to patch known vulnerabilities.
And while that could have served as an early warning, the breach was met with a shrug at other agencies. At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency’s networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved.
“That’s been a recurring theme,” said Gregory C. Wilshusen, the Government Accountability Office’s top computer systems investigator. “They believe they’ve taken corrective actions, but when one goes back to check, we find that they haven’t. It just perpetuates the vulnerability and gives I.R.S. a false sense of security.” In May, the agency was forced to concede that hackers had gained access to the tax returns of some 100,000 citizens.
The dangers are accelerating as hackers repeatedly target computer networks used to collect taxes, secure ports and airports, run air traffic control systems, process student loans, oversee the nation’s nuclear stockpile, monitor the Federal Reserve and support the armed services. Last year, officials say, there were more than 67,000 computer-related incidents at federal agencies, up from about 5,000 in 2006.
Officials at all levels may finally be paying attention in the wake of the Office of Personnel Management hacking. Lawmakers are considering legislation to require sharing of information about malicious hacks and to set cybersecurity standards for federal systems.
“This is going to have to be an area of much greater focus,” said Senator Mark R. Warner, Democrat of Virginia, a supporter of the legislation.
Tony Scott, the federal government’s chief information officer, who arrived this year from Microsoft and VMware, vowed to make sure they did.
“I’m not going to let up,” he promised in an interview. “We are going to bring every bit of pressure we can bring.”
Across the government, there is evidence of new anxiety. On the “watch floor” of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, dozens of specialists monitor potential intrusions on government networks. Large screens flash yellow or red to warn of potential surges in network traffic or attempts to breach systems by known hackers.
But the most advanced defenses have yet to be fully installed. Major agencies will not have them for a year, and smaller ones could take longer, officials said. And legal, political and bureaucratic roadblocks still make it difficult for officials to cajole their colleagues to take action quickly.
Department of Homeland Security officials must continually trek to Capitol Hill for approval of the most mundane organizational shifts. “I thought my head would blow off when I had to get approval from people who had no idea what we were doing,” said Mark Weatherford, the former deputy under secretary for cybersecurity at the Department of Homeland Security.
He noted that such bureaucratic obstacles made it difficult for the department to compete in the cutthroat war for talented security specialists. “It takes far too long,” said Mr. Weatherford, now a principal at the Chertoff Group, an advisory firm in Washington. “I can’t tell you how many good people we lost at D.H.S. because they couldn’t wait four to six months for the hiring process.”
The agency has had a hard time competing with the likes of Google, start-ups and other agencies for top talent. The Office of Personnel Management runs a program that offers grants to students who specialize in cybersecurity in exchange for their help defending government networks. Between 2002 and 2014, 55 of the program’s 1,500 graduates went to work for the Department of Homeland Security, compared with 407 who worked for the National Security Agency.
Eric Cornelius, a graduate of the program who served as Homeland Security’s deputy director and chief technical analyst for its control systems security program, stayed only 18 months before leaving for Cylance, a security start-up. He said hiring was only half the problem. “The other half of the problem is the need to address firing reform,” Mr. Cornelius said. “In my experience, complacency is the enemy of competency.”
But Mr. Scott said the sprint was just a prelude to a complete cultural overhaul. “We need to dramatically change how we’re thinking about this,” he said. “Just because there’s a sprint doesn’t mean this is the end.”
NYT: http://nyti.ms/1VhL39f
