US vs Hackers: Still Losing

NCCIC_Org-Chart_20140404-01%20(3).png

U.S. Department of Homeland Security’s National Cybersecurity and Communications : Part of A Complex Structure
 
In the month since a devastating computer systems breach at the Office of Personnel Management, digital Swat teams have been racing to plug the most glaring security holes in government computer networks and prevent another embarrassing theft of personal information, financial data and national security secrets.
But senior cybersecurity officials, lawmakers and technology experts said in interviews that the 30-day “cybersprint” ordered by President Obama after the attacks is little more than digital triage on federal computer networks that are cobbled together with out-of-date equipment and defended with the software equivalent of Bubble Wrap.
In an effort to highlight its corrective actions, the White House will announce shortly that teams of federal employees and volunteer hackers have made progress over the last month. At some agencies, 100 percent of users are, for the first time, logging in with two-factor authentication, a basic security feature, officials said. Security holes that have lingered for years despite obvious fixes are being patched. And thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.
But officials and experts acknowledge that the computer networks of many federal agencies remain highly vulnerable to sophisticated cybercriminals, who are often sponsored by other countries. Another breach like the one in June, which exposed information on 21 million people, remains a threat — despite repeated alarms over the years that government computer systems were vulnerable to exactly that kind of attack. Asked in congressional testimony this month to grade the federal government’s cybersecurity efforts on a scale of A to F, a senior government auditor gave the government a D.
Even senior White House officials acknowledge how much remains to be done. “It’s safe to say that federal agencies are not where we want them to be across the board,” Michael Daniel, Mr. Obama’s top cybersecurity adviser, said in an interview. He said the bureaucracy needed a “mind-set shift” that would put computer security at the top of a long list of priorities. “We clearly need to be moving faster.”
Despite high-profile incidents, including the theft of secrets by the national security contractor Edward J. Snowden, many government agencies have demonstrated little commitment to making cybersecurity a priority.
After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks.
As recently as this year, officials showed little urgency in confronting dangers from the bits and bytes flying across their networks.
A January audit of the Federal Aviation Administration cited “significant security control weaknesses” in the agency’s network, “placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.” But that agency had been warned for years that its computer networks were wide open to attack. In 2009, hackers stole personal information for 48,000 agency employees, prompting an investigation that found 763 high-risk vulnerabilities — any one of which, auditors said, could give attackers access to the computers that run the air traffic control system.

This glacial pace of change, former Federal Aviation Administration officials said, was not for their lack of trying. Michael Brown, who served as the agency’s chief information security officer for a decade, called the 2009 episode his “scariest moment” and said he had frequently been frustrated by the government’s failure to address the obvious security holes in the most important networks.
“You come up with binders full of documentation, and then at the end of the day, you don’t have any money to go back and ameliorate,” Mr. Brown said. “The system could be hanging out there for a long time with a vulnerability.”
The story has been much the same at other agencies. At the Department of Energy, after other breaches there, a hacker spent a month stealing personnel records from an unencrypted database in the summer of 2013. By the time Robert F. Brese, the department’s top cybersecurity official, was notified, the hacker had drained 104,000 names, addresses and Social Security numbers from its systems.
“It was just this sickening feeling in my stomach,” Mr. Brese, now a consultant, recalled.
In the days that followed, investigators found numerous holes in the Energy Department’s network that contained sensitive information on nuclear propulsion and critical infrastructure. Government auditors slammed the department for lax security controls, lack of encryption and a failure to patch known vulnerabilities.
And while that could have served as an early warning, the breach was met with a shrug at other agencies. At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency’s networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved.
“That’s been a recurring theme,” said Gregory C. Wilshusen, the Government Accountability Office’s top computer systems investigator. “They believe they’ve taken corrective actions, but when one goes back to check, we find that they haven’t. It just perpetuates the vulnerability and gives I.R.S. a false sense of security.” In May, the agency was forced to concede that hackers had gained access to the tax returns of some 100,000 citizens.
The dangers are accelerating as hackers repeatedly target computer networks used to collect taxes, secure ports and airports, run air traffic control systems, process student loans, oversee the nation’s nuclear stockpile, monitor the Federal Reserve and support the armed services. Last year, officials say, there were more than 67,000 computer-related incidents at federal agencies, up from about 5,000 in 2006.
Officials at all levels may finally be paying attention in the wake of the Office of Personnel Management hacking. Lawmakers are considering legislation to require sharing of information about malicious hacks and to set cybersecurity standards for federal systems.
“This is going to have to be an area of much greater focus,” said Senator Mark R. Warner, Democrat of Virginia, a supporter of the legislation.
Tony Scott, the federal government’s chief information officer, who arrived this year from Microsoft and VMware, vowed to make sure they did.
“I’m not going to let up,” he promised in an interview. “We are going to bring every bit of pressure we can bring.”
Across the government, there is evidence of new anxiety. On the “watch floor” of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, dozens of specialists monitor potential intrusions on government networks. Large screens flash yellow or red to warn of potential surges in network traffic or attempts to breach systems by known hackers.
But the most advanced defenses have yet to be fully installed. Major agencies will not have them for a year, and smaller ones could take longer, officials said. And legal, political and bureaucratic roadblocks still make it difficult for officials to cajole their colleagues to take action quickly.
Department of Homeland Security officials must continually trek to Capitol Hill for approval of the most mundane organizational shifts. “I thought my head would blow off when I had to get approval from people who had no idea what we were doing,” said Mark Weatherford, the former deputy under secretary for cybersecurity at the Department of Homeland Security.
He noted that such bureaucratic obstacles made it difficult for the department to compete in the cutthroat war for talented security specialists. “It takes far too long,” said Mr. Weatherford, now a principal at the Chertoff Group, an advisory firm in Washington. “I can’t tell you how many good people we lost at D.H.S. because they couldn’t wait four to six months for the hiring process.”
The agency has had a hard time competing with the likes of Google, start-ups and other agencies for top talent. The Office of Personnel Management runs a program that offers grants to students who specialize in cybersecurity in exchange for their help defending government networks. Between 2002 and 2014, 55 of the program’s 1,500 graduates went to work for the Department of Homeland Security, compared with 407 who worked for the National Security Agency.
Eric Cornelius, an graduate of the program who served as Homeland Security’s deputy director and chief technical analyst for its control systems security program, stayed only 18 months before leaving for Cylance, a security start-up. He said hiring was only half the problem. ‘The other half of the problem is the need to address firing reform,” Mr. Cornelius said. “In my experience, complacency is the enemy of competency.”
But Mr. Scott said the sprint was just a prelude to a complete cultural overhaul. “We need to dramatically change how we’re thinking about this,” he said. “Just because there’s a sprint doesn’t mean this is the end.”
NYT: http://nyti.ms/1VhL39f

« Internet of Things: A Mass Surveillance Infrastructure
Cyber Threats to Civilian Flights »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Senetas

Senetas

Senetas is a leading developer and manufacturer of certified high-assurance encryption solutions, dedicated to protecting network transmitted data without compromising performance.

Serena

Serena

Serena Software helps increase speed of the software development lifecycle while enhancing security, compliance, and performance.

CipherPoint Software

CipherPoint Software

CipherPoint Software provides data-centric auditing and protection solutions for securing unstructured information

Astra

Astra

Astra's website security solution provides real-time protection against malware, hackers, SQLi, XSS, DDoS, LFI and RFI.

AdNovum Informatik

AdNovum Informatik

AdNovum Informatik provides a full set of IT services, ranging from consulting, the conception and implementation of customized business and security solutions to maintenance and support.

Egerie

Egerie

EGERIE's RiskManager solution provides a Global, Centralized, and Updated view of risk maps and security measures for your company.

Department of Justice - Office of Cybercrime (DOJ-OOC)

Department of Justice - Office of Cybercrime (DOJ-OOC)

The Office of Cybercrime within the Philippines Department of Justice is the Central Authority in all matters relating to international mutual assistance and extradition for cybercrime.

SensorHound

SensorHound

SensorHound’s mission is to improve the security and reliability of the Internet of Things (IoT).

Inspira Enterprise

Inspira Enterprise

Inspira Enterprise is a leading digital transformation company with expertise in Cyber Security, Internet of Things (IOT), Blockchain, Big Data & Analytics, Intelligent Automation and Cloud Computing.

Acora

Acora

Acora provide a range of best-in-class managed services, Microsoft-centric business software, and cloud solutions designed to help mid-market organisations succeed in the digital economy.

Occentus Network

Occentus Network

Occentus Network is a telecommunications service provider specialized in High Availability Servers & managed Cloud services.

Tidal Cyber

Tidal Cyber

We formed Tidal for one simple reason—we believe that defenders need and deserve tools and services that make achieving the benefits of threat-informed defense practical and sustainable.

Pistachio

Pistachio

Pistachio is the new evolution of cybersecurity awareness training and attack simulations.

RapidSpike

RapidSpike

RapidSpike is the only website monitoring solution that focuses all three key aspects of website health: performance, reliability AND security.

Wattlecorp Cybersecurity Labs

Wattlecorp Cybersecurity Labs

Wattlecorp Cybersecurity Labs are a group of IT security specialists, ethical hackers, and researchers driven to identify security flaws before cyber threat actors does.

ArmorX AI

ArmorX AI

ArmorX AI (formerly Kapalya) operates an encryption management platform designed to encrypt all data in transit and at rest on mobile end-points, corporate servers, and cloud servers.