US vs Hackers: Still Losing

Uploaded on 2015-07-27 in NEWS-Cybersecurity News, INTELLIGENCE--USA, FREE TO VIEW

NCCIC_Org-Chart_20140404-01%20(3).png

U.S. Department of Homeland Security’s National Cybersecurity and Communications : Part of A Complex Structure
 
In the month since a devastating computer systems breach at the Office of Personnel Management, digital Swat teams have been racing to plug the most glaring security holes in government computer networks and prevent another embarrassing theft of personal information, financial data and national security secrets.
But senior cybersecurity officials, lawmakers and technology experts said in interviews that the 30-day “cybersprint” ordered by President Obama after the attacks is little more than digital triage on federal computer networks that are cobbled together with out-of-date equipment and defended with the software equivalent of Bubble Wrap.
In an effort to highlight its corrective actions, the White House will announce shortly that teams of federal employees and volunteer hackers have made progress over the last month. At some agencies, 100 percent of users are, for the first time, logging in with two-factor authentication, a basic security feature, officials said. Security holes that have lingered for years despite obvious fixes are being patched. And thousands of low-level employees and contractors with access to the nation’s most sensitive secrets have been cut off.
But officials and experts acknowledge that the computer networks of many federal agencies remain highly vulnerable to sophisticated cybercriminals, who are often sponsored by other countries. Another breach like the one in June, which exposed information on 21 million people, remains a threat — despite repeated alarms over the years that government computer systems were vulnerable to exactly that kind of attack. Asked in congressional testimony this month to grade the federal government’s cybersecurity efforts on a scale of A to F, a senior government auditor gave the government a D.
Even senior White House officials acknowledge how much remains to be done. “It’s safe to say that federal agencies are not where we want them to be across the board,” Michael Daniel, Mr. Obama’s top cybersecurity adviser, said in an interview. He said the bureaucracy needed a “mind-set shift” that would put computer security at the top of a long list of priorities. “We clearly need to be moving faster.”
Despite high-profile incidents, including the theft of secrets by the national security contractor Edward J. Snowden, many government agencies have demonstrated little commitment to making cybersecurity a priority.
After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks.
As recently as this year, officials showed little urgency in confronting dangers from the bits and bytes flying across their networks.
A January audit of the Federal Aviation Administration cited “significant security control weaknesses” in the agency’s network, “placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.” But that agency had been warned for years that its computer networks were wide open to attack. In 2009, hackers stole personal information for 48,000 agency employees, prompting an investigation that found 763 high-risk vulnerabilities — any one of which, auditors said, could give attackers access to the computers that run the air traffic control system.

This glacial pace of change, former Federal Aviation Administration officials said, was not for their lack of trying. Michael Brown, who served as the agency’s chief information security officer for a decade, called the 2009 episode his “scariest moment” and said he had frequently been frustrated by the government’s failure to address the obvious security holes in the most important networks.
“You come up with binders full of documentation, and then at the end of the day, you don’t have any money to go back and ameliorate,” Mr. Brown said. “The system could be hanging out there for a long time with a vulnerability.”
The story has been much the same at other agencies. At the Department of Energy, after other breaches there, a hacker spent a month stealing personnel records from an unencrypted database in the summer of 2013. By the time Robert F. Brese, the department’s top cybersecurity official, was notified, the hacker had drained 104,000 names, addresses and Social Security numbers from its systems.
“It was just this sickening feeling in my stomach,” Mr. Brese, now a consultant, recalled.
In the days that followed, investigators found numerous holes in the Energy Department’s network that contained sensitive information on nuclear propulsion and critical infrastructure. Government auditors slammed the department for lax security controls, lack of encryption and a failure to patch known vulnerabilities.
And while that could have served as an early warning, the breach was met with a shrug at other agencies. At the Internal Revenue Service, auditors identified 69 vulnerabilities in the agency’s networks last year, but when officials there told Government Accountability Office auditors this year that they had fixed 24 of those problems, investigators found only 14 had been resolved.
“That’s been a recurring theme,” said Gregory C. Wilshusen, the Government Accountability Office’s top computer systems investigator. “They believe they’ve taken corrective actions, but when one goes back to check, we find that they haven’t. It just perpetuates the vulnerability and gives I.R.S. a false sense of security.” In May, the agency was forced to concede that hackers had gained access to the tax returns of some 100,000 citizens.
The dangers are accelerating as hackers repeatedly target computer networks used to collect taxes, secure ports and airports, run air traffic control systems, process student loans, oversee the nation’s nuclear stockpile, monitor the Federal Reserve and support the armed services. Last year, officials say, there were more than 67,000 computer-related incidents at federal agencies, up from about 5,000 in 2006.
Officials at all levels may finally be paying attention in the wake of the Office of Personnel Management hacking. Lawmakers are considering legislation to require sharing of information about malicious hacks and to set cybersecurity standards for federal systems.
“This is going to have to be an area of much greater focus,” said Senator Mark R. Warner, Democrat of Virginia, a supporter of the legislation.
Tony Scott, the federal government’s chief information officer, who arrived this year from Microsoft and VMware, vowed to make sure they did.
“I’m not going to let up,” he promised in an interview. “We are going to bring every bit of pressure we can bring.”
Across the government, there is evidence of new anxiety. On the “watch floor” of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, dozens of specialists monitor potential intrusions on government networks. Large screens flash yellow or red to warn of potential surges in network traffic or attempts to breach systems by known hackers.
But the most advanced defenses have yet to be fully installed. Major agencies will not have them for a year, and smaller ones could take longer, officials said. And legal, political and bureaucratic roadblocks still make it difficult for officials to cajole their colleagues to take action quickly.
Department of Homeland Security officials must continually trek to Capitol Hill for approval of the most mundane organizational shifts. “I thought my head would blow off when I had to get approval from people who had no idea what we were doing,” said Mark Weatherford, the former deputy under secretary for cybersecurity at the Department of Homeland Security.
He noted that such bureaucratic obstacles made it difficult for the department to compete in the cutthroat war for talented security specialists. “It takes far too long,” said Mr. Weatherford, now a principal at the Chertoff Group, an advisory firm in Washington. “I can’t tell you how many good people we lost at D.H.S. because they couldn’t wait four to six months for the hiring process.”
The agency has had a hard time competing with the likes of Google, start-ups and other agencies for top talent. The Office of Personnel Management runs a program that offers grants to students who specialize in cybersecurity in exchange for their help defending government networks. Between 2002 and 2014, 55 of the program’s 1,500 graduates went to work for the Department of Homeland Security, compared with 407 who worked for the National Security Agency.
Eric Cornelius, an graduate of the program who served as Homeland Security’s deputy director and chief technical analyst for its control systems security program, stayed only 18 months before leaving for Cylance, a security start-up. He said hiring was only half the problem. ‘The other half of the problem is the need to address firing reform,” Mr. Cornelius said. “In my experience, complacency is the enemy of competency.”
But Mr. Scott said the sprint was just a prelude to a complete cultural overhaul. “We need to dramatically change how we’re thinking about this,” he said. “Just because there’s a sprint doesn’t mean this is the end.”
NYT: http://nyti.ms/1VhL39f

« Internet of Things: A Mass Surveillance Infrastructure
Cyber Threats to Civilian Flights »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Omerta

Omerta

Omerta is a global security technology and services company. We advise, consult, design, build, mitigate, protect, manage, provide and train to protect from increasing cyber threats.

Bishop Fox

Bishop Fox

Bishop Fox is a leading authority in offensive security, providing solutions ranging from continuous penetration testing and attack surface management to product and application security assessments.

Global Knowledge Training

Global Knowledge Training

Global Knowledge is a worldwide leader in IT and business training, featuring Cisco, Microsoft, VMware, IBM, security, cloud computing, and project management.

CyTech Services

CyTech Services

CyTech provides unique services and solutions complemented with professional subject matter experts to both the Federal and Commercial sectors.

FireMon

FireMon

FireMon is the only agile network security policy platform for firewalls and cloud security groups providing the fastest way to streamline network security policy management.

Brainloop

Brainloop

Brainloop's security architecture enables you to work on and distribute strictly confidential documents both within and beyond the firewall.

CryptoTec

CryptoTec

CryptoTec is a provider of security concepts and encryption solutions for secure communication between decentralized computerized systems.

LinOTP

LinOTP

LinOTP is an enterprise level, innovative, flexible and versatile OTP-platform for strong authentication.

TitanHQ

TitanHQ

TitanHQ offers ultimate protection from internet based threats and powerful Web filtering functionalities to SMBs, Service Providers and Education sectors around the World.

Ensurity Technologies

Ensurity Technologies

Ensurity is a deep-tech cybersecurity engineering company; designs and manufactures specialized secure hardware, software, and mobile application solutions.

Intraprise Health

Intraprise Health

Intraprise Health is a Certified HITRUST Assessor and award-winning provider of health information security products and services.

Tehtris

Tehtris

TEHTRIS XDR Platform was developed to control and improve the IT security of private and public companies against advanced cyber threats such as cyber espionage or cyber sabotage activities.

SpeQtral

SpeQtral

SpeQtral offers commercial space-based Quantum Key Distribution (QKD) founded on technology developed at the National University of Singapore.

SHI International

SHI International

SHI International deliver against your IT and business needs, helping you build strategies and solutions that will drive innovation, collaboration and security.

Sasken Technologies

Sasken Technologies

Sasken’s Cybersecurity Services enables enterprises to develop, maintain, and take digital products to the market with security postures that empower operational excellence.

Securitribe

Securitribe

Securitribe provides cybersecurity and compliance solutions, including vCISO services, ISO27001, and ASD Essential 8 advisory, helping businesses and government strengthen security & compliance.