Breaches Fixed Quickly without Total Shutdown, Say Agencies
Agency security officials fended off alarmist scenarios spun by members of Congress warning of cyberattacks equal to dirty bombs at a Thurs. House Homeland Cybersecurity Subcommittee hearing. Major subjects were breaches at the Commerce and State Departments, the role of DHS’s National Cyber Security Div. (NCSD) in protecting agency systems and training personnel, and the risk that classified or otherwise sensitive data may have been compromised. Legislators grilled officials on how they know their systems are now secure and why they haven’t been able to find the attacks’ sources.
Chmn. Langevin (D-R.I.) noted that Commerce and State got Fs on a new Federal Information Security Management Act (FISMA) report card from the House Govt. Reform Committee (WID April 16 p5). Commerce can’t say how long Chinese hackers had access to its Bureau of Industry & Security (BIS) systems in a July breach, and “complete machine rebuilds have not occurred” at the agency, Langevin said. He slammed “temporary wrappers” -- hasty computer fixes made in the absence of a vendor patch -- jerry-rigged at State after an E. Asia bureau employee clicked on a malicious file in a “socially engineered” e-mail.
Networks and supervisory control & data acquisition systems could be shut down in cyberattacks, said Ranking Member McCaul (R-Tex.). If the U.S. military can bring down grids, “imagine the capability in the hands of a rogue nation or a terrorist state,” he said. The govt. would “grind to a halt” in a big breach, even if nothing appears to have been taken, McCaul said, noting that potentially compromised IRS or Medicare records would be an “administrative nightmare” to verify for integrity.
DHS can’t be trusted to run cybersecurity governmentwide, as some want, “when it can’t even secure its own networks,” Langevin said, citing the agency’s latest FISMA score of D: “Not only are these grades embarrassing, they're dangerous.” He accused NCSD of not sharing “commonalities of attack” it sees with all agencies, asking the division to “fuse” reports of attacks and vulnerabilities and send them throughout govt. McCaul wants comments on whether to have DHS handle security of all agencies’ networks or just be a “point of coordination” for agency actions, he said. Rep. Lofgren (D-Cal.) said she wants to hear more about the risk of cyber attacks coupled with physical attacks, perhaps in a “more discreet setting” than a public hearing.
“Even basic controls” for security on agencies’ computer systems were missing in a recent GAO review, said Greg Wilshusen, information security issues dir. Those include changing vendor-supplied passwords, encryption and access privileges too high for personnel. Inspectors general and outside auditors found “significant weaknesses” at 21 of 24 agencies; these included poor safeguarding of laptops, he said. Inconsistencies are rampant, Wilshusen said, citing an agency that reported 800 incidents to multiple authorities -- but failed to tell DHS’s response center, the U.S. Computer Emergency Readiness Team (US-CERT).
State’s cybersecurity team won a 2005 NSA award for “information assurance,” said Donald Reid, Bureau of Diplomatic Security senior coordinator-security infrastructure. The troublesome e-mail to the E. Asia bureau employee “appeared to be legitimate” -- containing a file with a congressional speech on a “germane” topic -- but once clicked was “immediately detected” as a Trojan, Reid said. State told US-CERT, blocked communications to suspicious IP addresses and took the whole foreign bureau offline for 3 weeks, during which time it found another flaw and urged Microsoft to whip up a patch, he said. “We were successful here until a newspaper article telegraphed what we were dealing with,” Reid added.
Commerce has 7 teams dealing with cybersecurity, said Dave Jarrell, mgr.-critical infrastructure protection program. The agency learned of the BIS hack when the BIS system noted unauthorized login attempts from an official’s computer and locked it out, he said. Commerce told US-CERT, handed over infected files to its service provider and started a Web blocklist that’s still in use, Jarrell said.
Cybersecurity is among DHS Secy. Michael Chertoff’s “highest priorities,” NCSD Dir. Jerry Dixon said. In 2006 NCSD tracked 23,000 cyber incidents, including “home users” calling the unit, and has fielded 20,000 this year, he told Langevin, attributing the rise to new OMB rules. Dixon said NCSD worked with IT staff in both houses of Congress, but didn’t directly answer Langevin’s question about hacking targeted at Congress. Sourcing attacks definitively is next to impossible, Reid told McCaul. State traced the attacks to Chinese servers, which doesn’t prove state involvement, he said. “We can’t definitively say the source of the attack” on BIS either, Jarrell said.
Langevin asked why DHS’s top cybersecurity official, Asst. Secy. Greg Garcia, didn’t testify. “I was pretty heavily involved with these situations,” so the agency felt Garcia couldn’t add anything, Dixon replied. Langevin said Garcia better show up next time. The chairman also criticized Commerce, State and GAO witnesses for missing the deadline to turn in prepared testimony 2 days before the hearing, but acknowledged that White House clearance probably slowed them.
“We're in unknown territory. We're trying to learn as we're going along,” Reid said in response to Langevin’s questions about why all affected systems weren’t taken offline immediately, and why no “full” inspection was done. Microsoft typically takes 2 months to complete a patch and “we needed something before then,” Reid said, noting that Microsoft’s patch came out in Aug. Visa processing and other State functions could “come to a screeching halt” if State took all potentially compromised systems offline, he said: “We felt that the risks were worth it. We had a solution that would work.” Langevin said the agency didn’t err on the side of national security, but gave Reid permission to furnish a written response to the accusation.
Hackers had no way to get to classified data through unclassified networks -- the 2 are physically separate and the larger security community hasn’t reported any breaches, Reid told Langevin. Commerce disagrees with its IG’s claim that 1/2 its systems aren’t “inventoried,” he said, citing regular scanning that pulls up 50,000 connected devices. Wilshusen agreed with Langevin that unclassified information, if “aggregated,” could raise its level of sensitivity.
McCaul asked Wilshusen if DHS could act as a chief information security officer for the federal govt. “That would present some challenges,” Wilshusen said, noting that FISMA gives that responsibility to the OMB dir. and agency chiefs. Authorizing DHS to compel other agencies to act “could be somewhat problematic from the organizational placement” of such a rule, Wilshusen said, also noting DHS’s continuing network security problems.
Commerce can’t tell how long the intruders had access to BIS because it didn’t retain audit logs long enough, but it’s changing protocols, Jarrell told Rep. Etheridge (D-N.C.). The agency is testing 2-factor authentication, he added. It has a vendor and hopes to be finished this fiscal year, with rollout through fiscal 2008, Jarrell said. Wilshusen said intruders could alter network logs to obscure their tracks and create “rogue tunnels,” as Etheridge posited.
Attacks aimed at specific agencies’ vulnerabilities will be publicized faster than attacks that are “wormable,” or easily altered to affect broader vulnerabilities, Dixon told Rep. Green (D-Tex.). “We would have quickly gone public with” the attack on Commerce, but the rootkit used was wormable, Dixon said. Dynamic addressing and onion routing complicate the tracing of attackers’ locations, he added. Dixon stood up for ISPs, accused cryptically by Green of releasing material “antithetical to our best interest.” ISPs have helped make denial-of-service traffic “disappear” and keep e-commerce sites from going down, Dixon said. Relationships with ISPs built through the Internet Disruption Working Group have been “essential” to NCSD’s work, he added.