In a follow-up to a 2019 report that found major cybersecurity vulnerabilities at eight government agencies, the U.S. Senate Committee on Homeland Security and Governmental Affairs has released a 2021 updated report. Entitled Federal Cybersecurity: America’s Data Still at Risk, the update does not mince words: “This report revisits those same eight agencies two years later. What this report finds is stark.”
Identifying the problems and vulnerabilities seems to be the first step toward improving U.S. cyber-defenses. What is impressive is that the report makes sophisticated recommendations and describes shared government-wide offerings that should be implemented to bolster specific agency defenses. These recommendations and shared services are instructive for all cybersecurity professionals, public and private sector alike, when considering your organization’s cybersecurity efforts moving forward.
According to the report, especially concerning to the Senate investigative subcommittee that filed it is the unprecedented scale of recent state-sponsored hacking activity. This includes the December 2020 SolarWinds supply chain hack by the Russian SVR (government agencies are still trying to understand the severity of the SVR attack, which went undetected for 9 months and is among the “largest and most damaging cyber-attacks in our history”) and the April 2021 breach of federal agencies by a Chinese state-sponsored hacking group using the remote access product Pulse Connect Secure, bypassing password and multifactor authentication to access multiple agencies’ data. The volume of incidents is also troubling: 30,819 in 2020, up 8% from the prior year.
What is further striking is that these unprecedented attacks occurred even after the 2019 report itemized in detail which agencies were vulnerable to attack and how they were failing to secure data. Only DHS made significant improvements to its information security based on the findings and recommendations of the initial 2019 report. The other agencies made only scarce improvements.
The scope of the 2019 investigation was impressive: an examination of ten years of inspector general audit reports, with a focus on the agencies’ compliance with federal statutory cybersecurity standards. The eight agencies evaluated were the Department of Homeland Security, the Department of State, the Department of Transportation, the Department of Housing and Urban Development, the Department of Agriculture, the Department of Health and Human Services, the Department of Education, and the Social Security Administration.
The most common vulnerabilities identified by the 2019 report will be familiar to private sector cybersecurity professionals as dogged, perennial issues impacting the speed and effectiveness of implementing cybersecurity update programs:
It is in this climate that state-sponsored hacking groups attacked federal information systems to the tune of over 30,000 information security incidents in 2020. Of the eight agencies named in the report, only two (State and DHS) are confirmed as having been breached as part of the 2020 Russian SVR attack. What does that say about the other three agencies that were penetrated as part of that attack (Treasury, Commerce, and the National Institutes of Health)? Do they have a similar understanding of their baseline vulnerabilities to that of the eight agencies from the report? Is it safe to say that the findings and recommendations from the initial report and this month’s update are scalable and portable to all government agencies?
Further sobering are the specific details of the problems the 2021 update discovered at various agencies: user account and identification management issues on classified and non-classified networks; non-existent IT asset management records for over 14,000 devices and computers; high-risk, public-facing website security issues easily susceptible to attack; the undetected acquisition of sensitive PII files, including users’ financial information; an unauthorized “Shadow IT” presence that would not have been revealed unless it failed or was breached; and inadequate PII protection and application of the appropriate access management controls.
It is clear that the Committee on Homeland Security and Governmental Affairs is taking the problems and vulnerabilities revealed by its investigative subcommittee very seriously. What is vital to understand is that these government-wide issues are endemic cybersecurity problems for companies big and small. The scale of the Federal Government’s cybersecurity problems acts as a huge window into the private sector cybersecurity challenges ahead, potentially impacting the broader economy.
Systemic problems which the report encourages the government to immediately address include:
Legacy systems: Systems or applications no longer supported by the vendor with security updates. What’s more, funding is used on these costly, tough to secure legacy systems at the expense of funding other security efforts.
Failure to install: Security patches and remediation controls are not installed quickly enough or with regularity.
Asset inventories: Accurate and comprehensive information technology inventories are simply not done.
In the end, it is about the PII: Personally identifiable information is, more often than not, inadequately protected.
Who is in charge? Cybersecurity responsibilities are highly distributed, across the government and within the agencies themselves, making broad cybersecurity initiatives very difficult to implement. The one shared service offered by DHS, the National Cybersecurity Protection System (NCPS), also known as EINSTEIN, was found by the investigation committee to be woefully inadequate.
What is the plan? The Federal Government remains without a standardized cybersecurity strategy.
Table stakes: Encryption of sensitive data, user access management, multi-factor authentication and systems certification need to be implemented and maintained agency wide.
The higher order recommendations of the report are also illustrative of strategies organizations should consider:
For some, the central argument is that the U.S. is woefully unprepared to wage a “war of the future,” especially in cyber, where until recently the governmental response (based on publicly available reports) to cyber-attacks has been inaction, tepid warnings and/or heavy sanctions. The depth and breadth of the U.S. offensive posture in cyber is largely classified, potentially underutilized based on public reports, and has still not been subjected to the court of global opinion through a mainstream media-driven, news cycle grabbing U.S. offensive cyber-attack on another country (Stuxnet notwithstanding) of any significance or scale.
What has been clear, at least since July of 2019, is that the U.S. actually has a weak cyber-defense. And, to extend the sports analogy further: in American football, avoiding unforced errors, special teams, and a solid defense win games.
The technology of ransomware has evolved in sophistication and the business models of the criminal groups behind it have as well. The result: The threat from ransomware has reached pandemic proportions.
This post provides an executive level overview of the nature of this threat. It is designed to be read as an introduction to our accompanying post on how to mitigate the threat of ransomware to your organization. See: Ransomware, an update on the nature of the threat
In an article entitled “The international environment and countermeasures of network governance during the “14th Five-Year Plan” period” by Xu Xiujun (徐秀军) in the February 27, 2021 edition of China Information Security, we see the continuation of China’s concerns over Weaponized Interdependence and China’s desire to shape a global technology and economic environment that is less influenced by Western power. Xiujun identifies concerns in several interconnected areas including cybersecurity, economic centralization, and advancement in technologies like AI, Quantum, and 5G. See: China’s Plan for Countering Weaponized Interdependence
As the U.S. government parses through the SolarWinds software supply chain breach, many questions still remain as to the motive, the entities targeted, and the length of time suspected nation state attackers remained entrenched, unseen by the victims. The attack stands at the apex of similar breaches not only in the breadth of organizations compromised (~18,000), but in how the attack was executed.
See: If SolarWinds Is a Wake-Up Call, Who’s Really Listening?
While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? See: Solar Sunrise to Solar Winds
The SolarWinds hacks have been described in every media outlet and news source, making this incident perhaps the most widely reported cyber incident to date. This report provides context on this incident, including the “so-what” of the incident and actionable insights into what likely comes next.
Russian Espionage Campaign: SolarWinds
NASA is enabling another giant leap for humanity. With the Artemis program, humans will return to the Moon in a way that will enable establishment of gateways to further exploration of not just the Moon but eventually the entire solar system. The initial expenses of the program will return significant advances for scientific understanding and tangible economic returns. As Artemis continues, the project will eventually deliver improvements for humanity that as of yet have only been dreamed of. But there are huge threats. For more see: The Cyber Threat To Artemis
The last decade has seen an incredible increase in the commercial use of space. Businesses and individual consumers now leverage space solutions that are so integrated into our systems that they seem invisible. Some of these services include: Communications, including very high-speed low latency communications to distant and mobile users. Learn more at: OODA Research Report: What Business Needs To Know About Security In Space. Also see: Is Space Critical Infrastructure, the special report on Cyber Threats to Project Artemis, and Mitigating Threats To Commercial Space Satellites.
This panel at OODAcon brought together pioneering experts with ideas we believe hold the potential to cause order of magnitude improvements in cybersecurity posture. The ensuing discussion resulted in actionable insights you can put in place in your organization immediately to kickstart your journey in mitigating cyber risk.