U.S. Government Plays Cyber Catch-Up
It’s been a rough year for those responsible for U.S. government network security. First, cybersecurity operators were notified that SolarWinds—a popular service used by government agencies and contractors alike—was compromised in a major supply chain attack that provided Russian actors access to sensitive information as part of an espionage campaign.
Then, in March, Microsoft called out China for taking advantage of a vulnerability in the company’s Exchange email program to hack into organizations around the globe. And in April, cybersecurity firm Mandiant accused China of orchestrating a series of compromises to a Pulse Secure, LLC, program. U.S. federal government employees use this program to remotely connect to agency networks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert on the Pulse Secure compromise, saying that since June 2020 it affected government agencies, critical infrastructure entities, and other private sector organizations.
“The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence,” according to CISA. “The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.”
CISA mandated that all civilian agencies scan their systems to see if they were impacted by the Pulse Secure compromise and to take actions to address it. This mandate marked the second time in just seven weeks that the agency issued an emergency directive to take action to secure federal networks. Prior to 2021, CISA issued just three emergency directives in 2020 and one in 2019.
“Over the last year, CISA has issued several alerts urging agencies, governments, and organizations to assess and patch Pulse Connect Secure vulnerabilities,” said Acting CISA Director Brandon Wales in a statement. “This emergency directive reflects the seriousness of these vulnerabilities and the importance for all organizations—in government and the private sector—to take appropriate mitigation steps.”
The cascade of cybersecurity compromises highlights an ongoing problem that was first noted in 1997 by the U.S. Government Accountability Office (GAO), when it placed information systems security weaknesses on its High-Risk Series, an annual assessment of high risks to the U.S. federal government.
“These weaknesses pose high risk of unauthorized access and disclosure or malicious use of sensitive data,” GAO explained in the assessment. “Many federal operations that rely on computer networks are attractive targets for individuals or organizations with malicious intentions. Examples include law enforcement, import entry processing, and various financial transactions.”
The GAO highlighted that U.S. defense systems may have experienced roughly 250,000 attacks from hackers in 1995, with roughly 64 percent of them being successful and most going undetected.
“Since June 1993, we have issued over 30 reports describing serious information security weaknesses at major federal agencies,” GAO wrote. “In September 1996, we reported that, during the previous two years, serious information security control weaknesses had been reported for 10 of the 15 largest federal agencies. We have made dozens of recommendations to individual agencies for improvement and they have acted on many of them.”
Incremental improvements will not give us the security we need.
But the U.S. government has not implemented hundreds of other GAO recommendations, and has often failed to move at a rapid pace when addressing cybersecurity at civilian agencies. That could finally be changing.
In May, U.S. President Joe Biden signed an executive order to begin overhauling the U.S. government’s cybersecurity and lay the groundwork for future improvements and outreach to the private sector.
“Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” the executive order said. “The federal government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of protection and security must include systems that process data (information technology) and those that run the vital machinery that ensures our safety (operational technology).”
The executive order instructs agency heads to take numerous steps that fall into seven overarching categories: removing barriers to threat information sharing between government and the private sector; modernizing and implementing stronger cybersecurity standards in the federal government; improving software supply chain security; establishing a Cybersecurity Safety Review Board; creating a standard playbook for responding to cyber incidents; improving detection of cybersecurity incidents on federal networks; and improving investigative and remediation capabilities.
Many of the action items touch on addressing vulnerabilities that malicious actors used to compromise federal networks. For instance, the executive order creates baseline security standards for the development of software sold to the federal government along with requirements for developers to maintain greater visibility into their software. It also requires service providers to alert agencies they have contracted with about any cyber incidents—or potential incidents. These mandates address some of the vulnerabilities that were brought to light during the SolarWinds incident.
Along with these processes, the executive order also requires the U.S. federal government to implement security best practices.
“Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors,” according to a White House fact sheet on the executive order. “The federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.”
In addition to improving security, the executive order mandates touch on many of the problems that the GAO has identified in its assessments that have long been overlooked.
“We’re sitting at 25 years that GAO has been calling cybersecurity one of the highest risk areas to the nation,” says Nick Marinos, director, information technology and cybersecurity, at GAO. “And in some ways, the difficulty here is that it’s not only evolving—it’s getting bigger in the challenges and threats that our country and the world are facing from cyberspace attacks.”
Some of these threats were highlighted in the report that Marinos’ team published in March 2021, High-Risk Series: Federal Government Needs to Urgently Pursue Critical Actions to Address Major Cybersecurity Challenges, which represents the findings from 40 reports GAO published in the last two years on cybersecurity.
The report emphasized the need for “significant attention” from the U.S. federal government to establish a comprehensive cybersecurity strategy and perform effective oversight. Key to this is the creation of a central role in the executive branch to implement the national strategy once it’s compiled.
Congress authorized the creation of the Office of the National Cyber Director within the Executive Office of the President to do just that. And in April, U.S. President Joe Biden nominated John Chris Inglis to fill the role. But he had not been approved by the U.S. Senate as of Security Management’s press time.
With the issuance of the executive order, there is an even more urgent need to fill this position as whoever holds it will be instrumental in implementing the order—as well as hiring support staff to oversee the work.
“The legislation called for several dozen positions to be created and filled within the office,” Marinos says. “To get to that point and get fully up and running will take time.... The urgency is there. We don’t have time to waste on this issue.”
Jennifer Franks, director of IT and cybersecurity issues at GAO, says that the ability to implement the numerous mandates outlined in the executive order is top of mind.
“You can establish policies and procedures, but what we do is look at the implementation strategies of what these agencies are doing,” she says. “The executive order establishes a clear timeline of what you should be accomplishing, who you should be coordinating with, and how to communicate with others what you have been accomplishing.”
Previous administrations have gotten to the point where they have organized priorities on cyber threats, but they have not been able to execute a governmentwide strategy.
“That’s been difficult,” Marinos adds. “There are many things going on across the federal government that are good, but it’s hard to know what effect they’re having until you combine them—then you could find opportunities to share lessons learned, increase the capacity of one program over another, and get a sense of urgency that is missing from a lack of clarity on who is running point.”
Most of the 16 agencies it reviewed had incident response processes with “key shortcomings” that limited their ability to minimize damage from attacks.
One crucial area that needs to be addressed is incident response to cyber intrusions, data breaches, or attacks. In 2019, the GAO found that most of the 16 agencies it reviewed had incident response processes with “key shortcomings” that limited their ability to minimize damage from attacks.
The executive order sets out to solve this problem, laying out a process to create a standardized playbook and set of definitions for cyber incident response by federal departments and agencies.
“Recent incidents have shown that within the government, the maturity level of response plans vary widely,” the White House fact sheet said. “The playbook will ensure all federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.”
The GAO also highlighted the need for the federal government to take action to protect critical infrastructure, explaining that the government had only implemented 30 of GAO’s recommendations in this area out of nearly 80 made since 2010. This need became even more paramount the week that Biden signed his executive order, during which a ransomware attack caused a major oil and gas pipeline company, Colonial Pipeline, to shut down operations. While not an attack on federal networks, the incident that began on a private network could have cascaded to create a national security issue.
Marinos says he is encouraged to see the emphasis the executive order placed on addressing critical infrastructure security through improving mechanisms for information sharing and supply chain security. Both of these initiatives will boost the federal government’s cybersecurity while also enhancing the private sector’s security, he says.
The GAO has also made additional recommendations that need to be implemented, including that federal agencies with lead roles in protecting critical infrastructure collect and report on improvements from using the National Institute of Standards and Technology (NIST) Cybersecurity Framework and more specific recommendations, such as plans developed by the U.S. Department of Energy (DOE) for electric grid cybersecurity.
“DOE had developed plans and an assessment to address the risk to the electric grid; however, we found that these documents did not fully address risks to the grid’s distribution systems,” according to the GAO report. “To address this issue, we recommended that DOE more fully address cyber risks to the grid’s distribution systems in its plans to implement the national cybersecurity strategy for the grid.”
In April 2021, the DOE announced it would begin a 100-day plan to address cybersecurity risks to the U.S. electric system.
“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” said Secretary of Energy Jennifer M. Granholm in a statement. The plan encourages electric grid owners and operators to implement measures or technology to enhance detection, mitigation, and forensic capabilities related to cybersecurity. It also created milestones for owners and operators to identify and deploy systems that enable near real-time situational awareness and response capabilities in critical industrial control system and operational technology networks.
Additionally, the GAO recommended that the Federal Aviation Administration (FAA) prioritize oversight of evolving cyber threats and increasing connectivity between airplanes and other systems; that DHS update its guidance for the Chemical Facility Anti-Terrorism Standards (CFATS) program, such as incorporating training practices and identifying workforce cybersecurity needs; and that the Transportation Security Administration (TSA) fully incorporates NIST cybersecurity standards into select assessments for the transportation sector.
“Until our recommendations are fully implemented, federal agencies may be limited in their ability to ensure the critical infrastructures are protected from potentially harmful cybersecurity threats,” according to the report.
The executive order is a good start, but Marinos and Franks say it falls short of the national cybersecurity strategy that the United States needs.
“The reality is that without that and seeing how the executive branch will take action to implement a national comprehensive cybersecurity strategy, we will be left with questions,” Marinos says. “Are we best positioned for future attacks that are going to continue to evolve—just like the technology we rely on?”