By: Terresa Monroe-Hamilton
This is one of those ‘Holy Crap!’ moments. I simply could not believe what I was reading here. We now know that the Chinese hacked the Interior Department three years ago and stole security clearance files and other sensitive personal information of some 22 million U.S. federal employees. Per Fox News, evidently the cyber defenses at the Department of Interior, which hosted White House Office of Personnel Management (OPM) servers targeted in the theft, were still unable to detect “some of the most basic threats” inside the Interior’s computer networks — including malware actively trying to make contact with Russia.
How incompetent and sloppy can you get? The Office of Inspector General (OIG) conducted a 16-month examination of the Interior’s ability to detect and respond to cyber-threats. It was discovered that their IT guys did not bother to implement a sweeping array of mandatory, government-wide defensive measures ordered up after the disastrous OPM hack, didn’t investigate blocked intrusion attempts and left “multiple” compromised computers on their network “for months at a time.”
Very, very sensitive security clearance files have now been moved to the Department of Defense. But there is soooo much more that is wrong here, it is difficult to know where to begin. The report noted the following:
● Sensitive data at the Interior could be taken out of the department’s networks “without detection.”
● Network logs showed that a computer at the U.S. Geological Survey, an Interior bureau, was regularly trying to communicate with computers in Russia. The messages were blocked, but “the USGS facilities staff did not analyze the alerts.”
● Dangerous or inappropriate behavior by network users — including the downloading of pornography and watching pirated videos on Russian and Ukrainian websites — was not investigated.
● Computers discovered to be infected with malware were scrubbed as soon as possible and put back into use — meaning little or no effort went into examining the scope and nature of any such threats to the broader network. This happened, the OIG team noted, with one intruder they discovered themselves.
● Simulated intrusions or ransomware attacks created by the examiners were carried out with increasing blatancy without a response — in the case of ransomware, for nearly a month
● After the devastating OPM hack, which was discovered in April 2015, the department didn’t even publish a lessons-learned plan for its staffers based on the disaster. The OIG inspectors reported that the Interior started to draft an “incident response plan” that month to deal with future intrusions, but “did not publish it until August 2017” — two months after the OIG team had finished their lengthy fieldwork.
● Distressingly, the report also notes that the department’s cybersecurity operations team was not privy to a list of the Interior’s so-called “high-value IT assets” prepared by the Chief Information Officer, “due to its sensitive nature.”
In other words, the people who should have been assigned with protecting the Interior’s sites and information were blocked from doing so.
'Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure'
— Donald J. Trump (@realDonaldTrump) May 11, 2017
Assets included: “IT systems, facilities and data that are of particular interest to nation-state adversaries, such as foreign military and intelligence services.” Very often they would “contain sensitive data or support mission-critical Federal operations.” To put it bluntly, almost nothing has been done since the OPM hack. And it’s not just the Interior… pick a federal agency and you would probably find similar results. That is wholly unacceptable. They are leaving us wide open to attack by our enemies. We are trusting idiots with national security here.
I think it is safe to say that every federal agency needs to be examined by competent IT people from top to bottom. The systems are without a doubt breached and infiltrated. And it needs to be done now, not later. When OIG staffers presented 23 recommendations to fix the huge gaps in the Interior’s digital defenses, the department’s top IT officials agreed, but said some of the most important fixes would take as many as five years, due to budgetary constraints. Here’s a thought… trim some of that pork off the budget and get this fixed before a foreign enemy takes down our federal agencies!
“This is totally unacceptable and absurd,” says Jason Chaffetz, former head of the House Committee on Oversight and Government Reform, which in 2016 issued a scathing report on the lapses surrounding the earlier OPM security breach. “With one good trip to Best Buy we might be better off,” he added. That’s sadly true. Whole systems are going to have to be scrapped and redone to get a handle on this. And while you are at it, do intensive, in-depth background checks on everyone and fire those who don’t pass the sniff test. I am certain as well that we have spies within our agencies and they need to be ferreted out ruthlessly.
The report is damning. It’s evidence of widespread gross negligence on the part of Interior’s top cyber-officials. This is not a new condition. A lot of it grew under Obama, but it has been metastasizing for decades. Now, Trump will have to take this tiger by the tail and clean up this mess. All of this is further complicated by previous federal efforts to centralize and rationalize the bureaucracy, including creation of a number of “shared business centers” across the government. We are talking over 150 federal agencies here. Wrap your head around that problem.
Those shared business centers are where OPM’s personnel servers were located. Though OPM itself was responsible for maintaining the security of its servers, according to the OIG report, the hackers who stole personnel files “moved through the U.S. Office of Personnel Management environment through a trusted connection to the [Interior] Department’s data center, pivoting to human resources systems hosted by the Department.” These “lateral” connections across the government provided by the service centers are a “gold mine” to foreign intelligence hackers when penetrated, according to the cybersecurity expert consulted by Fox News. In addition, databases at the Interior Department offer foreign hackers additional sensitive troves.
The Interior’s nine bureaus may be best known for managing the nation’s national parks and vast land resources. But federal lands and waters also supply some 30 percent of U.S. oil and gas production and the department’s bureau of reclamation is the country’s second-largest provider of electrical power. The U.S. Geological Survey monitors water resources and harvests satellite data on a global basis. Geothermal, solar and wind resources are also concentrated on federal lands and the department also oversees the safety and environmental soundness of offshore drilling.
President Trump has already issued an executive order that declares that “the executive branch has for too long accepted antiquated and difficult-to-defend IT,” and that “known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies.” The various heads of federal agencies were supposed to begin reporting on their “risk management measures” to deal with those problems within 90 days of the May 11, 2017, executive order. That obviously never happened.
When asked about the incompetence at the Interior, a senior official made excuses and claimed to be laser-focused on cybersecurity. You’re kidding, right? The President’s Management Agenda was also meant to institute the upgrade of information technology, especially the work force employed. Funds for the tech upgrade are supposed to come from a renewable, $500 million Technology Modernization Fund. In addition, the President’s proposed 2019 budget contains some $80 billion in IT and cybersecurity spending, ostensibly a 5.2 percent increase.
The administration says the upgrade could take one to two years. I’m not sure we have that long. Look at the threats we are facing. The Interior’s cybersecurity defenses are riddled with holes. They got a ‘C’ in 2017. In reality, they should have gotten an ‘F’. The program needs a complete shift in focus and experts brought in that can get the job done regardless of cost. This is a national security issue. If we have computers trying to talk with the Russians, we have a fatal flaw in our cybersecurity. And just switching to the ‘cloud’ is not going to handle it. Fox News is to be commended for doing first rate reporting on this.
Pingback: Trevor Loudon's New Zeal Blog » What Cybersecurity? Interior Department Computers Trying To Talk To Russia
Pingback: What Cybersecurity? Interior Department Computers Trying To Talk To Russia