A few months ago, worried officials from the Department of Veterans Affairs reported a record number of attempts to insert malware onto their systems: 1.19 billion in one month. But there are some indications that March was the high water mark for that particular form of cyber threat and that the tides are beginning to recede.
Stephen Warren, VA’s chief information officer, told reporters this week that the volume of malicious software that made its way across federal network boundaries and into VA systems declined significantly in both of the past two months: By May — the most recent month for which statistics are available — malware detections fell to 575 million, and Warren expressed guarded optimism that the downward trend would continue or at least stabilize.
He gave much of the credit to the Department of Homeland Security’s EINSTEIN system, which is meant to create a governmentwide perimeter around agency networks. VA became the first large adopter of the most advanced version, known as 3A, when it integrated it with the department’s existing security systems last year.
But the payoff from the newest edition didn’t arise until the rest of the government began to come aboard, something that’s started to happen over the last several months. Only 20 percent of the government is covered by Einstein 3A so far, but its objective is to let agencies share cyber threat signatures with DHS so that attempted attacks can be thwarted at federal network boundaries. As additional agencies have signed on, Warren said that’s exactly what’s happened.
“When we were the only department that was using this, we could only defend ourselves against the threats we already know about,” he said in a telephone briefing with reporters. “As more and more organizations become part of the protection, a threat vector against anyone has resulted in protections for everybody else. It’s allowing us to improve more quickly and be more aware. Every time one agency sees a probe on either the classified or unclassified side, it’s not only spotted, but the protections against future attacks apply to us all. It’s a tremendous multiplier of all of our capabilities.”
The 3A iteration of Einstein improves upon previous versions in that it automatically blocks malicious network traffic based on signatures spotted in any prior attempts to sneak malicious software into a federal agency system. Earlier versions also use signatures, but they simply warn network administrators that bits of traffic appear to be suspicious and require human intervention in order to deal with a given threat.
Rising wave of threats
At VA, Warren said the rate at which suspicious emails are making their way into VA systems also appears to be declining after cresting in March: during that month, VA systems detected 81 million such emails; in May, they detected 74 million.
“As more and more agencies use [Einstein 3A], we’re seeing not just the multiplier effect but also some natural tuning as more folks bring it online,” Warren said. “It’s pushing down on a rising wave of threats and allowing us to adapt our systems based on what we’ve all been seeing. But we’re also trying to bear in mind the kinds of warnings stockbrokers give: past performance is not necessarily an indication of future performance. We are not complacent about the fact that the volume has come down, because the persistence of the attackers has not changed and their sophistication has not changed. Most of what we’ve accomplished has probably been about knocking down the easy ones. That causes us to keep looking at the cases that aren’t so easy and what we need to be doing to stay in front of the threat.”
The decline in malicious activity on VA’s networks also coincides with the point at which officials — concerned at that time about a rapid increase in malware attacks — decided to add restrictions to employees’ ability to browse the Web.
In March, VA began using an outside contractor to filter all of its users’ queries to Internet sites. The approach is essentially a whitelisting policy. In general, VA users cannot access any website unless it has been previously vetted and validated as malware-free, part of a process called “characterization.”
“What you’ve seen in other organizations that have done this is they’ve knocked out a tremendous amount of drive-by or click-by compromises, because those are the places where a majority of the malware and bad actors sit,” Warren said. “We simply don’t let you go there. But if you need to go somewhere that hasn’t been characterized yet because you have a mission need, we’ll put it at the top of the queue to validate it.”
But Warren acknowledged that’s a daunting task: there are about a million new sites added to the public Internet each day. He said the department would strive to find a reasonable balance between its varied users’ needs to access the outside world with the department’s pressing cybersecurity concerns.
And VA already has taken steps to acknowledge differences between the requirements of its various health care and benefits arms across the country, Warren said. Two years ago, VA decided to delegate decisions about how and whether to restrict Internet access to local and regional departmental officials.
New CIO takes over Monday
But Warren said VA is examining further restrictions, and he laid out options for regional managers during a recent cyber summit.
“For example, we already do monitoring at the desktop as folks click on a link or bring something down, but what we’re talking about now is completely locking these things out and completely disallowing any downloading of files,” he said.
Warren emphasized though that final decisions about those policies will not be his to make.
Beginning on Monday, Laverne Council will assume the position of VA CIO and assistant secretary for information and technology, a position Warren has filled in an acting capacity for the past two years. He said he will defer any policy decisions about Internet blocking and many other policy matters (including whether to continue conducting regular media briefings) until she takes office and is adequately briefed on current operations and policies.
In that vein, Warren said he left VA’s first-ever comprehensive cybersecurity strategy on Council’s desk before he reverts to his day job: the chief operating officer of the department’s $4 billion IT apparatus.
“It’s something we’ve had in multiple documents in multiple forms and we thought it was important to pull it together into a single place,” he said. “It’s basically the same things I’ve discussed in various hearings and press briefings: Providing security while ensuring mission delivery. It’s how you lock things down while doing your mission, and that’s not just an IT issue. It’s a cultural thing, and it’s making sure that every single employee understands that this is part of their job. We’ve been talking with not just the IT workforce, but the entire VA workforce to sensitize them to safe practices. It not only allows them to bring those practices into work, it allows them to take them home.”