Responding to cyber penetrations into federal IT systems at the Office of Personnel Management and elsewhere, the Office of the Director of National Intelligence said Wednesday that it was launching a “comprehensive” and governmentwide counterintelligence campaign. The program, officials said, is intended to head-off future data thefts and blunt the impacts of those that already have occurred, beginning with a multimedia blitz warning of the dangers of spear phishing attacks.
ODNI’s National Counterintelligence and Security Center is crafting the program for a target audience of federal employees, contractors and their families, but hopes the “awareness” materials it is producing will also be adopted by the private sector. Over the next four months, the program will broaden its reach to cover hacks via social media, human targeting and safeguarding sensitive or personal information when feds are traveling overseas, said Bill Evanina, the national counterintelligence executive.
But he said his office decided to begin the awareness campaign with warnings about spear phishing: carefully crafted emails that are designed to get a particular user to click on a malicious link. The approach is based on the premise that for a vast majority of network intrusions, poor cyber hygiene on the part of government employees and contractors has at least as much to do with an enemy’s success as a network’s technological underpinnings.
“In 91 percent of the breaches we’ve seen in the government and private sector over the last several years, the attacks emanated from spear phishing,” Evanina told a Washington conference organized by the Intelligence and National Security Alliance and AFCEA. “As an intelligence official, what that means to me is that our adversaries do not need to use sophisticated techniques to compromise our systems and our people. It’s one email.”
Evanina said the campaign will be mostly an informational one, although some agencies have taken more aggressive steps such as sending test phishing messages to their own users in order to gauge how susceptible they are to the hacking technique — sometimes to shame users who click on malicious links — but usually to “set the tone” that employees need to be on the watch for malicious email traffic.
“This is mostly about awareness, so we’re putting together video vignettes, posters and literature that can go out to government employees and anyone else that can use it to clean up their cyber hygiene,” he said. “The end result, we hope, is that just a few people don’t click on malicious links and we may prevent a massive breach in the future. That sounds dramatic, but most of these breaches start with a spear phishing success. If just a few people get the message and don’t click on an email because it doesn’t look right, we can save a lot of personally identifiable information that otherwise would be stolen.”
Cyber intrusions traced back to successful phishing attacks
The OPM hack, which exposed sensitive personal information including background investigation records for nearly 22 million people, originated via login credentials the attackers stole from a contractor, most likely via an earlier phishing attack against the private vendor’s own systems .
A sophisticated phishing campaign also is suspected as the origin of a recent attack on the unclassified email system used by the military’s Joint Staff. That penetration forced DoD to shut down the Joint Staff’s email services for several weeks.
“That was a good reminder to all of us that you can have the greatest technology and greatest defensive structure in the world, but in the end, you can never underestimate the impact of user behavior,” Adm. Mike Rogers, the commander of U.S. Cyber Command, told a small gathering organized by the Woodrow Wilson Center on Tuesday evening. “If you look at that penetration, they were trying to attack dozens of different segments of our military networks. They were only able to achieve the penetration in one of those segments.”
Put another way, whether by technological defenses or good training, much of the rest of the military avoided falling victim to the same attack. The Coast Guard, for example, has publicly acknowledged that it was able to fend off the phishing campaign before it landed in the inboxes of any of its users.
As for the Joint Staff, Rogers said even though its systems were compromised, Cyber Command developed a series of “workarounds” to let its users continue to perform their missions even while their core email services were unavailable.
“It’s not quite as simplistic as that — but I don’t want to tell everyone exactly what we do and how we do it as we defend our networks,” he said. “But we also have to get used to the idea that despite your best efforts, you are going to be penetrated. It’s not a question of if, it’s how and when. If you go back a few years ago, me and most of my fellow cyber warriors spent most of our time trying to protect our perimeters. We have to pay a lot more attention to how our critical functions can continue to get executed even when our networks are degraded, which is what we did on the Joint Staff.”
Rogers said the spear phishing campaigns Cyber Command is seeing also are extremely persistent and hackers are increasingly adept at changing their tactics in response to measures that aim to stop attacks at the government’s network boundaries.
He said the exact same attackers that eventually made their way into the Joint Staff’s systems had tried to do so one week before, unsuccessfully.
“I watched the same actor totally change the structure they used and they came back literally within a week with a totally different scheme of maneuver that I had not seen before,” he said. “Every day, we are in contact with a series of adversaries that are constantly changing. We have to be innovative and constantly changing if we’re going to keep up with it. We have to acknowledge that we’re not going to be perfect. We have to deal with user behavior, but we need to be resilient if someone gets in.”
With respect to the OPM hack, Rogers said Cyber Command assisted in developing mitigation plans after the attack was discovered, but he reiterated the government’s position that DoD has no day-to-day role in fending off attacks against civilian agency systems.
“That’s not our mission. But as we started to realize the implications of the OPM attack, we started to work with them about how we could apply DoD capabilities, if that’s what they required,” Rogers said. “In the end, we were able to use my National Security Agency hat. We deployed a lot of NSA personnel and expertise to OPM to help them understand what had happened and how to structure their network for the future. But it wasn’t just us, it was DHS, FBI and others. We’ve become a pretty tight team over time.”