The Homeland Security Department issued an alert in May detailing a series of attacks against government and industry. The U.S. Computer Emergency Readiness Team released an analysis report detailing nine incidents between July 2014 and May 2015 in which hackers stole what they call “bulk personally identifiable information (PII)” from public and private-sector organizations.
“The cyber threat actors involved in each of these incidents demonstrated a well-planned attack and high level of sophistication,” US-CERT wrote in the report, which Federal News Radio obtained.
While US-CERT doesn’t go into detail about whom the incidents impacted, two of the first three incidents reported involved government personnel data. In one of the incidents to which US-CERT responded, “PII data belonging to hundreds of thousands of government personnel was compromised.”
As DHS saw this trend of attackers trying to steal bulk PII, Secretary Jeh Johnson issued the first-ever Binding Operational Directive (BOD) to the civilian agencies.
S.Y. Lee, a DHS spokesperson, said in an email to Federal News Radio that, given the current level of risk to federal systems, Johnson’s directive on May 21 told each agency to mitigate the most critical vulnerabilities on its Internet-facing systems within 30 days.
Lee said if agencies cannot mitigate a particular vulnerability, they should work with DHS cybersecurity experts in developing an approach that will effectively reduce the agency’s risk.
A DHS official said, as of June 1, DHS is providing E3A services to 13 federal civilian departments and agencies, protecting nearly half of civilian personnel. DHS also has established Memoranda of Agreement with 52 federal agencies to implement E3A.
“This capability focuses on preventing malicious activity at the perimeter of federal civilian executive branch networks through a combination of commercial and government information and technology,” Lee said. “It is a unique system that utilizes classified information to protect unclassified network traffic for federal civilian executive branch networks and allows DHS to better detect, respond to, and appropriately counter known or suspected cyber threats identified within the federal network traffic it monitors. As the department detects and stops adversaries’ attacks with Einstein, we will take the knowledge we gain and share it with the private sector and other partners, meeting their information needs in a manner that is consistent with the protection of privacy and civil liberties. They will be able to use this information to better protect themselves.”
White House Press Secretary Josh Earnest said Friday, in announcing the more rapid expansion of the Einstein program, that it is part of the administration’s ongoing focus on cybersecurity.
“[W]e have seen our adversaries use innovative techniques and to learn from their previous efforts to try to find vulnerabilities in our system and to exploit them,” Earnest said. “And that means that our defenses, and those who are responsible for protecting these systems, need to be vigilant about constantly updating and reviewing our security measures to make sure that our computer systems, and the data that they hold, are safe.”
A clear trend among recent cyber breaches
Sen. Tom Carper (D-Del.), ranking member of the Homeland Security and Governmental Affairs Committee, said the Obama administration made the right decision to expedite the implementation of Einstein across government.
“Given that the Einstein system played a key role in uncovering this recent serious cyber attack on the Office of Personnel Management, we need to make sure federal agencies have this system in place as soon as possible,” he said in a statement. “I commend the administration’s steadfast attention and actions on this pressing issue. That being said, cybersecurity is a shared responsibility. I look forward to working with my colleagues to follow up on the administration’s actions and ensure that this critical cybersecurity system is properly implemented across the federal government.”
Chris Finan, the CEO of Manifold Security and a former White House and Defense Department cyber official, said the similarities among recent hacks are clear.
“All the evidence suggests that this was the same group or an affiliated group to the perpetrators of the Anthem and the Premera Blue Cross intrusions earlier this year. What was really interesting about those data breaches was that the data never showed up. They stole a ton of records. I think for Anthem it was like 80 million customer Social Security numbers, and for Premera it was even more detailed account information, I think, for like 11 million people. None of that identity information ever showed up on the black-market criminal websites,” he said. “So the theory is that it was stolen for cyber espionage purposes, not cyber criminal purposes. It’s interesting that we are seeing the same IP addresses, some of the same hacking tools used in the OPM breach, and so the modus operandi (MO) may indeed be espionage.”
Finan said it would be telling if this new data gathered from 4 million current and retired feds shows up on the PII black market.
A government IT official, who requested anonymity, said the espionage theory is one that doesn’t get a lot of attention, but should.
The official says, at their agency, they see targeted spear phishing attacks in which the emails look legitimate but include links or documents that are infected with malware. Once a federal employee opens them, the attackers are in the network. That is the cyber attackers’ end goal, the official said.
The source said it looks as though the Chinese, or whoever is behind the attack, are gathering very detailed information about employees and combining it with the security clearance data that was stolen from USIS and KeyPoint Government Solutions over the last year. They now have a goldmine of data that they can use through emails or calls to figure out a way to get into the government’s networks.
Mark Weatherford, a former deputy under secretary for cybersecurity at DHS and now a principal at the Chertoff Group, said, unlike some private-sector data, federal-employee data brings with it additional reasons to be nervous.
“The one thing that is a bit concerning is, when you think about the government employees that have security clearances and access to sensitive information, having certain kinds of this information can make them more susceptive perhaps to blackmail, extortion and things like that,” he said. “That’s one of the concerns that is a little bit higher for government employees.”
Both Finan and Weatherford expressed concern that OPM’s data was not encrypted.
Finan said, based on the reports he’s seen, the hackers got into a system or on a server, beat the server’s required authentication and were able to pull data off in batches.
Weatherford added, when an organization like OPM has crown jewels like personnel data, the security bar should be higher.
“[W]e know that there are a variety of actors that pose a threat to our computer networks. In some cases, there are state actors. In some cases, there are individuals that are acting on behalf of states. In some cases, these are simply criminal enterprises. And the goals of each of those organizations or individuals is different. In some cases, it’s simple espionage that a foreign government is conducting,” Earnest said. “We’ve raised significant concerns about economic espionage that some companies — and even some states — engage in. This is the concern that we have frequently raised with the Chinese government. In some cases, we’re just talking about raw criminal enterprises — that there are individuals that are out there looking to steal somebody’s identity so that they can use that information to get money that they otherwise aren’t entitled to.”
Through the binding operational directive, DHS is trying to raise agencies’ expectations and actions.
Lee said DHS helps agencies by measuring and motivating them to be more secure, providing a baseline of security for the federal government, and coordinating the national response to significant cybersecurity incidents and providing incident response assistance to impacted agencies. Agencies are responsible for their own risk management, while DHS provides a consistent baseline of security in areas where it is affordable and efficient to take a governmentwide approach.
Lee did not provide a copy of the binding operational directive.
One government source said the directive is similar to the memorandum of agreement agencies signed with DHS to let it scan their networks in the aftermath of the Heartbleed and Jazz Bug vulnerabilities that they dealt with last year. In October, the Office of Management and Budget authorized DHS to regularly conduct proactive scans of certain civilian agency networks.
The source called the BOD “a big deal” because it’s going to require far more coordination within the agency among technology and mission areas. The source said DHS is basically saying, from here on out, if something is cyber critical, that pretty much trumps everything and agencies need to move out of it immediately.
A second government source says the definition of a critical vulnerability is based on the National Vulnerability Database, which defines critical as anything that has a rating of a 10. The source said there are probably hundreds of these critical vulnerabilities across the government.