A leading National Security Agency official said Tuesday that none of the high-profile cybersecurity breaches in government over the past two years required hackers to employ the strongest tools at their disposal.
Less than two weeks after the arrest of an NSA contractor at Booz Allen Hamilton sent shockwaves through the intelligence community, NSA Deputy National Manager for National Security Systems Curt Dukes told reporters that cyber adversaries have their hands on unknown vulnerabilities in vendor software — so-called “zero-day” vulnerabilities — but have consistently breached government IT systems through known vulnerabilities before they can be patched.
“In the last 24 months, not one zero-day has been used against each one of those intrusions. Basically, the adversary took advantage of poorly secured systems. Once they had that initial foothold, they then elevated privileges and then moved to mission objective — which was either exfiltration of PII information [or] exfiltration of evidence,” Dukes said.
In the case of the Office of Personnel Management data breach, during which hackers stole the personally identifiable information (PII) of 21.5 million people, Dukes said OPM’s vulnerability came from having so many departments and agencies need access to its personnel management system.
“Cyber defense is largely an individual enterprise. What I mean by that is that you may do a good job in protecting your network, but because of those trust relationships, you have a dependency on those other networks, and they may not be practicing the same level of security that you would like to see, Dukes said. “We’re increasingly connected when it comes to our networks, and so what we’ve found in the last 24 months is that an adversary typically will exploit those trust relationships.”
Aside from the OPM data breach, the federal government has responded to several cyber intrusions over the past two years. In October 2014, hackers infiltrated unclassified computer networks at the Executive Office of the President and the State Department, causing temporary outages. A spear phishing attack in July 2015 at the Pentagon also breached an unclassified email system of the Joint Chiefs of Staff.
“If you’re a computer network exploitation team, you don’t want use a zero-day, you want to keep those in reserve for only the hardest targets that you’re going after. In that last 24 months, OPM, EOP and State Department weren’t particularly well protected, and so the adversary didn’t have to use a zero-day. They could use a known exploit that they knew had not had a patch installed for that,” Dukes said.
With only three months until the start of the next presidential administration, Dukes said he’d like to see the incoming team rethink national cyber defense. Part of that strategy, he said, should include better government cyber hygiene to weed out the most preventable cyber intrusions.
“So far, we haven’t actually changed the equation for the adversary. They still can easily attack us, achieve mission objectives. I want to actually raise the cost… to the adversary. They’ll have to then start using zero-days against us, and that will help industry better prepare us for those type of attacks, Dukes said.
The NSA works regularly with cybersecurity officials at the Department of Homeland Security and the FBI, but Dukes said the government’s cross-agency response hasn’t kept pace with hackers.
“As we orchestrate across those three departments and agencies, what we find is we’re sub-optimal, and by the time we actually respond to an intrusion, it takes hours to days. By then, in cyber time, the adversary’s already met their objective. I think, as a nation, we have to rethink how we actually organize when we do cyber defense to protect the whole of the nation,” he said.
Arrest of former NSA contractor leaves questions unanswered
Three years after the unprecedented disclosure of secret government data by Edward Snowden, the arrest of another NSA contractor has grabbed headlines. Harold Thomas Martin III, of Glen Burnie, Maryland, was arrested by FBI officials in August, but news of his alleged theft of NSA documents surfaced only this month.
Around the time of Martin’s arrest, top-secret NSA data was reported to have been leaked by an online group calling itself the Shadow Brokers. When asked whether Martin’s arrested was connected to the leaked documents that appeared online, Dukes said he couldn’t comment on the ongoing investigation, but confirmed that the online post did include some cyber vulnerabilities.
“I can’t speak to whether or not what [Martin] had is actually what was posted on the Shadow Brokers site, in that regard, but what I can say is that there were a number of zero-days that were actually included in that posting,” Dukes said.