ArchiveOODA OriginalSecurity and Resiliency

Stark Vulnerabilities and Strong Recommendations continue in 2021 update to “Federal Cybersecurity: America’s Data at Risk” Report (2019)

In a follow-up to a 2019 report that found major cybersecurity vulnerabilities at eight government agencies, the U.S. Senate Committee on Homeland Security and Governmental Affairs has released a 2021 updated report. Entitled Federal Cybersecurity:  America’s Data Still at Risk,  the update does not mince words: “This report revisits those same eight agencies two years later. What this report finds is stark.”  

Identifying the problems and vulnerabilities seems to be the first step toward improving the U.S. cyber-defenses. What is impressive is that the report has sophisticated recommendations and shared government-wide offerings which should be implemented to bolster specific agency defenses.  These recommendations and shared services are instructional for all cybersecurity professionals, public and private sector alike, when considering your organization’s cybersecurity efforts moving forward.  

Federal Cybersecurity:  The Vulnerabilities  

According to the report, especially concerning to the Senate investigative subcommittee which filed the report are the unprecedented scale of recent state sponsor hacker activity, including the December 2020 SolarWinds supply chain hack by the Russian SVR (Government agencies are still trying to understand the severity of the SVR attack, which went undetected for 9 months and is amongst the “largest and most damaging cyber-attacks in our history”) and the breach of federal agencies in April 2021 by a Chinese state-sponsored hacking group using remote access product Pulse Connect Secure, dodging password and multifactor authentication to access multiple agency’s data.   The volume of incidents is also troubling:  30,819 in 2020, up 8% from the prior year.  

What is further striking is that these unprecedented attacks occurred even after the 2019 report itemized in detail the agencies that were vulnerable to attack and how they were failing to secure data. Only DHS made significant improvements to its information security based on the findings and recommendations of the initial 2019 report. The other agencies only scarce improvements.  

The scope of the 2019 investigation was impressive:  the examination of ten years of inspector general audits reports, with a focus on the compliance by the agencies with Federal statutory cybersecurity standards. The eight agencies evaluated included:  the Department of Homeland Security, the Department of State, The Department of Transportation, the Department of Housing and Urban Development, the Department of Agriculture, the Department of Health and Human Services, the Department of Education, and the Social Security Administration.  

The most common vulnerabilities identified by the 2019 report will be familiar to private sector cybersecurity professionals as dogged, perennial issues impacting the speed and effectiveness of implementing cybersecurity update programs:  

  • Seven agencies failed to provide for the adequate protection of personally identifiable information (PII).  
  • Five agencies failed to maintain accurate and comprehensive IT asset inventories 
  • Six agencies failed to timely install security patches and other vulnerability remediation actions designed to secure the applications.  
  • All eight agencies used legacy systems or applications that are no longer supported by the vendor with security updates resulting in cyber vulnerabilities for the system or application.  

It is in this climate that state sponsored hacking groups attacked federal information systems to the tune of over 30,000 information security incidents in 2020. Of the eight agencies named in the report, only two (State and DHS) are confirmed as having been breached as part of the 2020 Russian SVR attack. What does that say about other three agencies that were penetrated as part of that attack (Treasury, Commerce, and the National Institutes of Health)? Do they have a similar understanding of their baseline vulnerabilities to that of the eight agencies from the report? Is it safe to say that the finding and recommendations from the initial report and the update this month are scalable and potable to all government agencies?  

Further sobering are the specific details of the problems discovered by the 2021 report update at various agencies: user account and identification management issues on classified and non-classified networks; non-exist IT asset management records for over 14,000 devices and computers; high risk, public facing website security issues easily susceptible to attack;  the undetected acquisition of sensitive PII files, including financial information of users; an unauthorized “Shadow IT” presence which would not have otherwise been revealed unless it failed or was breached;  and inadequate PII protection and application of the appropriate access management controls.   

Federal Cybersecurity:  The Recommendations 

It is clear that the Committee on Homeland Security and Governmental Affairs is taking the problems and vulnerabilities revealed by their investigative subcommittee very seriously. What is vital to understand is that these Government-wide issues are endemic cybersecurity problems for companies big and small. The scale of the Federal Government’s cybersecurity problems acts a huge window into the private sector cybersecurity challenges ahead, potentially impacting the broader economy.  

Systemic problems which the report encourages the government to immediately address include: 

Legacy systems:  Systems or applications no longer supported by the vendor with security updates. What’s more, funding is used on these costly, tough to secure legacy systems at the expense of funding other security efforts.  

Failure to install: Security patches and controls for remediation are not installed quickly enough and with a regularity.  

Asset inventories:  Accurate and comprehensive information technology inventories are simply not done.  

In the end, it is about the PII:  Personally identifiable information is, more often than not, inadequately protected.  

Who is in charge? Cybersecurity responsibilities are highly distributed, across the government and within the agencies themselves, making broad cybersecurity initiatives very difficult to implement. The one shared service offered by DHS, the National Cybersecurity Protection System (NCPS), also known as EINSTEIN, was found by the investigation committee to be woefully inadequate 

What is the plan? The Federal Government remains without a standardized cybersecurity strategy.  

Table stakes:  Encryption of sensitive data, user access management, multi-factor authentication and systems certification need to be implemented and maintained agency wide.  

The higher order recommendations of the report are also illustrative of strategies organizations should consider: 

  1. Risk-Based IT Budget Models:  A risk-based approach would be a sea change for government agencies and the private sector alike. A risk-based model guards against freewheeling IT spending based on broadly perceived cybersecurity weaknesses and instead allows for the analysis and determination of high probability security threats and their appropriate security measures. Key performance indicators (like return on investment) can also be more readily mapped to certain capabilities based on a risk-based model.
  2. Centralization and Accountability:  In this age of distributed networks, cloud services, and bottom up/democratized platforms, this recommendation seems dated and counterintuitive, but vital. The report recommends “a centrally coordinated approach for Government-wide cybersecurity to ensure accountability. A primary office should coordinate with appropriate agencies to develop and implement a cybersecurity strategy for the Federal Government.”
  3. Shared Services work:  The Cybersecurity and Infrastructure Security Agency (CISA), Cybersecurity and Quality Services Management Office should expand their shared services offerings available to all federal agencies and improve the inefficiencies with the EINSTEIN system, ideally with COTS products and solutions. DHS ‘owns’ the evaluation of EINSTEIN and justification of the cost of the program to Congress.
  4. Prioritization of Risk-based reporting metrics:  The Federal Information Security Modernization Act (FISMA) has been in place since 2014 as an amendment to the inaugural FISMA of 2002. The reporting metrics of audit reports have, as a result of the 2014 FISMA, been standardized throughout the government. The report now recommends that risk-based metrics should be prioritized to reflect the “overall maturity of an agency’s information security program.”  Threat patterns, security controls that address these threat patterns, and risks unique to the networks of particular agencies should be the primary indicators used to generate this maturity assessment.
  5. Expansive Modernization efforts need to be updated:  Recommended updates to the 2014 FISMA include inclusion of current cybersecurity best practices, making CISA the official leader of Federal cybersecurity operations, requirements for agencies and contractors to report certain cyber incidents to CISA, and the determination of a formal definition of “major incident” which would require agencies to “ notify Congress in a timely manner of significant cyber incidents instead of continuing to rely on the current definition which has promoted inconsistent notification to Congress.” 

Concluding Comments:

For some, the central argument is that the U.S. is woefully unprepared to wage a “war of the future,” especially in cyber, where until recently the governmental response (based on publicly available reports) to cyber-attacks has been inaction, tepid warnings and/or heavy sanctions. The depth and breadth of the U.S. offensive posture in cyber is largely classified, potentially underutilized based on public reports, and has still not been subjected to the court of global opinion based on a mainstream media-driven, news cycle grabbing U.S. offensive cyber-attack of another country (Stuxnext notwithstanding) of any significance or scale.  

What has been clear, at least since July of 2019, is that the U.S. has actually has a weak cyber-defense. And, to extend the sports analogy further:  in American football – unforced errors, special teams, and a solid defense wins games.

Additional Resources:

Ransomware: An update on the nature of the threat

The technology of ransomware has evolved in sophistication and the business models of the criminal groups behind it have as well. The result: The threat from ransomware has reached pandemic proportions.

This post provides an executive level overview of the nature of this threat. It is designed to be read as an introduction to our accompanying post on how to mitigate the threat of ransomware to your organization. See: Ransomware, an update on the nature of the threat

China’s Plan for Countering Weaponized Interdependence

In an article entitled “The international environment and countermeasures of network governance during the “14th Five-Year Plan” period” by Xu Xiujun (徐秀军) in the February 27, 2021 edition of China Information Security, we see the continuation of China’s concerns over Weaponized Interdependence and China’s desire to shape a global technology and economic environment that is less influenced by Western power. Xiujun identifies concerns in several interconnected areas including cybersecurity, economic centralization, and advancement in technologies like AI, Quantum, and 5G. See: China’s Plan for Countering Weaponized Interdependence

If SolarWinds Is a Wake-Up Call, Who’s Really Listening?

As the U.S. government parses through the Solar Winds software supply chain breach, many questions still remain as to the motive, the entities targeted, and length of time suspected nation state attackers remained intrenched unseen by the victims.  The attack stands at the apex of similar breaches in not only the breadth of organizations compromised (~18,000), but how the attack was executed.

See: If SolarWinds Is a Wake-Up Call, Who’s Really Listening?

From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice

While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? See: Solar Sunrise to Solar Winds

Russian Espionage Campaign: SolarWinds

The SolarWinds hacks have been described in every media outlet and new source, making this incident perhaps the most widely reported cyber incident to date. This report provides context on this incident, including the “so-what” of the incident and actionable insights into what likely comes next.

Russian Espionage Campaign: SolarWinds

The Cyber Threat to NASA Artemis Program:

NASA is enabling another giant leap for humanity. With the Artemis program, humans will return to the Moon in a way that will enable establishment of gateways to further exploration of not just the Moon but eventually the entire solar system. The initial expenses of the program will return significant advances for scientific understanding and tangible economic returns. As Artemis continues, the project will eventually deliver improvements for humanity that as of yet have only been dreamed of. But there are huge threats. For more see: The Cyber Threat To Artemis

Security In Space and Security of Space:

The last decade has seen an incredible increase in the commercial use of space. Businesses and individual consumers now leverage space solutions that are so integrated into our systems that they seem invisible. Some of these services include: Communications, including very high-speed low latency communications to distant and mobile users. Learn more at: OODA Research Report: What Business Needs To Know About Security In Space Also see: Is Space Critical Infrastructure, and the special report on Cyber Threats to Project Artemis, and Mitigating Threats To Commercial Space Satellites

Mitigating Cyber Risks: Four real world practitioners exchange views at OODAcon

This panel at OODAcon brought together pioneering experts with ideas we believe hold the potential to cause order of magnitude improvements in cybersecurity posture. We the ensuing discussion resulted in actionable insights you can put in place in your organization immediately to kickstart your journey in mitigating cyber risk.

Daniel Pereira

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.