
April 19, 2007 4:13 PM PDT

Cyberattacks at federal agencies draw House scrutiny

WASHINGTON--As new details emerged about cyberattacks against networks at the State and Commerce departments last year, politicians on Thursday said they're concerned many federal agencies are ill-prepared to fend off such intrusions.

Members of a U.S. House of Representatives cybersecurity subcommittee said they weren't confident that the computer systems at bureaus within the State and Commerce departments were adequately secured and scrubbed of backdoors that could allow cybercrooks to re-enter. They also questioned agency representatives on whether they could truly guarantee that sensitive information hadn't been accessed or copied.

"We don't know who's inside our networks," subcommittee chairman Rep. James Langevin (D-R.I.) said at an afternoon hearing here. "We don't know what information has been stolen."

Indeed, 21 of 24 major federal agencies had weak or deficient information security controls in place during the last fiscal year, according to audit reports, said Gregory Wilshusen, director of information security issues for the Government Accountability Office.

Pitfalls ranged from failing to replace well-known vendor-supplied passwords on systems to not encrypting sensitive information to not creating adequate audit logs to track activity on their systems, according to a new GAO report (PDF) he summarized at the hearing.

One of the main purposes of the hearing was to allow officials at the State and Commerce departments to give the first complete public accounts of the cyberattacks since news reports brought the incidents to light several months ago.

The State Department troubles began in May, said Donald Reid, senior coordinator for security infrastructure for the agency's Bureau of Diplomatic Security. An employee at an office in the East Asia Pacific region opened an e-mail message that contained what appeared to be a legitimate Microsoft Word document of a congressional speech--but when opened, actually unleashed malicious code that allowed the intruder backdoor access to the State Department's network.

The agency's intrusion detection system "immediately" detected the flaw and later discovered additional breaches on its systems in other Asian outposts and at its Washington headquarters, Reid said. In the process of analyzing that malicious code, analysts also discovered another previously unknown hole in the Windows operating system that lacked a security patch.

Realizing that Microsoft would not be able to issue a fix as speedily as necessary, the department developed a temporary "wrapper" designed to protect the systems from continued exploits, Reid said. All the affected systems were brought back up and running by July, and the department has not encountered further troubles, Reid said. (Microsoft ultimately released the new patch in August.)

Some politicians targeted Reid's assurances that the attacks only affected "unclassified" systems. Because government auditors have determined that the State Department lacks a complete inventory of its computer systems, "how can you be certain your classified networks aren't touching your unclassified networks, and can you really know hackers have only accessed unclassified networks?" Langevin asked. He also suggested that even unclassified networks can contain "sensitive" data.

Also encountering pointed questions from the handful of politicians present Thursday was Dave Jarrell, manager of the Commerce Department's Critical Infrastructure Protection Program.

Jarrell recounted events that transpired beginning in July at his department's Bureau of Industry and Security, which handles the sometimes thorny topic of export controls. After a senior BIS official discovered one morning that he could not log in to his machine, an agency computer security team went on to discover 33 computers that had attempted to establish connections to suspicious Internet protocol addresses originating from Internet servers in China.

Some politicians criticized the bureau for admittedly not knowing exactly how long the attackers were able to gain access to their systems. Jarrell said the agency was "very confident" that the data on existing machines is safe. He blamed the inability to pinpoint the time of the intrusion on faulty audit logs and said the agency was fixing that problem.

Politicians also used the hearing to lash out again at the Department of Homeland Security's persistently lagging cybersecurity efforts. They lamented that the agency had only managed to pull up its own information security grade, as determined by its compliance with federal standards, to slightly above failing this year. (The State and Commerce departments, for their part, both received F's.)

"I'll be honest with you," Langevin said. "I don't know how the department thinks it's going to lead this nation in securing cyberspace when it can't even secure its own networks."

I believe the topics discussed will be
by ajbright April 19, 2007 6:01 PM PDT
1/People are idiots for not applying patches
2/Microsoft are crap
3/Microsoft are great
4/Macs are great
5/Macs are crap
6/I hate Bill Gates
7/Linux will solve everything
8/Wild Conspiracy theories about GW and Homeland Security
9/Wild Conspiracy theories that are accidentally true about GW and Homeland Security
10/Lefties are gay
11/Righties are Nazis
U.S Government Cyber Security
by n3td3v April 19, 2007 7:36 PM PDT
You'll never be able to secure your networks as long as state funded cyber attacks exist.

The threat isn't from individual bedroom hackers, it's from government hackers who are being funded and directed by intelligence agencies the world over.

If U.S Government invest mission or billions in cyber security, other big nations (india?) have as much money to research ways to break in to U.S Government computers, no matter how sophisticated.

America can stop bedroom hackers for sure, but they aren't the real threat to national security are they, state funded cyber attacks are.
spelling error
by n3td3v April 19, 2007 7:41 PM PDT
"invest mission or billions."

It's meant to say "invest millions or billions."
Groups
by Phillep_H April 20, 2007 4:48 PM PDT
Government hackers will certainly be a problem for other governments, but crime groups and the political/religious groups are more a threat to businesses and home users. Gov't looks for specific things, the others look for anyone vulnerable.
The day God died
by wildchild_plasma_gyro April 20, 2007 1:40 AM PDT
So anyway there they are the last 50 people on the planet in their super Nearly got to peta rich bunker that was built buy yet more idiots of god(boris).
So anyway boris finds that the food has run out and his best mate fred wants to eat him. "Don't you fear the raf of god" boris says "no" says fred "i fear you less than the other 48 in here who all voted you next". "but i spread the fish" boris says "we've fell for that enough times" fred says laughingly.
"But i set people free" Boris , "we're all honerery freemasions in here mate" shouts another bloke.
"I am the devine, my ansisters book was the true book" say boris "nah i hate eating paper" says fred.
Donk god gets eaten.

If you want to read chapter two why deciding who got eaten next looked nothing like a triangle.

Please pay
Lots of thought to yourself and whats in your way of achieveing your dreams and true integrity here on DIY earth.
They should darn well "draw scrutiny"...
by i_made_this April 20, 2007 10:14 AM PDT
...because in today's day and age, secure comm's aren't exactly brain surgery. They can even use Windows XP if they wish but Windows Internet Explorer is not well advised. Use Firefox plus Cypherix like a number of our other government agencies here and abroad do, as well as firms like IBM and Lockheed Martin, and they'll be just fine. Wouldn't it be nice if DHS actually kept up to date with CERT advisories? Or would that be too easy?
Let them use anything they like, but
by Macsaresafer April 20, 2007 2:13 PM PDT
make sure they know that if they get hacked, it's their jobs that get hacked next. Do that, and Windows and IE will both disappear.
You can spend trillions
by MSSlayer April 22, 2007 12:59 PM PDT
On security tools and it will do nothing for two reasons:

People are apparently allowed to put sensitive data in laptops and thumb drives. This easily defeats all security.

Even worse is that people are stupid. Low tech social engineering can beat any security you want to throw at it. The governments and businesses need to stop hiring idiots who give out log in information to anyone who asks.
The social engineering thing is true
by Leria April 25, 2007 2:10 AM PDT
The social engineering thing is true, though I am not sure about the laptops and thumb drives thing, not with the encryption tech of today.

As to the social engineering thing..... that is usually done by posing as a higher up in the company from some other branch or higher up in the government, and people are TRAINED to give out information on command to these people.

Now, in order to stop those social engineering things you have to do one of two or more things: tell people to NEVER give out, write down, etc. their information, especially passwords, or simply have everything on a central computer where people are allowed to change documents, but not take them home or download them to other computers.