White House sprints to patch security flaws
The White House is nearing the end of a 30-day “cyber sprint” aimed at plugging the most gaping holes in the government’s network security.
The administration is scrambling to fortify its online defenses after hackers repeatedly infiltrated federal agencies, making off with everything from U.S. weather data to the president’s private schedule to, most recently, private data on virtually every government employee.
{mosads}Many on Capitol Hill and in the security community have praised the White House for taking steps to address the security weaknesses.
“It’s a good step, but it’s not enough,” Sen. Barbara Mikulski (D-Md.) told The Hill.
In early June, the White House announced that federal agencies had been directed to patch critical vulnerabilities, restrict the number of people with access to privileged data, quicken the adoption of multi-factor authentication and scan systems for malicious activity.
It was the first public response to the massive data breach at the Office of Personnel Management (OPM), which has likely left over 18 million people’s sensitive information in the hands of Chinese hackers.
House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah), who has been a vocal critical of the Obama administration’s security efforts, gave the administration some credit, though he said the action was coming far too late.
“That race started about 15 years ago, but I’m glad they’re going to start to get in the race,” he told reporters.
Some observers have been impressed by the White House’s unusual tempo and aggressiveness during the 30-day effort.
“I’m seeing efforts to bring in outside companies to help with stuff,” said Rodney Joffe, a senior technologist at security firm Neustar who has advised numerous agencies on cyber practices. “I’ve been impressed with the rates and the speed with which that is happening.”
Similar “sprints” are common in the tech sector, Joffe said.
Others are worried that the directive is merely a smokescreen for deeper problems.
“All of that is just absolute hype,” said Robert Lee, a former cyber officer in the Air Force and co-founder of Dragos Security. “There is no way any of that does any good towards their goal.”
Experts see many of the directives handed down by the White House as basic maintenance.
Multi-factor authentication, for example, is commonplace for online banking systems and email service providers. In addition to a password, users must provide a second form of identification, such as a one-time pin number sent to a phone.
Limiting the number of people with access to sensitive data is also considered a best practice at many companies. Without the restrictions, digital intruders are able to roam around networks undetected after lifting any employee’s login details.
In fact, that’s how the OPM hackers got into the database housing federal workers personnel files. Officials acknowledged that digital invaders stole a government contractor’s login credentials and used that information to crack the OPM network. The hackers ultimately made off with the records of 4.2 million current and former government employees.
Without the top-down order from the White House, many security specialists and former officials believe numerous agencies would have continued to drag their feet on changing their practices.
Members of Congress have hammered OPM officials, for instance, for not promptly adopting multi-factor authentication despite the repeated warnings of their inspector general.
“It’s about time that there be this type of high-level impetus on cybersecurity,” said John Cohen, a former counterterrorism coordinator and intelligence analyst at the Department of Homeland Security. “I think that what it does is hopefully serve as a wakeup call.”
But some counter that the directive is too scattershot.
“It might patch up those things, but it is misleading to say they’re going to do all of that,” said Lee, of Dragos Security.
“What they should be saying is, ‘Hey, we’ve identified those top two things … we’re going to address these one or two priorities,’” Lee added. “If you have more than one or two priorities you don’t have priorities.”
Others, such as Cohen, worry that the White House is doubling down on outdated concepts of cybersecurity.
“We, at the federal level, still seem to be overly focused on cyber strategy that focuses on perimeter security and rapid identification of intrusions,” he said.
It’s inevitable that perimeters will get breached, Cohen said. Progressive organizations have started focusing more on how to best encrypt and store data, so that once the hackers get in, they won’t be able to read or remove it.
Cohen pointed out that the order doesn’t include any explicit mention of encryption, a topic that has become a point of contention in the wake of the OPM breach.
While OPM officials have insisted that encrypting its data would not have thwarted its hackers, tougher security could have helped in previous government breaches.
Suspected Chinese hackers last year infiltrated U.S. Investigations Services (USIS), a government contractor handling background checks, and stole at least 27,000 DHS officials’ records.
Cohen said that when those records were on the DHS servers, they were encrypted, but not while they were in transit to USIS, leaving them vulnerable.
The White House says it’s working to address these challenges under the directive.
When the sprint ends in a week, Federal Chief Information Officer Tony Scott is expected to release this review, which will include a long-term plan to tackle the shortcomings. The White House said the plan would include methods to “better protect data at rest and in transit.”
The strategy will be key to winning over critics in Congress.
“I’d say across the board this administration probably hasn’t taken cybersecurity of our own federal system seriously enough,” Senate Homeland Security and Governmental Affairs Committee Chairman Ron Johnson (R-Wis.) told The Hill. “Listen, I will support any measure that does take this seriously, starts implementing the type of solutions that we need, but it’d be awful nice if the president would provide leadership.”