Interior Department watchdog ‘highly successful’ at hacking agency’s networks

The Department of the Interior’s Office of Inspector General (OIG) said Wednesday that it has been “highly successful” at accessing the agency’s networks as part of a security audit due to cybersecurity shortcomings. 

As part of a security audit, OIG employees conducted penetration testing on the Interior Department’s networks and were successfully able to break into networks and access sensitive information, including intercepting and decrypting network traffic, accessing internal networks at two Interior Department bureaus, and stealing the credentials of an agency IT employee. 

The OIG accessed the networks through simulating previous attacks by malicious hackers to target federal agencies, including using portable testing units concealed in backpacks and operated by smartphones to test the networks while the OIG employees were positioned in publicly accessible areas of Interior Department buildings.

The OIG noted that the penetration testing went “undetected” by both IT personnel and security guards. 

“We used the same tools, techniques, and practices that malicious actors use to eavesdrop on communications and gain unauthorized access,” the OIG wrote in a report detailing the security audit results. “Many of the attacks we conducted were previously used by Russian intelligence agents around the world.”

Based on findings from the audit, the OIG accused the agency’s Office of the Chief Information Officer of failing to “establish and enforce wireless security practices” and concluded that the Interior Department did not carry out regular tests of its network security or maintain inventories of its wireless networks and published inadequate security guidance. 

“Without operating secure wireless networks that include boundary controls between networks and active monitoring, the Department is vulnerable to the breach of a high-value IT asset, which could cripple Department operations and result in the loss of highly sensitive data,” the OIG wrote.

In order to prevent successful cyberattacks, the OIG recommended the Interior Department take more than a dozen steps to increase security, and noted in the audit that 13 of the recommendations had already been resolved by the agency. 

Interior Department Chief Information Officer William Vajda responded to each of the OIG’s recommendations in a letter attached to the report, writing that his office “appreciated working” with the OIG. 

“I am pleased to report that the Department not only concurs with all of the Office of the Inspector General’s recommendations, but also have substantially complied with all of them, with just a few remaining tasks to be accomplished with respect to a few of the recommendations,” Vajda wrote to Interior Department Inspector General Mark Lee Greenblatt. 

In a statement given to The Hill on Thursday, a spokesperson for the Interior Department emphasized to The Hill that most of the vulnerabilities were “substantially addressed.”

“The Office of the Chief Information Officer takes the protection of our assets and systems very seriously,” the spokesperson said. “Over the past two years, we have implemented multiple controls to standardize wireless networks across the Department to ensure a consistent level of security. As a result, we substantially addressed all Office of Inspector General recommendations prior to the release of this report.”

The OIG noted in the report that despite these strides forward, the agency can do more to shore up cybersecurity.

“Until the Department improves its cyber risk management practices, its computer networks and high-value IT assets will be at risk of compromise, the results of which could have serious or severe adverse effects on Department operations, assets, or individuals,” the OIG wrote. “The Department has begun taking significant steps to mitigate these weaknesses, but more remains to be done.”

-Updated at 7:10 p.m.