By Joseph Marks
One of the large video screens is checked in the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., Wednesday, Aug. 22, 2018. (AP Photo/Cliff Owen)
The first priority: Looking for evidence of any major hacks that wormed through government defenses the past 35 days while agencies were working with a skeleton crew of security pros.
It will take them days or weeks to pore through security logs to assess how much damage the shutdown did to the security of government computer networks and the sensitive data they hold. The attacks did not abate because the government was closed: One cyber manager who worked without pay during the shutdown described an uptick in attacks on his agency -- including phishing emails containing malware, attempts to reset employee passwords and attempts to trick users into downloading malicious software cloaked as a legitimate update.
Also on the docket: Figuring out how to adjust the multimillion-dollar contracts to upgrade and secure federal IT systems that have spent more than a month on ice.
Perhaps most dishearteningly, cyber and IT leaders across the government will need to figure out the smartest way to prepare for the possibility of another shutdown if Congress and the president can’t reach a new funding deal when the current one expires in three weeks. President Trump has said congressional Democrats must give him new money for a U.S.-Mexico border wall or risk another shutdown when the temporary funding expires.
The best hope, former officials told me, is that agencies can learn from the shutdown just ended to prepare as smartly as possible for the next one — if and when it comes.
“In terms of preparing to shut down again, the agencies should look at any lessons they have learned from having to operate with a skeleton crew and make adjustments based on that very recent experience,” Michael Daniel, former White House cybersecurity coordinator, told me by email.
Already, the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency is gearing up to take on some big projects post-shutdown. CISA was operating with about half its staff furloughed and the remainder working without pay during the shutdown. But this week, one of its top goals will be implementing an emergency directive, issued Jan. 22 during the shutdown, that orders agencies to protect their Domain Name System records from a DNS hijacking campaign that private-sector researchers have linked to Iran, an agency official told me.
Tampering tied to that campaign affected “a number of agencies” during the shutdown, according to a tweet stream from CISA Director Chris Krebs.
We are aware of a number of agencies affected by the tampering activities and have notified them. In part, by issuing the directive, CISA seeks to work with agencies to detect and prevent additional impacts on agencies and systems. 2/7— Chris Krebs (@CISAKrebs) January 23, 2019
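The directive referred to above asked agencies, among other things, to audit their public DNS records against what they expect to be published and to watch Certificate Transparency logs for certificates issued for their names that they did not request. The following is an added example, not code from the newsletter, from CISA or from any agency, of what that minimal check looks like; the domain names, IP addresses, issuers and log entries are constructed for illustration.

```python
"""Added example: a minimal DNS-record and Certificate Transparency audit of
the kind the DNS-hijacking directive asked agencies to perform. Runs offline
over constructed data so the logic can be read and tested on its own.

A hijack of the type described swaps a legitimate domain's A/NS/MX records for
attacker-controlled values, then obtains a valid TLS certificate for the
hijacked name. Two cheap detections follow: diff live records against a
signed-off baseline, and flag CT-log certificates from unexpected issuers.
"""
from dataclasses import dataclass

# Constructed baseline: the records an agency signed off on at its last review.
BASELINE = {
    ("mail.example.gov", "A"): {"192.0.2.10"},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
}

# Constructed "current" snapshot (in practice this would come from a resolver
# query). The mail host's A record now points outside the agency's ranges,
# and a record the baseline never had has appeared.
OBSERVED = {
    ("mail.example.gov", "A"): {"203.0.113.77"},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("vpn.example.gov", "A"): {"203.0.113.78"},
}

# Constructed CT log entries; fields mirror what public CT search feeds expose.
CT_ENTRIES = [
    {"name": "mail.example.gov", "issuer": "Let's Encrypt", "not_before": "2019-01-05"},
    {"name": "www.example.gov", "issuer": "DigiCert", "not_before": "2018-11-02"},
]
# Assumption: the only CA the agency has authorised to issue for its names.
AUTHORISED_ISSUERS = {"DigiCert"}


@dataclass
class Finding:
    severity: str
    name: str
    detail: str


def diff_records(baseline, observed):
    """Flag baseline records that vanished or changed, and records that
    appeared without being in the baseline at all."""
    findings = []
    for key, expected in baseline.items():
        name, rtype = key
        got = observed.get(key)
        if got is None:
            findings.append(Finding("high", name, f"{rtype} record missing"))
        elif got != expected:
            findings.append(Finding(
                "high", name,
                f"{rtype} changed {sorted(expected)} -> {sorted(got)}"))
    for key in sorted(observed.keys() - baseline.keys()):
        name, rtype = key
        findings.append(Finding(
            "medium", name, f"unexpected {rtype} record {sorted(observed[key])}"))
    return findings


def check_ct(entries, authorised):
    """Any certificate for one of our names from a CA we did not authorise is
    the second half of a hijack (or a misissuance) and needs a human look."""
    return [
        Finding("high", e["name"], f"cert from {e['issuer']} on {e['not_before']}")
        for e in entries
        if e["issuer"] not in authorised
    ]


def audit(baseline=BASELINE, observed=OBSERVED,
          ct=CT_ENTRIES, authorised=AUTHORISED_ISSUERS):
    """Run both checks and return the combined list of findings."""
    return diff_records(baseline, observed) + check_ct(ct, authorised)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.severity}] {f.name}: {f.detail}")
```

The point of keeping the baseline as data an administrator signed off on, rather than yesterday's query result, is that a hijack that has already persisted for a day would otherwise become the new normal; the CT check catches the case where the record was changed and restored between two runs but the attacker kept the certificate.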
The agency also plans to relaunch efforts focused on supply chain cybersecurity and pipeline security, the official said.
“We are happy to be back at it, and look forward to getting the full force of CISA back up to speed,” the official said.
CISA and other agencies must also focus after the shutdown on restoring the morale of highly skilled workers who missed two successive paychecks and may be seriously considering leaving government for the private sector, former officials told me.
Those agencies should also move to restart the hiring process for new cyber pros as quickly as possible, Philip Reitinger, a former top DHS cyber official, told me.
“One piece of advice I'd offer agencies trying to hire cybersecurity talent is to start reaching out to prospective hires on Monday,” Reitinger said, “assuring them that they are valued and that the government needs them — please don't be discouraged and decide to work elsewhere.”
The Pentagon building in Washington, DC. (AFP PHOTO/STAFF/Getty Images)
“Despite some progress in fending off attacks staged by in-house ‘Red Teams,’ the testing office said, ‘we estimate that the rate of these improvements is not outpacing the growing capabilities of potential adversaries who continue to find new vulnerabilities and techniques to counter fixes,’” Bloomberg’s Anthony Capaccio reported.
The critical assessment may be publicly released as early as this week, Capaccio reported.
John Scott-Railton, a senior researcher at the Citizen Lab, poses for a photograph in New York on Jan. 17. (Kathy Willens/AP)
“Who these operatives are working for remains a riddle, but their tactics recall those of private investigators who assume elaborate false identities to gather intelligence or compromising material on critics of powerful figures in government or business,” Satter reported. Ron Deibert, the director of Citizen Lab, which is based at the Munk School of Global Affairs and Public Policy at the University of Toronto, said the undercover operations were “a new low,” according to the AP. NSO said in a statement that it was not involved “either directly or indirectly” in the operations. The AP also reported that it found no evidence that the operatives were tied to NSO.
Ukrainian Cyber Police Chief Serhiy Demedyuk in Kiev, Ukraine, on Nov. 2, 2017. (Valentyn Ogirenko/Reuters)
The hackers have also used offers for software updates and shopping invitations in their attempts to steal personal information. “Russian state structures have never interfered, and are not interfering, in the internal affairs of other countries,” Kremlin spokesman Dmitry Peskov said in response to Demedyuk's comments, according to Reuters.
A person holds a sticker after voting in Durham, N.C., on May 8, 2018. (Gerry Broome/AP)
— Officials in the city of Sammamish, Wash., moved municipal computer systems offline following a ransomware attack and are working with a security consulting company to unearth information about the attack, according to StateScoop's Colin Wood. “The city has stopped processing passports, pet licenses and permits, and also took its map services offline,” Wood reported. “Many of the city’s shared storage drives are inaccessible, city spokeswoman Sharon Given told StateScoop. The city also cancelled its credit cards as a precaution.”
— More cybersecurity news from the public sector:
Facebook chief executive Mark Zuckerberg in San Jose on May 1, 2018. (Marcio Jose Sanchez/AP)
Instagram doesn't include end-to-end encryption on its chats, Facebook Messenger offers the option for users who turn on the “Secret Conversations” feature and WhatsApp does offer default end-to-end encryption already, Wired's Lily Hay Newman noted. “In attempting to unify its chat services, Facebook will need to find a way to help users easily understand and control end-to-end encryption as the ecosystem becomes more porous,” Wired reported.
— More cybersecurity news from the private sector:
Hands type on a computer keyboard in Los Angeles on Feb. 27, 2013. (Damian Dovarganes/AP)
— More cybersecurity news from abroad:
- Senate Intelligence Committee open hearing on worldwide threats tomorrow.
- Senate Armed Services Committee hearing on “Department of Defense enterprise-wide cybersecurity policies and architecture” tomorrow.
- Senate Armed Services Committee hearing on China and Russia tomorrow.
- BSidesPhilly cybersecurity conference in Philadelphia on Friday.
- B-Sides Tampa cybersecurity conference in Tampa on Saturday.