By Brian Krebs
washingtonpost.com Staff Writer
Thursday, April 19, 2007 5:33 PM
Federal computer networks are being targeted on an unprecedented scale and recent high-profile compromises at two key federal agencies are likely just the most visible symptoms of a government-wide security epidemic, government security experts told a congressional oversight committee today.
Officials from the Commerce and State departments appeared before the House Homeland Security Committee's cyber-security panel to explain at least three separate instances where sensitive government electronic data was compromised.
Donald Reid, senior coordinator for security infrastructure at the State Department's Bureau of Diplomatic Security, described how an employee at an agency installation in East Asia opened a virus-infected e-mail attachment disguised as the text of a congressional speech. Investigators later found that the virus leveraged a previously unknown security hole in Microsoft's Word software that allowed the sender to evade anti-virus programs and hijack any Windows computer used to open the document.
Further investigation showed that hackers had infiltrated State Department systems in Washington and other agency posts in the Pacific region. In the process of examining the infected systems in Washington, forensics experts learned that attackers had infiltrated them using another undocumented software security hole, a flaw in Microsoft's Windows operating system.
Dave Jarrell, manager of the critical infrastructure protection program at the Department of Commerce, said agency investigators learned in July 2006 that hackers using Chinese networks had broken into its network after one of its top officials complained that he was unable to log on to his computer. A follow-up audit showed that the official had been locked out of his account after hackers unsuccessfully tried to log into his system, and that his machine and at least 32 other systems on the department's network had been seeded with a malicious software program designed to cloak the fact that unauthorized users had gained access to the network.
Officials from both agencies assured lawmakers that no classified information or networks were compromised by the break-ins. But Rep. James Langevin (D-R.I.), the panel chairman, said it was impossible for the officials to make that statement definitively, as neither agency had completed its required annual inventory of computer systems.
"I think these incidents have opened a lot of eyes in the halls of Congress. The truth is we don't know the scope of our networks. We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security," Langevin said. "These are not the only agencies experiencing problems. They are simply the only attacks that have been made public."
Indeed, evidence indicates that all federal agencies were similarly compromised last summer, said Marcus Sachs, director of the SANS Internet Storm Center, a Bethesda, Md.-based organization that tracks Internet security trends.
"These attacks didn't affect just the federal government, but also the private sector, state agencies and other national governments," Sachs said in an interview during a break at Thursday's committee hearing. "What we don't know is what they were able to do, what did the attackers do after that? There is just no telling."
Federal agencies are fending off and cleaning up digital attacks against their information systems on a scale never seen before, said Jerry Dixon, director of the Department of Homeland Security's National Cyber Security Division. In 2006, the NCSD received reports of nearly 24,000 security "incidents," activity that ranges from attackers probing electronic networks for security holes to computer virus infections to cases of unauthorized access to government information resources. The NCSD is already on track to receive more than double that number of incident reports in 2007, Dixon said.
Protecting large government and private sector networks is a task complicated by the regular need to update thousands of computers and servers. According to an analysis by washingtonpost.com, in at least 10 instances last year Microsoft rushed to issue a security update to fix previously unknown software flaws that criminals were already using to break into vulnerable systems. In all of 2006, Microsoft shipped 104 updates to plug software holes labeled "critical," flaws so dangerous that hackers could exploit them with little or no help from the victim. Forty-one of those vulnerabilities resided in Word and other widely used Microsoft Office programs and could be exploited by virus writers simply by convincing a recipient to open an infected e-mail attachment.
Both the Commerce and State departments received failing grades for their handling of computer security in 2006, according to "report cards" handed down by a congressional oversight committee last week. The Department of Homeland Security, which is responsible for ensuring the security of federal information systems and leading by example, earned a grade of "D."
"I don't know how [DHS] thinks it's going to lead this nation in securing cyberspace when it can't even secure its own networks," Langevin said. "Not only are these grades embarrassing, they're dangerous."