The federal government got hammered on multiple fronts Wednesday over its inability to protect its computer networks from cyberattacks.
A top lawmaker on Capitol Hill sounded the alarm about agencies’ use of a web program widely known to be outdated and vulnerable. Across town, the Government Accountability Office revealed in a new report that agencies still hadn’t implemented hundreds of recommendations to shore up their cyberdefenses. And even the watchdog at the National Security Agency, which is tasked with defending U.S. communication systems, rebuked the agency for failing to properly safeguard sensitive data stored in its networks.
The Trump administration has promised to make improving federal cybersecurity a priority, but the stories on Wednesday show that agencies across government still aren’t taking even basic steps to defend themselves against digital threats. And it raises questions about whether President Trump is following through on his pledge to hold agency heads accountable for protecting their networks — a goal he set more than a year ago in his sweeping cybersecurity executive order.
“What’s missing is White House leadership,” Sen. Ron Wyden (D-Ore.) told me in an email. “There is no one in the executive branch with the vision, authority, and appetite to address all of the low-hanging fruit for defensive cybersecurity.”
“For far too long, the executive branch has failed to embrace basic cyber hygiene,” added Wyden, who sent a letter Wednesday to the heads of the NSA and the Department of Homeland Security calling for the government to stop using Adobe Flash. The multimedia program is riddled with security flaws and will stop receiving security updates in 2020. “Most of this stuff isn’t rocket science — it is basic cyber hygiene,” Wyden said, “but someone needs to care enough to prioritize fixing it.”
The White House recently parted ways with two of its top cybersecurity officials, who could have helped corral agencies into action. In their absence — and with plans to eliminate the role — it’s not clear who could lead such an effort. That makes the critiques of the government’s cybersecurity posture look even more troubling. Consider the following:
— Per Wyden’s letter, top cybersecurity officials haven’t offered guidelines for phasing out Adobe Flash, even though researchers have shown how hackers have used the software’s vulnerabilities to launch cyberattacks.
— Agencies throughout government haven’t heeded about 1,000 of 3,000 recommendations issued by the GAO on protecting cyber critical infrastructure, managing the cybersecurity workforce, and responding to cybersecurity incidents.
— NSA personnel aren’t complying with rules for protecting “computer networks, systems and data,” according to the agency’s inspector general. The agency also has “inaccurate or incomplete” security plans and had fallen behind on basic federal information security guidelines, the inspector general found.
Trump vowed on the campaign trail to order a review of U.S. cyberdefenses and to confront malicious cyber activity by foreign governments. His cybersecurity executive order issued in May 2017 was no doubt a step in that direction, outlining plans for the president himself to hold agency heads accountable for managing cybersecurity risks.
But a year on, some experts are wondering when they will see results. “They made the claim that leadership was going to be held responsible. What does that mean? Do you give them more money? Do you fire people? What’s the date for holding people accountable?” said Ari Schwartz, who served as the National Security Council’s senior director for cybersecurity during the Obama administration.
“It’s a case-by-case situation, but there has to be some follow-up,” he told me. “And now is the time to become impatient about it.”
Indeed, pressure is building on the White House to whip agencies into shape — and some of it is coming from within the administration. A May report by the Office of Management and Budget and the Department of Homeland Security found that dozens of federal agencies weren’t equipped to deal with cyber intrusions. Of 96 federal agencies examined, a whopping 71 had cybersecurity programs deemed “at risk or high risk.”
And not everyone is laying blame on the White House, including Rep. John Ratcliffe (R-Tex.), who is sponsoring legislation to codify into law a DHS program for identifying cybersecurity risks. In a hearing on the OMB report's findings Wednesday, he said he was concerned about the federal government's struggle to detect cyberthreats. But he told me afterward he feels the administration is taking the issue seriously.
“The Trump administration has been incredibly supportive of our efforts to address the glaring cybersecurity weaknesses in our federal government,” Ratcliffe said in an email. “I’m confident we will see improvement in this space if we continue strict and vigilant oversight along the way.”
PINGED: “Trump will convene a meeting Friday of the National Security Council on election security, a session that could include a discussion of possible Russian interference in November’s midterm elections, according to a White House official,” The Washington Post's Philip Rucker and Ashley Parker reported Wednesday. Trump has made conflicting comments and suggestions on the matter in recent days. In a tweet on Tuesday, he said without evidence that Russia “will be pushing very hard for the Democrats” in the 2018 midterm elections.
“But when he sits down Friday with his national security team — which includes Bolton, Secretary of State Mike Pompeo, Defense Secretary Jim Mattis and intelligence and military chiefs — Trump is expected to be confronted with the government’s latest intelligence regarding election threats, including from Russia,” Rucker and Parker wrote. “It was unclear what Friday’s agenda entailed, but it would be striking to convene a meeting on election security without delving into the Russian threat — especially as the president is under scrutiny for his warm overtures to Putin.”
PATCHED: Speaking before the Senate Foreign Relations Committee on Wednesday, Pompeo defended Trump's stance on Russia and said the president is “well-aware of the challenges that Russia poses to the United States and our partners and allies.” In his opening remarks to the committee, Pompeo also said that he “personally made clear to the Russians there will be severe consequences for interference in our democratic processes.”
As he concluded his opening statement, he sought to dispel concerns about Trump's position on Russian interference. “I want you to know, President Trump has stated that he accepts our intelligence community's conclusion that Russia meddled in the 2016 election,” Pompeo said. “He has a complete and proper understanding of what happened. I know. I briefed him on it for over a year. This is perfectly clear to me, personally.”
Sen. Robert Menendez (D-N.J.), the committee’s top Democrat, had a heated exchange with Pompeo about Trump’s meeting with Putin in Helsinki, with both men interrupting each other several times at the beginning of the hearing. “In his conversation with Putin, I hope the president laid out the consequences of interference in the 2018 election, but I know you can't tell me that,” Menendez said. Pompeo interjected, saying that Trump has stated publicly that he raised the issue with Putin and that “Vladimir understands that it won’t be tolerated.” “I wish he had said that in public in Helsinki,” Menendez shot back. Pompeo also responded in the affirmative when Menendez asked him if he would work with senators on new legislation to punish Russia.
PWNED: “Amid mounting warnings about another Russian cyberattack on the 2018 midterm elections, [Trump]’s former homeland security adviser said a recent staff shake-up ordered by national security adviser John Bolton has left the White House with nobody in charge of U.S. cyber policy and raised concerns about 'who is minding the store,' ” Yahoo News's Michael Isikoff wrote Wednesday. “ 'On cyber, there is no clear person and/or clear driver, and there is no clear muscle memory,' said Tom Bossert, who served as White House homeland security adviser until last April, in an interview with the Yahoo News podcast Skullduggery.”
Additionally, Bossert, who had briefed the president on Russian interference, lamented Trump's news conference in Helsinki, Isikoff reported. “ 'We talked extensively on cybersecurity,' said Bossert about his briefings with Trump. 'I thought we had a sufficient number of conversations on this particular matter,' ” Isikoff wrote. “'So look, I don’t mean to pile on him. I’ve stated I was pretty disappointed — I think others have — in the president’s press conference performance,' Bossert added. 'He needed to correct that; it seemed to be appeasing Putin far too much. In fact, it seemed oddly to suggest he believed Putin’s galling assertions and dismissals.'”
— Sens. Maria Cantwell (D-Wash.) and Lindsey O. Graham (R-S.C.) worry about Russian cyberthreats to the U.S. power grid and are seeking answers from the White House. In a letter to Trump on Wednesday, the senators wrote that “more information must be provided to Congress addressing our specific concerns about Russian capabilities or interference with respect to our energy infrastructure.” Cantwell and Graham asked Trump about Russia's abilities to threaten the U.S. energy infrastructure, the extent of previous Russian attempts to infiltrate it and the Trump administration's response to those threats. “Your administration has proposed the formation of a new Office of Cybersecurity, Energy Security, and Emergency Response at the Department of Energy as a way to elevate the importance of cyber security issues,” Cantwell and Graham wrote to Trump. “However, there is a need for additional cybersecurity resources to address our fundamental concerns.”
— “The major problem law enforcement faces in obtaining digital evidence is not the encryption of devices but figuring out which company holds the relevant data and how to get it, according to a study released Wednesday by the Center for Strategic and International Studies,” The Post's Ellen Nakashima reported. “Though much of the debate around access to digital evidence has focused on the challenges law enforcement agencies face in cracking encrypted devices or decoding encrypted data, CSIS researchers William A. Carter and Jennifer Daskal have found that the biggest hurdle is actually identifying the phone or email service provider that holds the data.”
— “Cosco Shipping Holdings Co. was hit by a cyberattack that has disabled the Chinese state-run company’s U.S. website and email systems, but the company said the incident hasn’t disrupted its global shipping operations,” The Wall Street Journal's Costas Paris reported. “'So far, all vessels of our company are operating normally, and our main business operations are stable,' Cosco said in a customer advisory posted Wednesday on its Facebook page. The company was communicating with customers via social media.”
- The Brookings Institution hosts a panel discussion on online privacy.
- Senate Commerce subcommittee hearing on “global Internet governance” on July 31.
- Black Hat USA security conference on Aug. 8 through Aug. 9 in Las Vegas.
- DEF CON security conference on Aug. 9 through Aug. 12 in Las Vegas.