Thousands of federal cyber workers return to their posts today after more than a month on furlough. And they have a big to-do list.
The first priority: Looking for evidence of any major hacks that wormed through government defenses the past 35 days while agencies were working with a skeleton crew of security pros.
It will take them days or weeks to pore through security logs to assess how much damage the shutdown did to the security of government computer networks and the sensitive data they hold. The attacks did not abate because the government was closed: One cyber manager who worked without pay during the shutdown described an uptick in attacks on his agency -- including phishing emails containing malware, attempts to reset employee passwords and attempts to trick users into downloading malicious software cloaked as a legitimate update.
Also on the docket: Figuring out how to adjust the multimillion-dollar contracts to upgrade and secure federal IT systems that have spent more than a month on ice.
Perhaps most dishearteningly, cyber and IT leaders across the government will need to figure out the smartest way to prepare for the possibility of another shutdown if Congress and the president can’t reach a new funding deal when the current one expires in three weeks. President Trump has said congressional Democrats must give him new money for a U.S.-Mexico border wall or risk another shutdown when the temporary funding expires.
The best hope, former officials told me, is that agencies can learn from the shutdown just ended to prepare as smartly as possible for the next one — if and when it comes.
“In terms of preparing to shut down again, the agencies should look at any lessons they have learned from having to operate with a skeleton crew and make adjustments based on that very recent experience,” Michael Daniel, former White House cybersecurity coordinator who's now president of the Cyber Threat Alliance, told me by email.
Already, the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency is gearing up to take on some big projects post-shutdown. CISA was operating with about half its staff furloughed and the remainder working without pay during the shutdown. But this week, an agency official told me, one of its top goals will be implementing an emergency order, issued Jan. 22 during the shutdown, directing agencies to protect their Domain Name System (DNS) records from a DNS hijacking campaign that private-sector researchers have linked to Iran.
Digital tampering stemming from that campaign affected “a number of agencies” during the shutdown, according to a tweet stream from CISA Director Chris Krebs.
“We are aware of a number of agencies affected by the tampering activities and have notified them. In part, by issuing the directive, CISA seeks to work with agencies to detect and prevent additional impacts on agencies and systems,” Krebs (@CISAKrebs) tweeted on Jan. 23, 2019, in the second of seven tweets.
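The first check that directive asks for, as an added illustration and not CISA's own tooling: compare the DNS records the world currently sees for a zone against a known-good baseline the agency keeps offline, and flag what changed. The hijacking campaign worked by altering NS, A and MX records at registrars and DNS providers, so a changed name server is the worst case and a shortened TTL is a warning sign. The zone data below is constructed, and the per-record-type severity table is my assumption.

```python
"""Added example: diff a DNS zone's observed records against a known-good baseline.

Illustrative code written for this newsletter, not CISA tooling. The zone data
below is constructed, and the severity table is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata), normalised to lower case

# Constructed sample: the known-good records an agency keeps offline (dig-style lines).
BASELINE_ZONE = """\
example.gov.      3600 IN NS  ns1.example.gov.
example.gov.      3600 IN NS  ns2.example.gov.
example.gov.       300 IN A   192.0.2.10
www.example.gov.   300 IN A   192.0.2.10
example.gov.      3600 IN MX  10 mail.example.gov.
"""

# Constructed sample: what public resolvers answer today. A name server has been
# swapped, www now points elsewhere, and the apex A record's TTL was shortened.
OBSERVED_ZONE = """\
example.gov.      3600 IN NS  ns1.example.gov.
example.gov.      3600 IN NS  ns-attacker.invalid.
example.gov.        60 IN A   192.0.2.10
www.example.gov.   300 IN A   198.51.100.77
example.gov.      3600 IN MX  10 mail.example.gov.
"""

# Assumed severity per record type: a changed NS hands the whole zone to someone else.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "CNAME": "high", "MX": "high"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_zone(text: str) -> Dict[Record, int]:
    """Parse `dig +noall +answer`-style lines into {(name, type, rdata): ttl}."""
    records: Dict[Record, int] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unparseable record line: {raw!r}")
        name, ttl, _cls, rtype = fields[:4]
        rdata = " ".join(fields[4:])
        records[(name.lower(), rtype.upper(), rdata.lower())] = int(ttl)
    return records


@dataclass(frozen=True)
class Finding:
    severity: str
    kind: str      # "added", "removed" or "ttl"
    record: Record
    detail: str


def compare(baseline: Dict[Record, int], observed: Dict[Record, int]) -> List[Finding]:
    """Return every difference between the two record sets, highest severity first."""
    findings: List[Finding] = []
    for rec in set(observed) - set(baseline):
        findings.append(Finding(SEVERITY.get(rec[1], "medium"), "added", rec,
                                "record not in baseline"))
    for rec in set(baseline) - set(observed):
        findings.append(Finding(SEVERITY.get(rec[1], "medium"), "removed", rec,
                                "baseline record no longer served"))
    for rec in set(baseline) & set(observed):
        if baseline[rec] != observed[rec]:
            # A shortened TTL is not proof of tampering but often precedes a redirect.
            findings.append(Finding("low", "ttl", rec,
                                    f"TTL changed {baseline[rec]} -> {observed[rec]}"))
    return sorted(findings, key=lambda f: (RANK[f.severity], f.record))


def audit() -> List[Finding]:
    """Run the comparison over the constructed samples."""
    return compare(parse_zone(BASELINE_ZONE), parse_zone(OBSERVED_ZONE))


if __name__ == "__main__":
    for f in audit():
        name, rtype, rdata = f.record
        print(f"[{f.severity:8}] {f.kind:7} {name} {rtype} {rdata}: {f.detail}")
```

In practice the observed side would come from several independent public resolvers rather than the agency's own, so that a hijack at the registrar or provider shows up even when internal resolvers still answer correctly.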
Other CISA priorities include cutting paychecks as quickly as possible to employees who have been furloughed or working without pay, relaunching stalled work on election cybersecurity and helping industries combat Chinese hacking, the official told me.
The agency also plans to relaunch efforts focused on supply chain cybersecurity and pipeline security, the official said.
“We are happy to be back at it, and look forward to getting the full force of CISA back up to speed,” the official said.
CISA and other agencies must also focus after the shutdown on restoring the morale of highly skilled workers who missed two successive paychecks and may be seriously considering leaving government for the private sector, former officials told me.
Those agencies should also move to restart the hiring process for new cyber pros as quickly as possible, Philip Reitinger, a former top DHS cyber official, told me.
“One piece of advice I'd offer agencies trying to hire cybersecurity talent is to start reaching out to prospective hires on Monday,” Reitinger said, “assuring them that they are valued and that the government needs them — please don't be discouraged and decide to work elsewhere.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: The U.S. military’s cybersecurity capabilities aren’t improving rapidly enough to stay ahead of major adversaries, according to a report from the Pentagon testing office obtained by Bloomberg.
“Despite some progress in fending off attacks staged by in-house ‘Red Teams,’ the testing office said, ‘we estimate that the rate of these improvements is not outpacing the growing capabilities of potential adversaries who continue to find new vulnerabilities and techniques to counter fixes,’” Bloomberg’s Anthony Capaccio reported.
The critical assessment may be publicly released as early as this week, Capaccio reported.
PATCHED: International undercover operatives posing as investors targeted members of the cybersecurity watchdog Citizen Lab, which has worked to expose damage to civil liberties caused by the Israeli surveillance software company NSO Group as well as attacks by state-backed hackers, the Associated Press’s Raphael Satter reported. On two occasions, operatives met with Citizen Lab members at hotels in Toronto and New York and asked them questions about NSO and their personal lives such as: “Do you pray?” “Why do you write only about NSO?” “Do you write about it because it’s an Israeli company?” “Do you hate Israel?”
“Who these operatives are working for remains a riddle, but their tactics recall those of private investigators who assume elaborate false identities to gather intelligence or compromising material on critics of powerful figures in government or business,” Satter reported. Ron Deibert, the director of Citizen Lab, which is based at the Munk School of Global Affairs and Public Policy at the University of Toronto, said the undercover operations were “a new low,” according to the AP. NSO said in a statement that it was not involved “either directly or indirectly” in the operations. The AP also reported that it found no evidence that the operatives were tied to NSO.
PWNED: Serhiy Demedyuk, the head of the Ukrainian cyber police, said hackers probably tied to Russia are carrying out cyberattacks on electoral servers as Ukraine is set to hold a presidential election in March, Reuters's Pavel Polityuk reported. Hackers have also targeted the personal computers of Ukrainian election staff and have purchased personal information about election officials. “According to the cyber police, no infiltration into the electoral system has been recorded yet, but they expect even larger attacks a month before the elections when the commission’s regional offices will start working,” Polityuk reported.
The hackers have also used offers for software updates and shopping invitations in their attempts to steal personal information. “Russian state structures have never interfered, and are not interfering, in the internal affairs of other countries,” Kremlin spokesman Dmitry Peskov said in response to Demedyuk's comments, according to Reuters.
— Indiana Secretary of State Connie Lawson is refusing to disclose her communications with the National Association of Secretaries of State in response to a public records request seeking information about NASS's discussions on election security matters and its relationships with voting machine vendors, Politico's Eric Geller reported. “Secretary Lawson and other NASS leaders have made public statements at times that misrepresent the security threats to voting machines,” Susan Greenhalgh, who is policy director for the National Election Defense Coalition and submitted the request, told Politico. “Congress and the public have a right to understand why.”
— Officials in the city of Sammamish, Wash., moved municipal computer systems offline following a ransomware attack and are working with a security consulting company to unearth information about the attack, according to StateScoop's Colin Wood. “The city has stopped processing passports, pet licenses and permits, and also took its map services offline,” Wood reported. “Many of the city’s shared storage drives are inaccessible, city spokeswoman Sharon Given told StateScoop. The city also cancelled its credit cards as a precaution.”
— Facebook chief executive Mark Zuckerberg's plan to integrate WhatsApp, Instagram and Facebook Messenger also includes adding end-to-end encryption, the New York Times's Mike Isaac reported. “We’re working on making more of our messaging products end-to-end encrypted and considering ways to make it easier to reach friends and family across networks,” Facebook said in a statement, according to the Times.
Instagram doesn't include end-to-end encryption on its chats, Facebook Messenger offers the option for users who turn on the “Secret Conversations” feature and WhatsApp does offer default end-to-end encryption already, Wired's Lily Hay Newman noted. “In attempting to unify its chat services, Facebook will need to find a way to help users easily understand and control end-to-end encryption as the ecosystem becomes more porous,” Wired reported.
— The transparency group Distributed Denial of Secrets, or DDoSecrets, released 175 gigabytes of hacked and leaked documents from Russia with information about oligarchs, Russia's war in Ukraine and other issues, according to the New York Times's Scott Shane. “Dark Side of the Kremlin,” which is the main batch of documents that the group posted online, contains “hundreds of thousands of messages and files from Russian politicians, journalists, oligarchs, religious figures, and nationalists/terrorists in Ukraine,” DDoSecrets said on Twitter. Most of the documents “had been released in Russia, Ukraine and elsewhere, sometimes on obscure websites,” according to the Times. “There were no immediate reports of new bombshells from the collection.”
- Senate Intelligence Committee open hearing on worldwide threats tomorrow.
- Senate Armed Services Committee hearing on “Department of Defense enterprise-wide cybersecurity policies and architecture” tomorrow.
- Senate Armed Services Committee hearing on China and Russia tomorrow.
- BSidesPhilly cybersecurity conference in Philadelphia on Friday.
- B-Sides Tampa cybersecurity conference in Tampa on Saturday.