Abstract
The number of US breaches reported publicly for all levels of government between 2005 and mid-2016 was 314 with at least 148,491,010 records (not individuals) compromised. In spite of a decade of work to break down bureaucratic silos between agencies, partly in support of eGovernment initiatives, the standard of care over digital assets is not uniform either vertically (at multiple layers of government) or horizontally (across government service or functional categories). Meanwhile, agencies are often dependent upon external contractors that may not follow best practices for information asset protection (e.g., contractors implicated in the successful exploit against the US OPM, publicized in 2015). This extends the security chain, increasing the possibility for exploitation of a weak link. From a hacker’s perspective, confusion at jurisdictional boundaries offers attack opportunities throughout the chain. New uses for WAPs supporting smart transportation and other citizen benefits are multiplying.
Keywords
eGovernment; smart city; Office of Personnel Management (OPM); data governance; supply chain; FISMA
The widespread anxiety about Big Brother government is perhaps less related to remembered childhood sibling rivalries and Orwellian dystopian visions than it is to our inability to escape interactions with government. This may be why we experience less collective outrage when a retailer is breached and our personal information is exposed than when a government agency experiences a similar incident—and consequences. We can choose to patronize another retailer. We cannot choose to patronize another government (unless we relocate or emigrate). Unfortunately, the number of US breaches reported publicly for all levels of government between 2005 and mid-2016 was 314, with at least 148,491,010 records (not individuals) compromised, according to the Privacy Rights Clearinghouse.1
And yet as citizen consumers we increasingly insist on digital options for filing government reports, receiving government benefits, and retrieving government-curated information and services. Convenience, as discussed throughout these chapters, often relies on the use of WAPs and devices, in spite of their acknowledged vulnerabilities. In making our individual risk calculations, we often assign less weight to safety than to speed. The traditional cost–time–quality/scope triangle of competing factors for producing or achieving outcomes is thus skewed toward time at the expense of quality, which in data terms is associated with the security objectives of CIA.
Public/private partnerships are touted as a logical way of moving forward, especially given interdependent interests. Those partnerships will include state and local government agencies increasingly on the public side. Organizations that work with federal government clients, in particular, should be keenly aware of the Federal Information Systems Management Act of 2002 (FISMA) and the guidelines developed by the US National Institute of Standards and Technology (NIST).2 The suite of guidelines issued by NIST offer useful tips to organizations (or individuals, really) who have information assets that they value. The National Checklist Program provides a repository for configuration guidance for specific IT products. The process for contributing a checklist is described in NIST SP 800-70 Revision 3.3
The NIST team envisions checklists for component and device configuration that are organized along different environmental dimensions: standalone (i.e., individually managed), enterprise or managed (centrally controlled), custom (e.g., specialized security-limited functionality), legacy (also a custom environment, but one in which system components might not be adaptable to, or interruptible for, upgrade to a more secure configuration), and security-specific. The checklists are intended to be fine-tuned for the local environment after a methodical identification of functional needs, threats and vulnerabilities, and security needs.
Private sector companies that fail on security dimensions when working with government entities suffer damage to their reputations—and to their very financial viability, as seen in the aftermath of the 2014–2015 breaches at the US OPM and the May 2013 compromise of 10,000 US DHS employee records. US Investigations Services (USIS) lost both OPM and DHS government contracts, which comprised about one-third of parent company Alegrity’s revenue. The DHS breach was traced to a vulnerability in the system it used for processing background investigations for security clearances. USIS was already under scrutiny from a whistleblower’s reporting of deficient background investigation processes (and even “flushing” and “dumping”). USIS is the company that vetted ex-NSA employee Edward Snowden and also Aaron Alexis (the solo gunman in the 2013 Washington Navy Yard shooting spree that killed 12 people).4
KeyPoint Government Solutions was tapped by OPM to step in after USIS’ contract was terminated. Throughout the June 2015 Congressional hearings with the now-former technology leads at OPM, members of the House Committee on Oversight and Government Reform expressed frustration at the failure of OPM Director Katherine Archuleta to respond directly to questions. This frustration was expressed vividly by Congressman Lynch who said:
You know what, this is one of these hearings where I think I am going to know less coming out of this hearing than I did when I walked in because of the obfuscation and the dancing around that we are all doing here … I wish that you were as strenuous and hard working at keeping information out of the hands of hackers as you are [at] keeping information out of the hands of Congress and Federal employees. It is ironic. You are doing a great job stonewalling us, but hackers not so much.5
For defense-in-depth to work, vulnerabilities throughout the OSI stack have to be mitigated and safety mechanisms built in that reflect the entirely reasonable assumption that an attack somewhere will occur. Similarly, vulnerabilities throughout the supply chain or business partner network must be mitigated and safety mechanisms built in that segregate functionality, coordinate detection, and collaborate on prevention. If each component of the system is appropriately robust down to the data level, the resiliency of the whole is promoted. The OPM failure offers an example of interconnected failures in terms of:
For hackers, pointillist attention to these background services is desirable: Confusion at jurisdictional boundaries offers attack opportunities within any organization. The successful exploit against the US OPM is an example of this. Year after year, Inspector General (IG) reports identified problems in the decentralized deployment and management of protected data security mechanisms. Gaps in security proliferated, and the agency network was successfully compromised in two distinct incidents that resulted in the exposure of at least 21.1 million records of current and past government employees and job applicants, including those requesting top secret security clearance. In addition to text-based information, some 5.5 million fingerprints were also extruded by hackers, presumably based in China.
Attack Chronology
Doxing Attack for PII Extrusion: OPM, Department of Interior (DoI), DHS
Hacker Objective: Obtain deep background information and biometric details about government officials (including those with security clearances)
Hacker Technique: Multilayer, multiple techniques (reconnaissance through supply chain vendor; exploitation of multiple unpatched software vulnerabilities, e.g., Java, Windows XP, COBOL; lateral movement through network; malware insertion; data extrusion)
Victim Impact (Individuals): Foreign state access to PII and biometric details of more than 21 million prospective, current, and past government officials, including those engaged in national security activities; release of biometric information (5.6 million fingerprints) that could be used to fool multifactor authentication systems or implicate individuals in untoward activities; unknown potential for future impact (e.g., identity theft, impaired personal and family safety, compromise of online accounts)
Victim Impact (OPM Director and OPM CIO): Both individuals suffered serious, public damage to their professional reputations. The OPM Director resigned from service and the OPM CIO retired from service.
Victim Impact (Indirect; Contractor Organizations): Both directly involved contractor organizations suffered financial loss. USIS lost business-sustaining contracts with the US Government. Contractor KeyPoint’s professional credibility was damaged.
Victim Impact (US Government): Exposure of agent network to potential compromise and loss of trust with respect to current and future employees
The OPM data breach does not so much illustrate the possibility of cascading failures as illuminate a cataract of existing failures. The preconditions for the successful attack are legion; it was a matter of time. And yet, some of the basic flaws are common to other agencies, so this type of incident is not likely the last.
Initial reconnaissance appears to have occurred through a hack of a contractor’s system to obtain privileged credentials. Inadequate security protection of the OPM system had been documented by the OPM’s IG for years in its annual FISMA audit reports. Since 2009, the IG had identified problems with OPM’s information security management structure as “material weakness.”8 One analysis has suggested that the publicly reported weaknesses may have encouraged hackers to initiate reconnaissance against systems identified as having inadequate authentication and authorization mechanisms in place.9
The collateral damage possible from this attack could include blackmail or pressure on government officials with security clearances due to the highly personal and detailed nature of the records extruded; the damage potential goes beyond identity theft and public embarrassment. This incident highlights the dependence of government agencies on outside contractors—and lack of enforced compliance with FISMA requirements for these contractors. It also reveals the amount of sharing among government agencies with respect to infrastructure technology. The DoI is the repository for the OPM personnel records database through DoI’s Interior Business Center, which provides cloud government services for multiple agencies as part of a cost-streamlining effort. Some 150 different agencies use DoI IT services. OPM maintains electronic personnel records for millions of current and past government employees, including Congressional staffers. The electronic version of this system (eOPF) is accessible from OPM (and some other departments) through Internet portals—and, apparently, a gateway used by other agency web servers.10
Summary of Attack and Incident Detection Chronology11
| May 7, 2014: | Access to OPM LAN (malware installed) |
| July 3, 2014: | Backdoor exfiltration started |
| August 22, 2014: | USIS hacked (DHS, customs personnel records compromised) |
| October 2014: | Pivot to DoI (OPM personnel records database) |
| December 15, 2014: | Data (4.2M records) siphoned |
| December 2014: | Decryption tool implemented |
| April 15, 2015: | Anomalous SSL traffic observed beginning in December |
| April 2015: | DHS CERT notified |
| April 17, 2015: | Loaded SSL traffic data into Einstein (DoI IDS) |
| April 23, 2015: | Observed historical netflow of data |
| April 2015: | Notified Congress |
| June 2015: | Congressional hearings |
| July 9, 2015: | OPM admits to breach of 21.5M SSNs |
| September 23, 2015: | OPM admits to breach of 5.6M fingerprints |
The supply chain weaknesses within the federal government operate whether supply chain members are external contractors or other government agencies. The obsolescence of legacy federal IT infrastructure is significant, as is persistent vagueness about response procedures when indicators of attack (IoA) or indicators of compromise (IoC) are suspected or even actually identified. A 2016 US GAO report found that US DoD policy was unclear about roles and responsibilities and command responsibilities for supporting civil authorities during a cyber incident.12 This lack of clarity extends to definitions of who is responsible to protect privately owned telecommunications and power infrastructure. According to Norman C. Bay, Chairman of the Federal Energy Regulatory Commission, “If I had a cyber threat that was revealed to me in a letter tomorrow, there is little I could do the next day to ensure that that threat was mitigated effectively by the utilities that were targeted.”13
In another critical infrastructure area that has received a lot of attention, especially at the state and local (smart city) levels, the public/private partnership for transportation needs work. Vehicle cyber security is an area that has received insufficient guidance from the US Department of Transportation (DoT). “Modern vehicles contain multiple interfaces—connections between the vehicle and external networks—that leave vehicle systems, including safety-critical systems, such as braking and steering, vulnerable to cyberattacks. Researchers have shown that these interfaces—if not properly secured—can be exploited through direct, physical access to a vehicle, as well as remotely through short-range and long-range wireless channels.”14
Another GAO report found that the majority of federal government IT spending (75%) is dedicated to operations and maintenance rather than on development, modernization, and enhancement, for which spending has declined by $7.3 billion since 2010. Remarkably, some systems (including those concerned with nuclear force operations) still depend on 8-inch floppy disks. It is highly likely that contractors connected with such systems are likewise still tied to outdated (50-year-old) technology. Systems critical for US citizens include the US Department of Treasury individual master files—the authoritative data source for individual taxpayers. It is about 56 years old and no plans for its replacement exist.15
Ideally, a cost/risk/benefit analysis will help government decision makers determine when to work on the substructure that supports—both financially and informationally—the complex system of benefits and payments on which our federal government operates. Attacks against the IRS E-filing PIN system, for example, reveal how hackers and other criminals can monetize stolen PII. In the 2016 attack, unauthorized, bot-based attempts were made to generate E-filing PINs for 464,000 stolen SSNs. Although only 101,000 such PINs were successfully generated before the automated process was halted,16 that still represents many citizens who were mulcted of anticipated tax returns, and furthered loss of trust in the US Government.
At the state and local government levels, the number one spending priority, according to a study by the Center for Digital Government, is cyber security. For states, the next set of priorities is shared-services cloud computing, mobile apps, and IT personnel recruitment. States are incorporating 21st century technology into their infrastructure. Investment in policy, practices, and people should be in alignment with these changes. Digital literacy and augmentation of staff skills still rank lowest in terms of priorities, however.17
Cyber Storm
Many Federal, state, and local government agencies and private sector organizations conduct periodic (e.g., annual) disaster recovery exercises to train staff in what should be done during emergencies and to identify and correct problems encountered in the simulations so that they do not occur during actual emergencies. Analogous to these disaster planning exercises, the DHS has been conducting a series of cyber security exercises, called Cyber Storm, since 2006.18 Cyber Storm is a Government-led, full scale, cyber security exercise involving international, Federal and State governments, and private sector organizations. The purpose of the exercises is to exercise and evaluate response, coordination, and recovery mechanisms in reaction to simulated cyber events. Exercise scenarios include affecting or disrupting infrastructure within the energy, information technology, transportation, and telecommunications sectors. Findings showed where communications worked effectively and where communications and planning could be improved.19
As security becomes a larger issue for all organizations, it is anticipated that exercises like Cyber Storm will become as common as disaster planning exercises. At a minimum, all organizations should review the Cyber Storm After Action Reports to identify areas they may need to consider in their security plans.
Federal Government Takeaways
The OPM breach has brought renewed attention to securing information in Federal agencies. Laptops employ common access cards (CACs)20 or PIV21 cards to create VPNs to agency networks. Government personnel and contractors are required to undergo security briefings/courses on a yearly basis. These courses identify how data can be compromised (e.g., theft of cellphone or tablet, shoulder surfing), countermeasures (e.g., password-protected cellphone, encrypted data on tablet), and what to do when a (possible) breach occurs.
Contractors are required to provide a security plan, typically based on NIST SP800-53, to identify how they are protecting PII in their systems that support the government. In addition, agencies are starting to levy a requirement on contractors that, if their systems are breached, the contractor is responsible for credit monitoring for all potentially impacted individuals for three years. These costs can run into the millions of dollars after a breach.
Separation of systems/information accessible by the Internet from those with a “For Official Use Only” or higher sensitive information classification still appears to be a work in progress. Another area where security work is required relates to spear phishing. When asked on the phone for some information associated with a person, how does the customer service person verify that the request is valid and should be honored?
State Government
In the late 1990s and early 2000s, technology-based economic development was being widely promoted to add more dimension to the financial resiliency of US states, especially among those states in the economically fatigued regions that were losing jobs and momentum: the rust belt (AKA manufacturing and steel belts) and the cotton belt. States along both coasts seemed to have the right combination of telecommunications infrastructure, educated workforce, innovative companies, risk capital, and geographic appeal to compete into the 21st century. In particular, the latter states appeared less exposed to competition from labor-rich and less-regulated economies (especially the BRIC countries: Brazil, Russia, India, China) with respect to historical economic bastions like manufacturing, food processing, and customer service centers. Frequently heard around economic development roundtables were buzzwords like ubiquitous computing, always on, 24/7, online/inline, collect once/use many. State governments were asked to share citizen information across organizational boundaries, which sounded easy until innovators realized the consequences of little or no data governance. Naming and spelling conventions and identification fields were not standardized, allowing multiple entries for the same person or address that appeared, to the system, as unique. Existing policies for sharing information did not exist or were prohibited. Smartphones were not yet available—but people happily carried their five-pound (at a minimum) laptops to seek out Wi-Fi hotspot, which were mapped and configured for convenience.
Some incumbent telecommunications companies tried to obstruct the implementation of free public wireless networks, even as the cost of wireless base stations dropped from about $1000 in 1999 to $100 in 2003.22 Warchalking, which is essentially marking locations with WAPs, emerged as a grassroots effort in 2002 to share signals in the early days of the sharing economy. The pavement near buildings where signals could be picked up was marked with symbols reminiscent of Depression-era hobo signs, and the warchalking practice itself likened to trainspotting or planespotting (hiking trail cairns come to mind as well). Controversy arose over whether subscribers to wireless services, including cities and retail merchants, were allowed to invite others to share signal for free. Service providers like AT&T Broadband and Time Warner Cable sent letters threatening account termination to wireless subscribers who claimed no harm/no foul if others within 300 feet of their access point could pick up signals.23
States competed to define—and deliver—eGovernment services. The annual Digital States Survey ranked states according to their relative sophistication with respect to delivering citizen to government (C2G) services, even if these services were implemented on legacy platforms that were largely dependent on mainframes that had already exceeded their end of life expectancy. Without adequate budgetary resources for technology refreshment so that the core foundation was structurally sound, as it were, convenient applications for citizens and governments alike (government-to-government or G2G) were implemented. Not surprisingly, internal processes, policies, and employee training were misaligned with new attack surfaces created by the explosion in eGovernment services. Systems were compromised. Data breaches occurred—and state-based IT teams began to focus more on protecting what was already in place rather than rolling out new initiatives. Within this technological environment, the National Association of State Chief Information Officers (NASCIO) released a comprehensive report24 about the risks of wireless use with recommendations that are still, and perhaps more, relevant today:
States and private industry largely support the infrastructure framework within which cities implement their smart city initiatives. With their larger responsibilities for public safety and utilities, a recent NASCIO survey indicates that only about 25% of respondents indicated that discussions about the IoT had begun.25 State-level oversight of road and highway construction, however, provides an opportunity for coordinating activities across multiple infrastructure and operational elements. For example, states can mandate that highway-widening projects are leveraged as opportunities for deploying appropriate conduits for future or current needs like telecommunications lines, sensors for water movement and capacity, or GIS mapping devices. Rather than funding multiple, sequential digs in highway rights of way to deploy conduits, coordination at the state level can reduce traffic disruption and cost. States can also enable smart city initiatives by consolidating vendor accounts to take advantage of volume discounts for the kind of services generated that are less glamorous but nonetheless essential for maintaining infrastructure health and resiliency. Although such services may run in the background—for example, data backup, recovery, and storage; information security and incident detection; power redundancy; data analysis and reporting; network configuration mapping; asset administration; best practice standards and vendor selection criteria—they create a stronger mesh across the whole interconnected system, streamline support processes and allocation of technical talent, and encourage cost and performance efficiencies.
Local Government
The US Government has encouraged local innovation through funding programs for infrastructure buildout, such as the various rural broadband initiatives delivered through the US Department of Agriculture (USDA). Between 2009 and 2015, for example, the USDA awarded Community Connect grants worth more than $77 million for broadband buildout in rural areas.26 Other federal agencies have contributed to infrastructure capacity as well. The US Department of Labor has funded projects to connect workforce components: local labor outlets (e.g., Workforce One and other unemployment organizations), private sector industries, and educational institutions. In particular, funding has gone to community colleges that have the flexibility to design focused curricula that meets industry needs for specifically trained and certifiable technicians, mechanics, and skilled trades. The HHS has encouraged the adoption of innovation by mandating implementation of EMRs and EHRs, as discussed in Chapter 6, WAPs in Medical Environments.
Implementation of continuing refinements of recording guidelines, such as the coding of specific treatments according to the International Classification of Diseases (ICD), are mandated by October 1, 2015.27 HHS innovations in electronic recordkeeping followed the initiatives launched by the Veterans Affairs Administration and the branches of (active) military services. Interest in this on the part of the latter, the US Department of the Army, for example, received emotional and clinical support when combat duty conditions required accessible medical records that were not tied to a specific geographic location. Paper files were inadequate for those requiring immediate medical attention in combat situations, particularly when previous medical care information was stored in multiple repositories (e.g., hospitals, private practitioners, and medical clinics in diverse locations), and there were no existing communications or information-sharing channels. Such mandates may drive increased demand for infrastructure improvements at the local level.
Seven cities accepted the US Government’s “Smart Cities” challenge in the hope of receiving the $40 million award (with a $10 million sweetener from Vulcan, Inc., in addition to other private sector corporate donations) and succeeded through review rounds. These cities focused on citizen mobility issues with an emphasis on making smart apps so that drivers and pedestrians don’t have to be inconvenienced. Only one of the seven cities (out of 78 applications) that have passed through the final round seems to be addressing disconnects between commercial traffic (distribution, logistics, shipping—totaling $1.4 trillion in 2014 or 8.3% of annual GDP)28 and noncommercial traffic. This city's proposed initiative would deploy sensors on traffic lights to improve throughput for freight and other commercial vehicles to alleviate both traffic congestion and the associated pollution released when such vehicles are idling for extended periods of time.29
As with the eGovernment initiatives at the state level in the early 2000s, the original exuberance around smart city concepts has calmed down a bit as city officials and citizens recognize the total cost of such initiatives, the untested scalability (and practicability) of some IoT products and services, and the barriers to collaboration that exist between different organizations and communities of interest. Communities are finding incremental opportunities in terms of program reach (e.g., transportation, parking, lighting, water distribution) and geographic coverage (i.e., starting with a specific neighborhood or school campus as the “non-conference room” pilot).30 Planning and a holistic view are imperative, combined with clear understanding of what information and assets can be valuable to—and used effectively by—bad actors. Robust data governance should be defined before that data are gathered. Who will view that data? How will it be protected and maintained? How will updates to the data be verified and authenticated to ensure that changes are not just symptoms of a spoofing attack? The data governance discussion should be broached—along with concerns about security, privacy, return on investment—and made integral to planning a truly smart city, rather than one that is just sensor-rich: … “to fully take advantage of IoT, cities must integrate it into existing data strategies while addressing new challenges and continually refining their procedures as they grow these new projects.”31
Those participating in smart city initiatives have an international resource for information sharing, lessons learned, and recommended standards. The ANSI Network on Smart and Sustainable Cities (ANSSC), launched in 2014, leverages (through monthly webinars and other channels) the collective wisdom and influence of the ISO technical committee 268 (Sustainable Development in Communities), the ITU, IEC, and ISO/IEC JTC 1, in addition to regional and national standards groups in Europe and Asia.32
Takeaways
Although money is tight, governments can perform a number of low-cost activities to improve their security posture:
Security is a process not a destination. As employees become more security aware, the plan can be expanded to include the following:
Summary
From a hacker’s perspective, pointillist attention to government and background services is desirable: Confusion at jurisdictional boundaries offers attack opportunities within any environment or administrative ecosystem. The successful exploit against the US OPM is just one example of this. Year after year, IG reports identified problems in the decentralized deployment and management of protected data security mechanisms. Gaps in security proliferated, and the agency network was successfully compromised in two distinct incidents that resulted in the exposure of at least 21.1 million records of current and past government employees and job applicants, including those requesting top secret security clearance. In addition to text-based information, some 5.5 million fingerprints were also extruded by hackers, presumably based in China.
This pattern in the government sector is similar to what has been witnessed in the private sector. Sony Pictures assumed its systems were secure and protected from undetected infiltration by an external attacker. That was before North Korean President Kim Jong Un took offense at Sony’s distribution of The Interview, a film satirizing his late father, and released a digital army of hackers to compromise Sony’s network, entertainment assets, and senior management’s reputation.33
At what point should criminal or vengeful behavior be characterized as a threat to governmental fulfillment of its duties to establish justice, insure domestic tranquility, and provide for the common defense? In the following chapter we will discuss issues around WAP functionality and protection in mission environments involving law enforcement, first responder and emergency management, and military activities.
Comments
Post a Comment