By Anne Broache
Staff Writer, CNET News.com
April 19, 2007
WASHINGTON -- As new details emerged about cyberattacks against networks
at the State and Commerce departments last year, politicians on Thursday
said they're concerned many federal agencies are ill-prepared to fend
off such intrusions.
Members of a U.S. House of Representatives cybersecurity subcommittee
said they weren't confident that the computer systems at bureaus within
the State and Commerce departments were adequately secured and scrubbed
of backdoors that could allow cybercrooks to re-enter. They also
questioned agency representatives on whether they could truly guarantee
that sensitive information hadn't been accessed or copied.
"We don't know who's inside our networks," subcommittee chairman Rep.
James Langevin (D-R.I.) said at an afternoon hearing here. "We don't
know what information has been stolen."
Indeed, 21 of 24 major federal agencies had weak or deficient
information security controls in place during the last fiscal year,
according to audit reports, said Gregory Wilshusen, director of
information security issues for the Government Accountability Office.
Pitfalls ranged from failing to replace well-known vendor-supplied
passwords on systems to not encrypting sensitive information to not
creating adequate audit logs to track activity on their systems,
according to a new GAO report (PDF) he summarized at the hearing.
One of the main purposes of the hearing was to allow officials at the
State and Commerce departments to give the first complete public
accounts of the cyberattacks since news reports brought the incidents to
light several months ago.
The State Department troubles began in May, said Donald Reid, senior
coordinator for security infrastructure for the agency's Bureau of
Diplomatic Security. An employee at an office in the East Asia Pacific
region opened an e-mail message that contained what appeared to be a
legitimate Microsoft Word document of a congressional speech--but when
opened, actually unleashed malicious code that allowed the intruder
backdoor access to the State Department's network.
The agency's intrusion detection system "immediately" detected the flaw
and later discovered additional breaches on its systems in other Asian
outposts and at its Washington headquarters, Reid said. In the process
of analyzing that malicious code, analysts also discovered another
previously unknown hole in the Windows operating system that lacked a
Realizing that Microsoft would not be able to issue a fix as speedily as
necessary, the department developed a temporary "wrapper" designed to
protect the systems from continued exploits, Reid said. All the affected
systems were brought back up and running by July, and the department has
not encountered further troubles, Reid said. (Microsoft ultimately
released the new patch in August.)
Some politicians targeted Reid's assurances that the attacks only
affected "unclassified" systems. Because government auditors have
determined that the State Department lacks a complete inventory of its
computer systems, "how can you be certain your classified networks
aren't touching your unclassified networks, and can you really know
hackers have only accessed unclassified networks?" Langevin asked. He
also suggested that even unclassified networks can contain "sensitive"
Also encountering pointed questions from the handful of politicians
present Thursday was Dave Jarrell, manager of the Commerce Department's
Critical Infrastructure Protection Program.
Jarrell recounted events that transpired beginning in July at his
department's Bureau of Industry and Security, which handles the
sometimes thorny topic of export controls. After a senior BIS official
discovered one morning that he could not log in to his machine, an
agency computer security team went on to discover 33 computers that had
attempted to establish connections to suspicious Internet protocol
addresses originating from Internet servers in China.
Some politicians criticized the bureau for admittedly not knowing
exactly how long the attackers were able to gain access to their
systems. Jarrell said the agency was "very confident" that the data on
existing machines is safe. He blamed the inability to pinpoint the time
of the intrusion on faulty audit logs and said the agency was fixing
Politicians also used the hearing to lash out again at the Department of
Homeland Security's persistently lagging cybersecurity efforts. They
lamented that the agency had only managed to pull up its own information
security grade, as determined by its compliance with federal standards,
to slightly above failing this year. (The State and Commerce
departments, for their part, both received F's.)
"I'll be honest with you," Langevin said. "I don't know how the
department thinks it's going to lead this nation in securing cyberspace
when it can't even secure its own networks."