Government Agencies Wide Open To Attack

Last summer's major security breaches at the departments of State and Commerce are just the tip of the iceberg, according to congressional testimony.

Sharon Gaudin, Contributor

April 20, 2007


Two government security breaches in 2006 were just the tip of the iceberg, leaving sensitive information wide open to espionage and cybercriminals, according to a leading member of the House Committee on Homeland Security.

James Langevin, D-R.I., speaking before the House Homeland Security Committee's cybersecurity panel on Thursday afternoon, said he was "disappointed and troubled" about the state of the U.S. government's cybersecurity policies. The two computer break-ins at the Department of State and the Department of Commerce last summer are very likely deeper and more insidious than even the government has reported.

And Langevin contends that there are more security breaches that the public simply doesn't hear about.

"Let me be clear about the threat to our federal systems: I believe the infiltration by foreign nationals of federal government networks is one of the most critical issues confronting our nation," said Langevin, who is chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. "The acquisition of our government's information by outsiders undermines our strength as a nation. ... This is a most critical issue that we cannot afford to ignore any longer."

Langevin, who is also a member of the House Committee on Homeland Security, led Thursday's panel discussion on cybersecurity.

David E. Jarrell, manager of the Commerce Department's Critical Infrastructure Protection Program, testified before the committee, describing how a locked-down computer led IT investigators to discover that hackers had infiltrated the network via Chinese networks. The security breach was discovered on July 13, but investigators could not say when the hackers gained entry or exactly where they went inside the network. While Jarrell testified that there was no evidence that data "was lost" during the incident, he could not say if it had been copied and transferred outside of the government network.

The breach was in the Bureau of Industry and Security section of Commerce. That section determines which technologies -- generally nuclear technologies or others of a national security nature -- are too sensitive to be exported to other countries.

Donald R. Reid, senior coordinator for Security Infrastructure with the State Department's Bureau of Diplomatic Security, also testified Thursday, telling the panel that the breach at the State Department stemmed from a targeted attack using social engineering and a Microsoft zero-day vulnerability.

Reid said the trouble began in May when an employee opened a malicious attachment disguised as the text of a congressional speech. The worker's machine was infected with a Trojan backdoor that was caught by the agency's intrusion detection system. As IT workers investigated the breach, though, they began to find other intrusions in the East Asia Pacific region, as well as in Washington. Hackers had been using yet another Microsoft zero-day bug to worm their way into the State system, Reid explained.

Alan Paller, director of research at the SANS Institute, attended Thursday's hearing and said he was struck by the agency directors' desire to say that their security was working well.

"Saying 'we're OK' doesn't improve what's wrong," he said in an interview with information. "There are big problems here. Between them, Commerce and State had 30 different systems compromised last summer. You're not hearing about most incidents because they quickly classify them as classified. This is just the tip of the iceberg."

Paller pointed out that IT investigators with the Commerce Department still don't know where the intruder hid inside their system. They didn't keep logs long enough to be able to look back and see specifically what machines he touched. "They only found the ones he left visibly touched," he added. "We don't even know how many machines the Chinese still own. We have a pretty good idea that State got the intruders out, but with Commerce, we have no idea how many systems are still owned by someone else."

From the Government Accountability Office, Gregory C. Wilshusen, director of information security issues, and David A. Powner, director of information technology management issues, testified in tandem Thursday. They said information security weaknesses continue to place federal agencies at risk, and noted that in 2006, agencies reported a record number of information security incidents to U.S.-CERT.

They reported that of the 24 major agencies last year, 18 had access control weaknesses, such as not replacing well-known vendor-supplied passwords, permitting excessive access privileges that users did not need, not encrypting sensitive information, and not creating or maintaining adequate audit logs.

Many agencies, they added, did not even install patches in a timely manner.
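The weaknesses the GAO witnesses list (unchanged vendor default passwords, excess privileges, unencrypted sensitive data, inadequate audit logs, late patching), together with the log-retention gap Paller describes, are the kind of controls a defender checks mechanically across an inventory. The following Python is an added example, not code from the article or from any agency named in it. It audits a constructed host inventory against those points; the hostnames, account names, password values, the patch SLA and the assumed earliest-entry date are all constructed for illustration, while the July 13 discovery date is the one the article gives for Commerce.

```python
"""Added example, not code from the article or from any agency named in it.

Audits a constructed host inventory for the access-control weaknesses the GAO
witnesses listed and for the log-retention gap Paller described: logs that do
not reach back to the earliest plausible intrusion date cannot show which
machines an intruder touched. All hosts, accounts, passwords, the patch SLA
and the assumed earliest-entry date are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

# Constructed vendor-default passwords, kept only as SHA-256 digests so the
# audit script itself does not carry plaintext credentials.
KNOWN_DEFAULT_HASHES = {
    hashlib.sha256(p.encode()).hexdigest() for p in ("admin", "password", "changeme")
}
PATCH_SLA_DAYS = 30  # assumed local policy for what counts as "timely" patching


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class Account:
    name: str
    password_sha256: str
    roles: frozenset           # roles actually granted
    required_roles: frozenset  # roles the job function actually needs


@dataclass
class Host:
    name: str
    accounts: list
    stores_sensitive_data: bool
    data_encrypted: bool
    audit_logging: bool
    log_retention_days: int
    oldest_missing_patch_days: int  # age of the oldest patch not yet applied


def audit_host(host, discovered, earliest_entry):
    """Return a list of finding strings for one host."""
    findings = []
    for acct in host.accounts:
        if acct.password_sha256 in KNOWN_DEFAULT_HASHES:
            findings.append(f"{host.name}:{acct.name} still uses a vendor default password")
        extra = acct.roles - acct.required_roles
        if extra:
            findings.append(f"{host.name}:{acct.name} holds excess privileges {sorted(extra)}")
    if host.stores_sensitive_data and not host.data_encrypted:
        findings.append(f"{host.name} stores sensitive data unencrypted")
    if not host.audit_logging:
        findings.append(f"{host.name} has audit logging disabled")
    else:
        # Retention must cover the whole suspected dwell time, or the trail is gone.
        dwell = (discovered - earliest_entry).days
        if host.log_retention_days < dwell:
            findings.append(
                f"{host.name} keeps logs {host.log_retention_days} days but the suspected "
                f"dwell time is {dwell} days; intruder movement cannot be reconstructed"
            )
    if host.oldest_missing_patch_days > PATCH_SLA_DAYS:
        findings.append(f"{host.name} has a patch outstanding for {host.oldest_missing_patch_days} days")
    return findings


def sample_inventory():
    """Constructed inventory: one neglected host, one that passes every check."""
    neglected = Host(
        name="example-fileserver",
        accounts=[
            Account("svc_backup", sha256_hex("changeme"),
                    frozenset({"backup", "domain_admin"}), frozenset({"backup"})),
            Account("analyst1", sha256_hex("Constructed-Strong-Pass-1"),
                    frozenset({"reader"}), frozenset({"reader"})),
        ],
        stores_sensitive_data=True, data_encrypted=False,
        audit_logging=True, log_retention_days=30, oldest_missing_patch_days=120,
    )
    hardened = Host(
        name="example-workstation",
        accounts=[Account("analyst2", sha256_hex("Constructed-Strong-Pass-2"),
                          frozenset({"reader"}), frozenset({"reader"}))],
        stores_sensitive_data=True, data_encrypted=True,
        audit_logging=True, log_retention_days=365, oldest_missing_patch_days=3,
    )
    return [neglected, hardened]


def run_audit(hosts=None, discovered=date(2006, 7, 13), earliest_entry=date(2006, 5, 1)):
    """Audit every host. The discovery date is the one the article gives for
    Commerce; the earliest-entry date is an assumption made for this example."""
    hosts = sample_inventory() if hosts is None else hosts
    return {h.name: audit_host(h, discovered, earliest_entry) for h in hosts}


if __name__ == "__main__":
    for host, findings in run_audit().items():
        print(host, "->", findings or ["no findings"])
```

The retention check is the point Paller makes about Commerce: a 30-day log window cannot answer a question about a 73-day dwell time, so the audit flags retention relative to the suspected intrusion window rather than against a fixed number of days.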

These weaknesses need to be dealt with immediately, and not with more FISMA-like reports but with immediate actions, said Paller.

"Right now, every window and every door has a hole in it," he added. "You can get into basically any federal system without getting caught. It's criminal. The weaknesses are all over the place. They're wide open."
