Cyberattacks could have been mitigated
Agencies should improve relationships with service providers, experts urge
Agencies and their service providers need better coordination to quickly stop the type of cyberattacks that recently targeted government Web sites, security experts say.
The distributed denial-of-service (DDOS) attacks, which targeted a range of government and private-sector Web sites in the United States and South Korea, affected targets differently. Organizations that work closely with their service providers were able to sidestep the effects of the attacks more readily than those that don't, analysts say.
“Large banks in the United States have great relationships with service providers, so why doesn’t the U.S. government have a good relationship with their service providers to ensure that they can quickly turn the spigot off?” asked John Bumgarner, research director for security technology at the U.S. Cyber Consequences Unit, an independent research institute.
In recent years, large-scale DDOS attacks also hit Web sites in the nations of Estonia and Georgia. Those attacks and the recent incidents that targeted U.S. sites used botnets, in which computers, hijacked and controlled remotely, were used to overload systems, experts say. DDOS attacks are fairly simple cyberattacks, relying on sheer numbers to shut down Web sites.
Bumgarner said the inability of some agencies to mitigate the recent attacks shows the U.S. government didn’t learn the lessons of the attacks on Estonia and Georgia. He said those nations didn’t have established relationships with their providers that they could quickly use to their advantage during a national crisis.
Some of the security people at government agencies didn’t even know who their Internet service providers are, said Alan Paller, director of research at the SANS Institute. "The most important lesson learned: too many federal agency security people did not know which network service provider (NSP) connected their web sites to the Internet so they could not get the NSP to filter traffic," Paller added.
U.S. government sites reported to have been among the targets of the attacks that hijacked tens of thousands of computers include: the White House; the State, Transportation, Defense, Treasury, and Homeland Security departments; the National Security Agency; the Secret Service; and the Federal Trade Commission.
Nick Shapiro, a White House spokesman, said that as of the night of July 7, all federal Web sites were back up and running and that the attacks “had absolutely no effect on the White House's day-to-day operations.”
"The preventative measures in place to deal with frequent attempts to disrupt WhiteHouse.gov's service performed as planned, keeping the site stable and available to the general public, although visitors from regions in Asia may have been affected," he added.
However, the attack disrupted some other agency sites during the July 4 holiday weekend and into the early part of the work week, including the Treasury Department, Secret Service, Federal Trade Commission and Transportation Department, according to published reports.
In a statement, DHS said its U.S. Computer Emergency Readiness Team had issued a notice to federal departments and agencies advising them of steps to take to help mitigate such attacks. The department also said that attacks on federal networks happen every day and that “measures in place have minimized the impact to federal Web sites.”
Paller said DHS “did a really good job of finding those network service providers that the agency didn’t know about because they have good connections with them.”
Patricia Titus, former chief information security officer at DHS’ Transportation Security Administration and currently chief information security officer at Unisys Federal Systems, said she believed determinations on how to handle remediation were made on a case-by-case basis by the agencies depending on the nature of the attack. Titus said the slower pace at which some sites came back online could be a result of agency officials being cautious in their forensic work.
It’s also possible, she said, that the complexity of the information technology architecture of some agencies makes it more difficult for them to be nimble and come back online quickly. Titus said these types of incidents often “give an opportunity to the security office and the CIO to ask for additional funding for capabilities that they may not have had.”
Bumgarner said that for years, the government’s cybersecurity posture has been primarily focused on reducing information theft, and although that’s important, it represents only a small piece of a larger security picture.
“The success of these recent DDOS attacks suggests that our government may be missing some important pieces needed to complete the overall security puzzle,” he said.
Ben Bain is a reporter for Federal Computer Week.