Lawmakers press State, Commerce on cyber break-ins

The chairman of a House Homeland Security subcommittee confronted a State Department official about whether the department had responded appropriately to a computer system intrusion last year.

Rep. James Langevin (D-R.I.), chairman of the Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, told Donald Reid, State’s senior coordinator for security infrastructure, at a hearing yesterday that State had not correctly balanced business continuity and national security considerations in the face of the incident.

“I am not satisfied that the State Department has given proper weight to protecting national security,” Langevin said.

The hacking event, the details of which were revealed for the first time at yesterday’s hearing, occurred in May 2006, when a State employee opened a Microsoft Word e-mail attachment with embedded malicious code. The code established backdoor communications outside the department’s network.

Lawmakers also questioned Dave Jarrell, manager of the critical infrastructure protection program at the Commerce Department, about an intrusion into that department’s computer system that it discovered in July 2006. That incident led to the quarantining of several Commerce computers and to the implementation of enhanced cybersecurity protocols. Jarrell also indicated that a forensic inspection could not determine the date of the original penetration.

The State incident “led to the discovery of a previously unknown operating system vulnerability for which no security patch existed,” Reid said. As a result, a State task force “developed a temporary wrapper that would protect systems from being exploited further, but would not fix the vulnerability.”

Langevin criticized State for taking the temporary-wrapper approach, saying it was not prescribed for the threat presented, and for not more aggressively disconnecting department computers from the Internet.

Reid replied that a temporary fix was necessary because “it takes Microsoft two months or longer to issue a new security patch.”

Reid also defended the decision not to take State computers off-line, saying, “There is a business case to be made here. Our consular offices issue passports and visas. If you take the system off-line, all this comes to a screeching halt. We felt the risks were worth it.”

To this Langevin replied, “I am not satisfied you have erred on the side of protecting national security.”

Langevin also criticized State for failing to complete an inventory of its computer systems, citing a departmental inspector general report saying the job was only half done. Langevin suggested information could be compromised through relationships between classified and unclassified systems.

“We don’t necessarily agree with the IG’s conclusions,” Reid responded. “We are confident that hackers don’t have a route into our classified networks.”

But Greg Wilshusen, director of information security issues at the Government Accountability Office, who testified at the same hearing, confirmed that “the Department of State does not have a complete inventory” of its cyber assets and that unknown interconnections between classified and unclassified networks “could raise significant security violations.”

With regard to the Commerce hacking event, Langevin expressed concern that the department “has no idea how long the attackers were actually inside their systems” before it discovered the intrusion. He added, “though Commerce tells us that data was not lost, data can easily be copied and sent outside through the Internet.”

Rep. Bob Etheridge (D-N.C.) said the Commerce break-in was troubling because the extent of the information compromised is still unknown and “it may never be known.”

To this Jarrell replied that there were no known information losses. He added that the department was planning on implementing two-factor authentication for access to systems and was in the process of changing protocols for remote access.

“We are hoping to have done this fiscal year,” he said.

Buxbaum is a freelance writer in Bethesda, Md.