Federal networks susceptible to router hacks, DHS says

A newly released report and binding operational directive dating back to 2016 reveal alarm from DHS about network infrastructure security.

A 2016 report from the Department of Homeland Security on network infrastructure security sheds new light on how DHS was dealing with widespread vulnerabilities in a popular router used by federal agencies. 

The report, issued in conjunction with Binding Operational Directive 16-02 and made public for the first time this week, noted that as security practices for individual computers and devices have hardened, nation-state hackers have adapted by focusing on weaker network infrastructure devices, like routers, that "are often working in the background with little oversight -- until network connectivity is broken or diminished."

An increase in observable attacks on network infrastructure devices led then-DHS Secretary Jeh Johnson to issue the BOD on Sept. 27, 2016, deeming the vulnerabilities "critical." In a letter released along with the report, Johnson warned agencies that "for several years, network infrastructure devices have been the attack-vector of choice" for advanced persistent threat hacking groups to conduct denial of service attacks, data theft and alteration of data moving across federal networks.

He also made it clear that these threats were not hypothetical.

"We have witnessed our adversaries attempting to take advantage of these vulnerabilities to exploit Federal agency networks," Johnson wrote to agencies. "We anticipate that our adversaries will continue to try to take advantage of these vulnerabilities, as well as vulnerabilities we have yet to identify."

The report said that in August 2016, unspecified threat actors publicly released exploits for a number of vulnerabilities related to Cisco ASA routers and other devices. That timeframe overlaps with the Shadow Brokers release of hacking tools and exploits pilfered from the National Security Agency. It also coincides with the time period when federal government officials were reporting increased threats from Russia-based hackers targeting the U.S. government and election infrastructure.

Trevor Rudolph, a cybersecurity fellow at New America and former Obama administration cybersecurity official, was involved in clearing the report's initial release to federal agencies and critical infrastructure networks in 2016. Rudolph described the level of panic about the vulnerabilities among federal officials at the time as being on par with their response to the 2015 hacking of the Office of Personnel Management.

"The threat environment is huge as you might imagine. The surface is wide, given the prevalence of these devices," Rudolph said.

According to the report, Cisco began rolling out patches to address the vulnerabilities in 2011, but DHS was still worried about unpatched routers throughout the federal government in September 2016, saying attackers may have continued to target unpatched devices "months or even years" after the patches became available.

A spokesperson for Cisco told FCW that the DHS report "references issues found in ASA devices that were publicly disclosed in 2014 and 2016" by Cisco and others and that the company has been working to provide patches and guidance to its customers where necessary since then.

Rudolph said device manufacturers could have addressed many of the security concerns listed in the report by automatically pushing patches and updates to their devices instead of requiring manual input.

"I think progress on security is only going to come when you address the security of the underlying technology and essentially human-proof it," he said.

Officials from DHS did not respond to questions about the timing of the release, but Sen. Ron Wyden (D-Ore.) has been pushing the agency to make more documentation around BOD 16-02 public, telling the National Protection and Programs Directorate in a September 2017 letter that it "includes information that I believe would particularly inform the ongoing debate about cybersecurity."