Three years after Chinese hackers stole security clearance files and other sensitive personal information of some 22 million U.S. federal employees, cyber-defenses at the Department of Interior, which hosted White House Office of Personnel Management (OPM) servers targeted in the theft, were still unable to detect “some of the most basic threats” inside Interior’s computer networks — including malware actively trying to make contact with Russia.
In a 16-month examination of Interior’s ability to detect and respond to cyber-threats, evaluators from the department’s Office of Inspector General (OIG) also discovered that Interior’s technicians simply did not implement a sweeping array of mandatory, government-wide defensive measures ordered up after the disastrous OPM hack, didn’t investigate blocked intrusion attempts, and left “multiple” compromised computers on their network “for months at a time,” according to a redacted OIG report issued in March.
Ultra-sensitive security clearance files have since been moved to the Defense Department, but, among other things, the OIG report noted that:
● sensitive data at Interior could be taken out of the department’s networks “without detection.”
● network logs showed that a computer at the U.S. Geological Survey, an Interior bureau, was regularly trying to communicate with computers in Russia. The messages were blocked, but “the USGS facilities staff did not analyze the alerts.”
● dangerous or inappropriate behavior by network users — including the downloading of pornography and watching pirated videos on Russian and Ukrainian websites — was not investigated.
● computers discovered to be infected with malware were scrubbed as soon as possible and put back into use—meaning little or no effort went into examining the scope and nature of any such threats to the broader network. This happened, the OIG team noted, with one intruder they discovered themselves.
● simulated intrusions or ransomware attacks created by the examiners were carried out with increasing blatancy without a response—in the case of ransomware, for nearly a month
● After the devastating OPM hack, which was discovered in April 2015, the department didn’t even publish a lessons-learned plan for its staffers based on the disaster. The OIG inspectors reported that Interior started to draft an “incident response plan” that month to deal with future intrusions, but “did not publish it until August 2017”— two months after the OIG team had finished their lengthy fieldwork.
● Distressingly, the report also notes that the department’s cybersecurity operations team was not privy to a list of Interior’s so-called “high-value IT assets” prepared by the Chief Information Officer, “due to its sensitive nature.”
In other words, the people tasked with protecting Interior’s most important information sites were not told what they were.
The report notes that such assets include “IT systems, facilities and data that are of particular interest to nation-state adversaries, such as foreign military and intelligence services.” They also often “contain sensitive data or support mission-critical Federal operations.”
In short, “there hasn’t been a lot done” in the wake of the devastating OPM hack, an official in the Inspector General’s office told Fox News. And, to make matters even worse, the OIG official said, “It’s likely that the same tests at other [federal] agencies would yield the same results.”
When OIG staffers presented 23 recommendations to fix the huge gaps in Interior’s digital defenses, the department’s top IT officials agreed — but said some of the most important fixes would take as many as five years, due to budgetary constraints.
“This is totally unacceptable and absurd,” says Jason Chaffetz, former head of the House Committee on Oversight and Government Reform, which in 2016 issued a scathing report on the lapses surrounding the earlier OPM security breach. (Chaffetz has left Congress and is now a Fox News contributor.)
“With one good trip to Best Buy we might be better off,” he added.
A top cybersecurity expert consulted by Fox News concurred, called the report “pretty damning” and evidence of “gross negligence” on the part of Interior’s top cyber-officials. The expert has a deep knowledge of federal information systems and experience with national security issues.
The long-term neglect, inertia and disarray concerning information security at Interior and other parts of the federal bureaucracy dates back to the Obama administration and beyond. But now they offer a steep challenge to the Trump administration, which is trying to impose its own cybersecurity agenda along with a sustained program of information technology-driven management modernization on the shambolic federal bureaucracy.
It is further complicated by previous federal efforts to centralize and rationalize the bureaucracy, including creation of a number of “shared business centers” across the government.
The business center at Interior offered — and still offers -- human resources services to 150 federal agencies, according to its website.
That is where OPM’s personnel servers were located. Though OPM itself was responsible for maintaining the security of its servers, according to the OIG report the hackers who stole personnel files “moved through the U.S. Office of Personnel Management environment through a trusted connection to the [Interior] Department’s data center, pivoting to human resources systems hosted by the Department.”
'With one good trip to Best Buy we might be better off.'
Such “lateral” connections across the government provided by the service centers are a “gold mine” to foreign intelligence hackers when penetrated, according to the cybersecurity expert consulted by Fox News.
In addition, databases at the Interior Department offer foreign hackers additional sensitive troves.
Interior’s nine bureaus may be best known for managing the nation’s national parks and vast land resources. But federal lands and waters also supply some 30 percent of U.S. oil and gas production, and the department’s bureau of reclamation is the country’s second-largest provider of electrical power. The U.S. Geological Survey monitors water resources and harvests satellite data on a global basis.
Geothermal, solar and wind resources are also concentrated on federal lands, and the department also oversees the safety and environmental soundness of offshore drilling.
In an executive order issued last May, President Trump explicitly declared that “the executive branch has for too long accepted antiquated and difficult-to-defend IT,” and that “known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies.”
Heads of federal agencies were supposed to begin reporting on their “risk management measures” to deal with those problems within 90 days of the May 11, 2017, executive order -- while the OIG evaluation of Interior was still in progress. Field work on the Interior report ended a month later, in June.
Queried about the dismal evaluation of Interior’s cyber-defenses, a senior official in the White House Office of Management and Budget, which is in charge of the administration’s cybersecurity makeover, told Fox News that “we all acknowledge there are gaps across the Dot-Gov”-- shorthand for the federal government’s digital domain.
But, he added, “we are leveraging our authority to manage and eliminate these deficiencies. We have put down very ambitious markers and said, here is where we need to go.”
In particular, “we are laser-focused on cyber-security,” he said.
That imperative was reinforced, the official said, in the President’s Management Agenda, a document issued last month that laid out an ambitious, long-term plan for modernizing the federal government, with a sweeping upgrade of information technology as a key tool, along with a reorganization and upgrading of the federal work force and its management—especially the IT work force.
Money needs for the tech upgrade are supposed to come from a renewable, $500 million Technology Modernization Fund. In addition, the president’s proposed 2019 budget — which only happens insofar as Congress lets it — contains some $80 billion in IT and cybersecurity spending, ostensibly a 5.2 percent increase.
Even though the administration’s makeover plans are being pressed forward vigorously and as fast as possible, the presidential management agenda also warns that “deep-seated transformation takes time and will not happen in one or two years.”
The pressure to carry out all those ambitious tasks is supposed to come from, among other things, “continuous performance improvement,” by means of relentless monitoring of results. In cybersecurity, these include annual “performance audits,” carried out under the Federal Information Security Modernization Act and known as FISMA reports, along with an annual report card on information technology acquisitions.
In 2017, Interior’s heavily redacted FISMA account points to numerous holes in Interior’s defenses in a wide array of its departments, and an overall assessment that deficiencies were noted across all the conceptual areas of cybersecurity. The department’s score on the technology acquisition report card dropped from B+ to C in 2017.
In the shorter term, the administration is pinning its hopes on an aggressive move to cloud-based services and other technologies that will move government departments like Interior away from the “perimeter” defenses that the OIG report shows they might not be carrying out in the first place.
The strategy was outlined in yet another report to the president, on Federal IT modernization, issued last December.
The December report underlines that achieving its goals “will require an active shift in the mindset of agency leadership…IT practitioners, and oversight bodies.”
The evaluation of cyber-defenses at Interior is evidence that shift is not yet underway.