The recent release of a treasure trove of internal Democratic National Committee emails by WikiLeaks has once again put government cybersecurity capabilities front and center. It’s not a typical hack, as all signs are pointing to this being a state-sponsored attack with the intention of swaying U.S. elections. But it’s just another in a string of breaches that are calling into question the U.S. government’s ability to protect and defend its information security infrastructure.
There has been some discussion following the DNC breach as to whether the electoral system should be considered part of the U.S. critical infrastructure. Some have even suggested the incident could be construed as an act of war, considering that the suspected attackers are from a Russian group with ties to the country’s intelligence forces.
Any form of retaliation may not be wise. But the unprecedented scale and scope of this attack leave no question that the consequences could be catastrophic to the integrity of the U.S. electoral process, and even to the foundation of democracy itself.
DNC attack sets new precedent
The breach, which led to the disclosure of some 20,000 committee emails and other documents, was not an isolated incident. Shortly after it became public, two other attacks came to light — on the Democratic Congressional Campaign Committee (the party’s fundraising arm) and on the campaign of Democratic presidential contender Hillary Clinton.
The same group, called Fancy Bear and connected to Russian military intelligence (the GRU), has been implicated in all three attacks. Taken together, the attacks appear to have been orchestrated to cause turmoil for the Democratic Party and to influence election results.
Cyberattacks on political campaigns are not new. The campaigns of both Barack Obama and John McCain were breached by Chinese hackers in 2008. Other countries’ political entities have been targeted as well.
What makes this breach stand out is both its sophistication and the extent of the compromise. The attackers had access to email and chat traffic for almost a year, which speaks not only to the planning and discipline behind their execution but also to an operation that was well funded and extremely organized.
It’s fair to say there hasn’t been such an elections-related information theft since Watergate. And it’s likely only the beginning of many more “digital Watergate” incidents yet to come. After all, we no longer live in a time when spying relies on the physical bugging of offices, as it did in the Nixon era. As sensitive and private communications and documents have moved into cyberspace, so has political espionage.
Broader government cyber weaknesses remain
Unfortunately, this latest incident is not a big surprise. It has been a little more than a year since the massive Office of Personnel Management breach compromised 21.5 million federal employee records and more than 5.6 million fingerprints. But despite a push from the White House and federal officials to lock down cyber infrastructure, including a 30-day “Cybersecurity Sprint” last year and steps taken in accordance with the Federal Information Security Modernization Act (FISMA) of 2014, federal agencies remain open to the type of foreign exploitation we saw during the DNC incident.
FISMA requires federal agencies to implement agency-wide information security programs for their information systems and data. A March annual report to Congress on FISMA noted progress including a drastic reduction in the number of active critical vulnerabilities in federal systems and a 30 percent increase in strong authentication.
However, major gaps remain. For example, 24 top agencies scored a 68 percent average in their ability to detect and block unauthorized software while at the same time experiencing an increase in incidents such as social engineering and suspicious network activity.
A survey released earlier this summer by KPMG and (ISC)2 found that of 54 senior U.S. cybersecurity managers, 59 percent said their agency “struggles to understand how cyberattackers could potentially breach their systems,” while 40 percent didn’t know where the agency’s key assets were located. Adding to the challenge is the fact that 80 percent of the government’s $80 billion IT budget is dedicated to maintaining legacy systems.
At the same time, the government is more frequently targeted by cyberattackers. During FY ’15, federal agencies saw a 10 percent increase in cybersecurity incidents (to more than 75,000), according to the FISMA report. The government overall rose to the No. 4 spot last year for being the most-attacked sector — behind only healthcare, manufacturing and financial services — according to IBM.
Cautiously optimistic about progress
It’s interesting to note that following the breach disclosure, the DNC put together a four-person cybersecurity advisory board that has no actual cybersecurity experts on it. Rather, the panel includes prominent policy and information technology leaders. This seems to send a mixed message about DNC’s commitment to avoid an encore.
Fortunately, there are promising signs that the technology and executive leadership within the government are embracing the notion that the status quo is dangerous.
The Department of Defense launched a pilot “Hack the Pentagon” program this year to encourage white hats to find vulnerabilities in the department’s public-facing systems. At the same time, the Obama administration announced a Cybersecurity National Action Plan that includes, among other things, a focus on multifactor authentication, the proposal of a $3.1 billion Information Technology Modernization Fund, a $19 billion cybersecurity investment in the FY ‘17 budget request and the creation of a new position of federal chief information security officer (CISO).
Federal CIO Tony Scott is also pushing for the technology modernization plan, as well as being a major proponent of replacing legacy technology with secure cloud software. Prior to the OPM breach, opening up DoD systems to ethical hackers or advocating for moving government data to the cloud may have been implausible. Let’s be cautiously optimistic that these kinds of initiatives are a sign that the tide is turning.
The federal government is not exactly known for embracing emergent technology. But it wouldn’t be fair to say that the government is not capable of innovation; a look at the cutting-edge data analytics and marketing technology used by the DNC itself proves otherwise. The question is whether the same innovative thinking can cross over into the more critical sectors, especially cybersecurity infrastructure.
Sekhar Sarukkai is a co-founder and the chief scientist at Skyhigh Networks, driving the future of innovation and technology. He has more than 20 years of experience in enterprise networking, security and cloud services development.