While it was far from being the “shot heard ’round the world” of Revolutionary War fame, the cyber attack on the Pacific Northwest National Laboratory over July 4th weekend this year did represent a significant first blow in the search for liberty for that organization – specifically, liberty from being hacked.
As reported in InformationWeek, PNNL, a Richland, WA-based R&D lab under contract to the Department of Energy:
“discovered what it described as a 'sophisticated' targeted attack on its systems the Friday before the holiday, compelling the organization to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access. PNNL also blocked internal traffic while investigating and mitigating the attack. The lab says no classified or sensitive information was accessed in the attack.”
In the weeks following the attack, PNNL revealed that the attack had been a two-pronged cyber-assault on its systems. The perpetrators first “exploited an undisclosed bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines.”
The attack was one of literally hundreds perpetrated upon government agencies and their contractors this year. It came only days before the Department of Defense revealed one of its private contractors had been the victim of the largest cyber theft of sensitive files – 24,000 – in the government’s history.
The question for the government remains: how does it defend itself from these attacks and proclaim its independence from hackers?
We Hold These Truths Self-Evident
Former Federal CIO Vivek Kundra identified at least part of the problem with the government’s cyber-security plans prior to stepping down in August. He said the problem was not a lack of potential solutions but a lack of implementation of them. He even went so far as to charge his successor with less planning for IT and more focus on its execution. Of this he said,
"My advice would be to be aware of entropy and make sure that you’re really, really focused on execution, not just on policies. You need to roll up your sleeves and get some work done."
By his own admission, US government IT under Kundra had serious shortcomings in bringing projects to fruition, including data center consolidation, cloud computing and continuous security monitoring.
The GAO went one step further in its investigation into the government’s preparedness for cyber attacks and openly questioned the DoD’s ability to keep up with the threats of cyberspace. Among the chief issues identified by the GAO were the multiple and often contradictory government publications that discuss how to handle cyber threats. These documents cannot even come to a consensus regarding terminology and job responsibilities.
Our Lives, Our Fortunes, and Our Sacred Honor
That the cyber attack on the PNNL labs revealed yet another software vulnerability is not insignificant, nor is it lost on the government, fortunately. The action plan the Department of Homeland Security unveiled in July is among the first to acknowledge that internal IT systems and not just external relationships are one of the keys to cyber defense.
The DHS recognizes that any cyber security policy needs to include automated structural analysis of application software. By identifying areas where the applications in use may not live up to optimal software quality standards, the government can work toward plugging the holes and give cyber infiltration efforts fewer points to breach.
Software is just one small part of the plan. The lion’s share looks toward diplomatic and external measures as well as procedural items. Nevertheless, if the software being used by the government lacks in terms of structural quality, hackers – independent or supported by foreign governments – will find a way to exploit it. By identifying those holes in the software, though, it gives the government the chance to identify potential breach points and close vulnerabilities that serve as entry points to future hackers.
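To make the "automated structural analysis" idea above concrete, here is a small added example (not code from the original post, and not anything DHS, PNNL or the DoD have published) that walks a Python module's abstract syntax tree and reports constructs a structural-quality policy would typically flag: dynamic code evaluation, deserialization of untrusted input, shell commands built from strings, and bare except clauses that hide failures from operators. The rule names, the `DANGEROUS_CALLS` table and the `SAMPLE` module are all constructed for illustration; a real programme would run a checker like this over every application in the inventory and track the findings over time.

```python
"""Minimal automated structural-analysis check for Python source.

Added example: walks a module's abstract syntax tree and reports constructs
that a structural-quality policy would typically flag. The rule names,
DANGEROUS_CALLS and the SAMPLE module are constructed for illustration.
"""
import ast
from dataclasses import dataclass

# Calls whose presence usually indicates a structural weakness worth review.
DANGEROUS_CALLS = {
    "eval": "dynamic code evaluation",
    "exec": "dynamic code execution",
    "pickle.loads": "deserialization of untrusted data",
    "os.system": "shell command built from a string",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _call_name(node: ast.Call) -> str:
    """Return a dotted name such as 'pickle.loads' for a call node, or ''."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class StructuralChecker(ast.NodeVisitor):
    """Collects findings while visiting every node of the parsed module."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append(
                Finding("dangerous-call", node.lineno, f"{name}: {DANGEROUS_CALLS[name]}")
            )
        # subprocess.* with shell=True hands a string to the shell for parsing.
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self.findings.append(Finding("shell-true", node.lineno, f"{name} called with shell=True"))
        self.generic_visit(node)

    def visit_ExceptHandler(self, node: ast.ExceptHandler) -> None:
        # A bare 'except:' swallows every error, hiding failures from operators.
        if node.type is None:
            self.findings.append(Finding("bare-except", node.lineno, "bare except clause"))
        self.generic_visit(node)


def analyze(source: str) -> list[Finding]:
    """Parse source text and return its findings sorted by line number."""
    checker = StructuralChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample module for demonstration; not real PNNL or DoD code.
SAMPLE = """\
import os, pickle, subprocess

def run(cmd):
    subprocess.call(cmd, shell=True)

def load(blob):
    try:
        return pickle.loads(blob)
    except:
        return None

def calc(expr):
    return eval(expr)
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Running the script against `SAMPLE` reports four findings (lines 4, 8, 9 and 13). The point of the design is that the check is structural rather than textual: it inspects the parsed tree, so renaming variables or reformatting code does not let a flagged construct slip past, which is what distinguishes automated structural analysis from a simple string search.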
So while the Department of Defense – and its contractors, such as PNNL – may not yet be prepared to withstand a cyber attack, by beginning to address the structural quality of their application software they may indeed begin to declare their independence from hackers.