The Federal Election Commission was hit by a massive cyberattack hours after the government shutdown began, according to a report from the Center for Public Integrity. The CPI report claimed the Chinese were behind "the worst act of sabotage" in the agency's 38-year history.
Three government officials involved in the investigation confirmed the attack to CPI, and the FEC acknowledged the incident in a statement. However, the CPI report did not explain why the officials believed China was involved, or provide any details of the network intrusion beyond the fact that attackers crashed several FEC computer systems. When asked for a statement, FEC referred Security Watch to the Department of Homeland Security and did not provide any information.
That an attack occurred during the 16-day shutdown should not be a big surprise, since many security experts had warned that attackers might take advantage of IT personnel being furloughed to launch an attack. With fewer people watching the networks, there was a lot of opportunity for attackers. In fact, the FEC had furloughed all 339 agency employees, as none of its staff had been considered "necessary to the prevention of imminent threats" to federal property, according to CPI.
"High Risk" for Network Intrusions
Hindsight is 20/20, but the attack happened almost a year after an independent auditor had warned the FEC that its IT infrastructure was at "high risk" for attack. The auditor pointed out that while the FEC had some policies in place, they were not sufficient and immediate action was required to reduce the risks. The FEC disagreed with the majority of the auditor's recommendations, arguing its systems were secure.
"The FEC's information and information systems are at high risk because of the decision made by FEC officials not to adopt all minimum security requirements that the Federal government has adopted," auditors from Leon Snead & Company wrote in November 2012.
Issues included passwords that never expired, had not been changed since 2007, or had never been used to log in. Disabled accounts remained in Active Directory, and laptops issued to contractors used the same "easily guessed" password, according to the report. Even though the FEC required two-factor authentication on its computer systems, the audit identified 150 computers that could be used to connect remotely to FEC systems but did not have the additional protection enabled. Auditors also flagged poor patching processes and outdated software.
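As an added illustration, not taken from the article or the audit report, the following Python script runs the kinds of account-hygiene checks the auditors described (non-expiring passwords, stale passwords, enabled accounts that never logged in, disabled accounts left in the directory) over a constructed sample of directory account records; the field names, the 90-day thresholds and the November 2012 reference date are assumptions, and the shared contractor password finding is not modelled.

```python
from datetime import date

# Constructed sample records (not real FEC data), shaped like a directory export.
# pwd_last_set and last_logon are ISO dates; last_logon None = never logged in.
ACCOUNTS = [
    {"name": "jdoe", "enabled": True, "pwd_never_expires": False,
     "pwd_last_set": "2012-09-01", "last_logon": "2012-10-28"},
    {"name": "svc_backup", "enabled": True, "pwd_never_expires": True,
     "pwd_last_set": "2007-03-15", "last_logon": "2012-10-30"},
    {"name": "contractor7", "enabled": True, "pwd_never_expires": False,
     "pwd_last_set": "2011-06-01", "last_logon": None},
    {"name": "former_emp", "enabled": False, "pwd_never_expires": False,
     "pwd_last_set": "2009-01-20", "last_logon": "2009-02-01"},
]

AS_OF = date(2012, 11, 1)  # assumed reference date near the audit


def audit_accounts(accounts, as_of, max_pwd_age=90, disabled_grace=90):
    """Return {name: [finding, ...]} for every account that matches one of
    the weaknesses the audit described. Thresholds are assumptions."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct["enabled"]:
            # Disabled accounts should be removed after a grace period,
            # not left in the directory indefinitely.
            last = acct["last_logon"]
            idle = (as_of - date.fromisoformat(last)).days if last else disabled_grace + 1
            if idle > disabled_grace:
                issues.append("disabled account left in directory")
        else:
            if acct["pwd_never_expires"]:
                issues.append("password never expires")
            age = (as_of - date.fromisoformat(acct["pwd_last_set"])).days
            if age > max_pwd_age:
                issues.append("password older than %d days" % max_pwd_age)
            if acct["last_logon"] is None:
                issues.append("enabled account never used to log in")
        if issues:
            findings[acct["name"]] = issues
    return findings


def summarize(findings):
    """Count how many accounts carry each finding, audit-report style."""
    counts = {}
    for issues in findings.values():
        for issue in issues:
            counts[issue] = counts.get(issue, 0) + 1
    return counts


def run_audit():
    return audit_accounts(ACCOUNTS, AS_OF)
```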
"The controls in place reflect the appropriate level of security and acceptable risk to support the mission and safeguard the data of the agency," the agency said in its response to the audit.
It's not clear whether the attackers took advantage of the poor passwords or any of the other issues flagged in the report during the October attack. Considering the agency had dismissed the criticisms in the audit report, it is likely many of the issues remained unresolved as of October.
Security, Not Regulations
The agency needed to adopt NIST IT security controls in FIPS 200 and SP 800-53 and mandate that all contractors and third-party providers follow the requirements outlined in the Federal Information Security Management Act of 2002 (FISMA), the auditors said. Contractors working with the federal government have to comply with FISMA, and just because the FEC was FISMA-exempt didn't mean the contractors were, the auditors said.
The FEC appeared to be making IT security decisions based on what the agency is legally required to do, rather than considering what would make the agency's information and information systems more secure, the audit report said.
It's important for organisations to realise that security isn't just about checking off a list of guidelines and standards. Administrators have to think about what they are doing and make sure their actions are in line with what their infrastructure needs. The FEC insisted it had policies and guidelines in place to protect its data and networks, and that these were sufficient because they complied with a different security directive. The agency had not stopped to consider whether those controls and policies actually made its network secure.
The FEC's poor security posture meant that its "computer network, data and information is at an increased risk of loss, theft, manipulation, interruption of operations, and other adverse actions," the report warned.
And we are left wondering what the attackers did that made the intrusion the biggest act of sabotage in the agency's history, and which other agencies may have been hit over the same time period. We can only hope other agencies had done a better job of meeting minimum security standards for their data and networks.