Is State Dept. E-Mail Hack Continuing?
Officials Refuse to Confirm Details, or Who Is Behind Attack
The State Department is declining to confirm the accuracy of news reports that a breach of its unclassified e-mail system discovered three months ago continues today.
State Department spokeswoman Jen Psaki, at a Feb. 20 briefing, declined to answer specific questions about media reports that security teams have not yet been able to stop hackers from accessing the department's e-mail system.
"I'm not getting into that level of detail," Psaki said. "There are thousands of attacks from many sources that we deal with every single day, and a reason why I think there has been a focus on this particular incident is because of its extent and how broad it was. Obviously, we took steps to combat that, but it is something we work on every day."
In November, the State Department shuttered its unclassified e-mail system over a weekend as a result of a suspected hack (see State Department Shutters E-mail System). At the time, a senior department official told the Associated Press that the breach was detected in the system around the same time as a previously reported incident that targeted the White House computer network.
Psaki declined to discuss who might have hacked the e-mail system. The Wall Street Journal and Bloomberg News, citing government officials who requested anonymity, report that a number of factors suggest the attack might be linked to Russia.
The State Department - assisted by outside contractors and the National Security Agency - has repeatedly scanned its network and continues to see signs of the hackers, the Journal reports. Each time investigators find a hacker tool and block it, the intruders tweak it slightly to attempt to sneak past defenses, the newspaper reports, citing people familiar with the investigation.
In January, a State Department inspector general report said the integrity of the department's information security program is at significant risk because of recurring weaknesses the agency has failed to address (see IG: State Department Security Program Weak). Among the IG's recommendations is that the NSA conduct penetration tests on State Department systems. But the department responded that its law enforcement agency - the Diplomatic Security Service - could conduct penetration tests.
Dwayne Melancon, chief technology officer at the IT security firm Tripwire, says he understands the unease State Department security officials are experiencing. "Restoring trust after a data breach can be really frustrating because it feels like a game of whack-a-mole," Melancon says. "As you clean up one system, it gets re-infected by another. Even worse, if an attacker gains a foothold inside of your network they can wait until your attention has shifted to other things before infecting a new machine, making it much easier for them to move around in your infrastructure. All these factors significantly increase the difficulty of getting rid of compromised systems."
Lurking in Systems
Bruce Brody, a former CISO at the Energy and Veterans Affairs departments, says he understands why hackers could be found lurking in systems months after their initial discovery. "Government agency networks are somewhat of a work in progress," says Brody, founder of Leaders in Cyber, a group that champions the role of CISOs. "Each agency has subordinate operating administrations, each of which has their own appropriation, and almost none of them fall under the governance of the CIO. These networks all operate in their own way, usually with their own rules, with power and authority resembling medieval fiefdoms rather than coherent top-down management. Any bad guy can get into any government agency almost at will."
Garet Moravec, founder of cybersecurity strategy adviser Bend the Bar, says the Cyber Threat Intelligence Integration Center being formed by the Obama administration could help mitigate problems such as the one the State Department reportedly faces. CTIIC (pronounced see-tick), as the center is known, will analyze information culled from other agencies to battle cyberthreats posed to the government and the private sector (see White House Creates Cybersecurity Agency).
"CTIIC could propel intelligence-driven network defense techniques such as the kill-chain model to identify patterns and behaviors that link intrusions to specific individuals, groups or nation states," Moravec says. "Systematizing intrusion detection and incident response procedures - coupled with more dynamic measures like applying human behaviors in relationship to cyber defense - are essential to enable organizations to protect their assets while simultaneously hindering adversaries, causing hackers to commit errors in pursuit of their destructive goals."