Federal cyber incidents reveal challenges of implementing US National Cybersecurity Strategy

News Analysis
Jun 05, 2023 | 7 mins
Critical Infrastructure | Cyberattacks | Government

As federal government cybersecurity incidents continue to mount, the Biden administration's National Cybersecurity Strategy should help, although experts say implementing it won't be easy.


Microsoft revealed on May 24 that the Chinese threat group Volt Typhoon attempted to gain access to communications systems in the United States, including Navy infrastructure on Guam. Secretary of the Navy Carlos Del Toro later confirmed the Navy “has been impacted” by the cyberattacks, although he provided no further details.

Following the release of the report, a joint advisory published by the FBI, NSA, CISA, and the Five Eyes partner cybersecurity agencies of Australia, New Zealand, the United Kingdom, and Canada detailed the group’s primary tactics, techniques, and procedures (TTPs). The advisory is part of a relatively new approach of warning about these kinds of operations quickly in order to undercut them.

The Biden administration earlier this year announced a comprehensive National Cybersecurity Strategy that seeks to bolster federal government cybersecurity and foreclose incidents like these even earlier. Officials expect the administration to soon release guidance for agencies on implementing the strategy, although experts say implementing that guidance won’t be easy.

Recent significant federal government cyber incidents

The Navy incident follows a spate of recent and significant intrusions, thefts, and financially motivated attacks on US federal government systems, as outlined in the following timeline. Not surprisingly, most of these incidents entailed foreign threat actors seeking to engage in surveillance or steal government assets.

  • May 2023 – The personal information of 237,000 current and former federal government employees was exposed in a data breach at the US Transportation Department (USDOT), affecting systems for processing TRANServe transit benefits that reimburse government employees for some commuting costs.
  • March 2023 – CISA, the FBI, and MS-ISAC announced that two threat actors, one of them the Vietnamese XE Group, hacked an unnamed US federal agency’s Microsoft Internet Information Services (IIS) web server by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI for ASP.NET AJAX component.
  • February 2023 – The US Marshals Service suffered a significant security breach when ransomware hackers broke into and stole data from a computer system, including a trove of personal information about investigative targets and agency employees.
  • January 2023 – CISA discovered malicious activity within the networks of multiple federal civilian executive branch (FCEB) agencies using the EINSTEIN intrusion detection system in a “widespread, financially motivated phishing campaign.”
  • December 2022 – Hackers gained access through a false account to data on more than 80,000 members of the FBI threat information-sharing program, Infragard, and began selling data stolen from it.
  • November 2021 – Hackers gained access to the FBI’s Law Enforcement Enterprise Portal, sending spam emails to potentially thousands of people and companies with a faked warning of a cyberattack. The email referenced an international hacker group called the Dark Overlord, which allegedly steals data and demands large ransoms for its return.
  • March 2021 – Russian hackers accessed emails in the State Department’s Bureau of European and Eurasian Affairs and Bureau of East Asian and Pacific Affairs, although it’s unclear if the theft was part of the SolarWinds breach.
  • December 2020 – Hackers from Russia’s SVR intel agency were discovered to have breached multiple government agencies and at least 200 other organizations worldwide, including NATO, the UK government, the European Parliament, and Microsoft, through a supply chain attack on business software supplier SolarWinds’s Orion software.
  • October 2020 – The Cybersecurity and Infrastructure Security Agency (CISA) said it consistently observed Chinese Ministry of State Security-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target US Government agencies.
  • August 2020 – The FBI said elite hackers working for the Iranian government, identified separately as the Fox Kitten or Parisite group, were detected attacking the US private and government sectors.
  • April 2020 – The Department of Health and Human Services, which oversees the Centers for Disease Control and Prevention, was struck by a surge of daily attacks by Chinese threat actors seeking to steal coronavirus research.
  • February 2020 – The Defense Information Systems Agency warned of a data breach that may have exposed social security numbers and other sensitive information on 8,000 military staff and contractors.
  • January 2020 – The US Office of Inspector General (OIG) said that hackers who exploited a Citrix ADC zero-day vulnerability breached US Census Bureau servers.

Biden’s strategy seeks to harden federal infrastructure

More than any previous administration, the Biden administration has taken a serious step forward to secure federal government infrastructure (and, by extension, the private sector through government contractor requirements) with its expansive National Cybersecurity Strategy, released in March.

The strategy outlines five broad “pillars” of cybersecurity efforts that civilian agencies must meet, including approaches to defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and enhancing public-private operational collaboration to disrupt adversaries.

But the details of how agencies should start tackling the challenges won’t be fully understood until the administration releases the strategy’s implementation guidance, which officials say could occur over the next month or so.

Implementing the strategy will be a challenge

No matter how the guidance shakes out, government agencies’ challenges in implementing the strategy will undoubtedly be significant. First off is the sheer size and complexity of the federal government.

“It’s difficult for people to understand the scale of the federal government,” Michael Daniel, head of the Cyber Threat Alliance, tells CSO. “It’s got so many different departments and agencies and pieces and commissions and structures, and it’s geographically distributed. So, the challenges you face of moving all of that enormous enterprise along, the effort you have to go to make those changes, it’s enormous and should not be understated.”

Shawn Henry, CSO at CrowdStrike, praises the strategy as an essential step but also sees the sprawling nature of the federal government as a vexing variable in implementing the strategy. “When you think about the federal government, the multiple agencies, civilian agencies, and military agencies, the spread of those organizations, of their people and their facilities and each of those agencies from an administrative perspective, reporting up to a different enterprise,” it’s a challenge, he tells CSO.

Centralization is key

For Henry, who spent two decades in the federal government before joining the private sector, the goal of a sound cybersecurity strategy is centralization, which is especially true for the government. “I talk to companies all the time about having their overall strategy, their coordination in a centralized manner because only then can you have full visibility into what’s happening and a sense of accountability,” he says. “And historically in the government, things have been spread across all civilian agencies, the intel community, and the Department of Defense. So, it’s really, really important [to centralize] when you’ve got too many silos and too many people, the proverbial too many cooks in the kitchen.”

Likewise, Daniel thinks it’s crucial to centralize cybersecurity in the most capable parts of the government. “How do you continue shifting the burden away from every little department and agency, whether it’s the Marine Mammal Commission to the Department of Justice? How do you have the more capable agencies being the ones providing cybersecurity? How do you centralize more of that?”

Feds won’t be starting at square one

Aside from the greater need for centralization, Daniel and Henry think the cybersecurity challenges the federal government faces are not really that different from those faced by private sector organizations. “There are more similarities than there are differences,” Henry says.

“When you look at the issues that the federal government faces in cybersecurity at one level, they’re no different than what major corporations and other businesses face in the United States,” Daniel says.

The federal government won’t be starting at square one once the implementation process gets underway, because departments and agencies have already been moving toward better cybersecurity for years. Nonetheless, full implementation of the strategy will be a long slog.

Henry thinks there are some areas where the government could make quick wins at the outset, such as eliminating known problematic software from federal systems. “I’ve been concerned as a citizen and security professional to see the continued reliance on different software vendors that have proven to be vulnerable for many years. I call it a self-inflicted wound,” he says. “And when we’re using software that’s vulnerable over and over and over again, the most exploited software that we’ve seen, that’s a problem. It’s like leaving your front door unlocked sometimes and then wondering why you got robbed. If we’re using software that’s consistently vulnerable, and then it gets breached by China, well, shame on us.”