Lawmakers expressed concern Thursday that multiple U.S. agencies whose networks were hacked recently can't be sure they've fixed their vulnerabilities because of poor cybersecurity practices.
Several agencies haven't completed inventories of their IT equipment, and can't know how badly they've been compromised, said Representative James Langevin, a Rhode Island Democrat, during a hearing of the House of Representatives Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
"We don't know the scope of our networks," said Langevin, chairman of the subcommittee. "We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."
Cybersecurity officials from the U.S. Department of State and Department of Commerce assured lawmakers that they fixed the holes that led to network intrusions in 2006. "We felt pretty confident we had a good plan in place," said Donald Reid, senior coordinator for security infrastructure in the State Department's Bureau of Diplomatic Security.
Reid described an attack on the State Department's unclassified network in May 2006. An agency employee in the Far East opened an e-mail containing a Microsoft Word attachment with exploit code hidden inside it, he said. At the time, there was no patch available, Reid said.
The malicious code established backdoor communications outside the agency's network, using a Trojan horse, he said. But the State Department's intrusion detection system immediately detected the problem, and the agency's incident response team used a temporary wrapper to protect systems against the vulnerability, Reid said.
The attackers took advantage of a "zero-day" exploit, Reid said. "We're in new territory," he said. "We're trying to learn as we go along."
Although Reid assured the subcommittee that the State Department's unclassified and classified networks are separate, Langevin said neither the State nor the Commerce department has completed an inventory of its networks. Both agencies received F grades in cybersecurity in scores released by Congress last week, he noted.
The inspector general's office at the State Department said in 2006 that the agency had inventoried less than 50 percent of its IT systems, Langevin said. If the agencies haven't completed an inventory, "then they can't know for certain these incidents don't involve the classified networks," Langevin said.
But Reid said the State Department has now completed an inventory on "far more than 50 percent" of the agency's IT equipment. The classified and unclassified networks are separate, he said. "We're very confident there's no bleed over," he added.
Subcommittee members also questioned how the Commerce Department could not pinpoint the date of an attack the agency discovered in July 2006. The agency was unable to recover firewall logs from earlier than eight months before it discovered three agency computers attempting to access unauthorized resources, said David Jarrell, manager of the critical infrastructure protection program in the agency's office of the chief information officer.
The agency "cannot clearly define the amount of time the perpetrators were inside its ... computers before their presence was discovered," Jarrell said.
The agency "has no evidence to show that data was lost," he added.
Representative Bob Etheridge, a North Carolina Democrat, called Jarrell's testimony "troubling on many levels to me."
The hearing is a good first step toward recognizing that many U.S. agencies have been victims of cyberattacks, said Alan Paller, director of research at the SANS Institute, a security research and training company in Maryland. The U.S. government and key defense contractors are under "continuous and increasingly sophisticated attacks" from other nations, Paller said.
"The attacks work," he added. "Penetrations are deep and broad. Terabytes of highly sensitive information have been stolen and systems are under the control of the attackers. Many agencies do not even know how many of their computers are under the control of foreign nation-states."
With the federal budget tight, the best option is for the federal government to pressure IT vendors to bake security into their products, Paller said.