Government Cyber Weaknesses & the Need for White Hats

Have White Hat, Will Travel

“A young boy, with greasy blonde hair, sitting in a dark room…[T]he weary system cracker telnets to the next faceless .mil site on his hit list.”

    -Improving the Security of Your Site by Breaking Into it (1993)

On November 2, 1988, the infamous Great Worm wreaked havoc on a fledgling Internet. Robert Tappan Morris, Jr, who became the first person indicted under the relatively new Computer Fraud and Abuse Act, claimed in Court he was trying to, “demonstrate the inadequacies of current security measures on computer networks by exploiting…security defects.”

There certainly are better ways to point out security flaws than to launch a devastating malware attack. That said, how exactly do you figure out what might be exposing your computers and networks to threats?

Enter White Hat Hacking.

The term ‘hacking’ has a bad rep these days, and I’ve fundamentally given up trying to convince clients and students that it actually is an age-old, honorable role in our modern society (as opposed to ‘cracking’, like bad guys do to safes and data centers). There are indeed ethical hackers out there, protecting us by looking at bugs in code, finding weaknesses in our defenses, and informing the wider community.

One tool in the Good Guys’ arsenal is penetration testing. We’d prefer to discover our own vulnerabilities so incidents can be reduced in frequency and scope of impact, and trying to break into our own systems is a great approach.

Recently, the Federal Health and Human Services Office of Inspector General (OIG) released a report summarizing the, “penetration testing of eight HHS operating division networks.” Those tests were conducted by a third-party contractor and revealed that these organizations, “needed improvement to more effectively detect and prevent certain cyberattacks.” HHS now has four specific recommendations to address the findings so the department can better safeguard their sensitive data.

Not long thereafter, Oregon’s Department of Human Services announced that they had experienced a breach that potentially exposed 1.6M clients’ Personally Identifiable Information (PII), including full names and SSNs. One hopes the state will not only engage in a vigorous forensic investigation after the fact, but also work more aggressively to detect issues through their own pen-testing regime with a trusted external organization to mitigate future problems.

We must keep in mind, however, that such testing can’t prevent all leaks of private information. For instance, the Federal Emergency Management Agency exposed PII of disaster survivors according to the Department of Homeland Security’s OIG report last month. This incident was the result of an internal process failure rather than any malicious attack, which teaches us that in addition to ethical hacks of our own facilities, we require a compliance regime which examines policies and procedures and includes security awareness training to ensure they are followed properly.