Cybersecurity

Feds need to start thinking like hackers

Most government employees do not consider their usernames and passwords to be hot commodities, but that attitude began to change with a network attack on security contractor HBGary Federal. In early 2011, members of the hacker activist group Anonymous leaked an executive's email exchanges with FBI, Homeland Security Department and other government officials that contained their contact information.

"When you expose somebody's personal email messages, you're not just exposing their email but the email of everyone who interacted with them," says Mark D. Rasch, a former Justice Department computer crime investigator. "This is a question of national security and national integrity."

Increasingly, this scenario is playing out at government agencies worldwide. Federal protective details pack guns, government buildings have security guards, but online, public officials are more exposed. The motives for pilfering private data vary: The intruders do it for government secrets, social justice, street cred--even rent money. For some hacktivists "it's kind of extortion," says Chris K. Ridder, a San Francisco-based privacy and Internet law attorney. "They'll issue a list of demands, and if those demands aren't met they'll release embarrassing information."

Gregg Housh, a computer engineer affiliated with Anonymous, argues the HBGary dumping revealed corruption within the company and improper contracting practices. As for the innocent federal employees caught in the crossfire, "exposing the data is only showing you that your data is already out there" insecurely, he says. If Anons can exfiltrate emails, so can the professional bad guys who do this for a living, Housh adds.

"Every public official should assume that any of their electronic accounts are potential targets for hackers," says Nathan J. Hochman, a former assistant attorney general for Justice's tax division. "Public officials and celebrities have no choice but to be very vigilant over their electronic information to make sure there is privacy." While he was never hacked, there's no way of knowing if, say, a tax cheat attempted an attack. "If I was targeted, I wasn't successfully targeted," says Hochman, currently a partner at the law firm Bingham McCutchen LLP.

Prison time has not been much of a deterrent to hackers. Only a handful of hacktivists have been arrested, and some culprits are not afraid to go to jail, says a former federal official who asked to remain anonymous. For every one or two criminals the government is catching, there are probably dozens slipping through the cracks, he says. While prosecuting individuals is hard under the current legal regime, the instigators are eventually found out, Ridder says. He points to the firing of State Department contractors who improperly accessed the passport files of then-Sen. Barack Obama, D-Ill., and Sen. John McCain, R-Ariz., during the 2008 presidential campaign.

Congress is working on legislation to stiffen consequences for computer fraud. Legal experts say the punishment should fit the crime so that, for example, young people acting out of civil disobedience, who may not know the penalties, aren't thrown in jail for a decade or forced to pay hundreds of thousands of dollars. Lawmakers and courts have to find the middle ground, experts caution.

"A denial-of-service attack is kind of akin to sitting in front of a building--which is illegal," Ridder says. But we also "want to be careful about stifling legitimate political protests. The Anonymous style or Occupy Wall Street style of attack, these are much harder to think about than Russian criminal hackers."

Victim or Villain

A common thread among these breaches is the exploitation of trust. The rise of social networking has incited social engineering, or tricking a computer user into disclosing confidential information.

Former Anonymous member Jennifer Emick says government employees often victimize themselves when they are careless with government credentials in their personal lives. In her past work, Emick, now a security consultant, noticed at least two people had registered on pornography websites using dot-gov email addresses and passwords. Some porn sites are run by hackers or have been breached by hackers, she says. A few of these operators have tried entering clients' passwords into their corresponding work accounts to see if that would grant access to government databases. The trick worked at the Arizona Department of Public Safety, say current and former Anons. Anonymous offshoot LulzSec took credit for releasing hundreds of personal email correspondences, phone numbers, addresses and passwords belonging to state law enforcement personnel.

"If you are going to sign up for a porn site, use a throwaway email account, not your real email," says Emick, who cut ties with Anonymous after growing concerned about stunts she says verge on criminal.

Threatening to go public with feds' personal data is not a recent phenomenon. Former FBI Director J. Edgar Hoover allegedly dangled the dossiers of his political enemies in front of the press to keep opponents in check. A Bush administration official leaked to a columnist the identity of Valerie Plame, then a covert CIA operative, to discredit her husband, a critic of the White House's foreign policies. "This type of tactic is only new in that the technology has changed and private information is more difficult to control," says Jack Lerner, a technology law professor at the University of Southern California. In a digital environment, it's probably easier to obtain sordid details on politicos than it was in J. Edgar's file cabinets. And, with insta-blogging, it's much simpler to make the secrets go viral than it was during the Plame scandal last decade.

"It could make public service a little bit scarier than 10 or 20 years ago," Lerner says. "How does this affect who decides to be a public servant?"

Scaring away certain officials from working in the government is an intended consequence, and "that's actually a good thing," notes Housh, who says he is not involved in Anonymous' exploits. Individuals unwilling to be transparent should not be running for office or applying for federal jobs, he says, adding that "the government should be accountable to the people and the people should have control of the government and not the other way around."

'Think Like a Hacker'

There's no product that can prevent hackers from plastering passwords and usernames on the Web, security experts warn. "You can't just throw technology at the problem. You can't just say we need more people . . . you have to think like a hacker," says Rasch, who is now director of cybersecurity and privacy consulting at CSC. To that end the government has been trying to recruit so-called ethical hackers--alternately referred to as white hats, penetration testers or hunters--who are paid to gain unauthorized access to computers. Because the job requires advanced technical skills, ethical code breakers are in high demand and can pull in pay packages close to $175,000 per year, say cybersecurity specialists. Partly for recruitment, federal officials last summer visited kids at the annual hacker conference DEF CON in Las Vegas to encourage them to use their password cracking powers for the greater good.

Housh says some hackers would align themselves with the feds if computer fraud laws targeted the right people. Inept investigators are apprehending innocuous pranksters at the outskirts of the illicit activity, he says, citing the mistaken arrest of one Anonymous follower who had the same username as a more nefarious programmer. "Oh, you want me to go sit at a desk in some stuffy office and go after people who I don't think are bad?" Housh mocks. "I don't want to do that for a living. I'd probably jump off the building in a couple of years."

Instead, federal cybercrime investigators need to come up with a greater purpose, perhaps the quest to stop human rights violations or foreign strikes on U.S. infrastructure, he suggests. "If things were more fair and they had a clue about what they were going after . . . if you aim hackers at something that they really hate, like child pornography, they could be really useful to you guys," he says.

Climate of Fear

Although there's no tool or law that can stop every leak, advances in technology can help reduce the risks. "In the past, let's say you got into the house, it meant you could get into every bedroom," Hochman says. But with password-protected applications and digital ciphering, "now if you get into the front door, it means that every individual door has a lock . . . Yeah, they got into the house, but they didn't get into the information." Housh says some hacktivists would welcome improved safeguards in the public and private sectors. "I actually would prefer if Anonymous were to target a company and they could not get in. It would prove that security measures were in place," he says.

The Obama administration is pushing a potentially stronger form of online ID protection that involves outsourcing credentialing to trusted, commercial providers, like Google and Verizon. But there is no such thing as a completely secure network, Verizon's chief identity strategist Tracy Hulver acknowledges. "At the end of the day, if somebody really wants to attack you and they have the resources they are going to do it," he says. "If anybody ever stands up and says it won't happen to me they are just asking for it."

Caving to hackers' wishes or, alternatively, getting off the Internet aren't solutions to the problem either. "That's one of the things that worries me--the climate of fear," Ridder says.

As a computer fraud investigator, Rasch admits he was concerned about hackers attacking him personally. The unease, however, had the positive effect of ensuring a careful, equitable investigation. "All that led me to do was follow my own instincts and do what I thought was fair," he says. "I didn't want to annoy this group."

The government should and will continue to invest billions of dollars annually in protecting federal networks, despite economic uncertainty, according to administration officials. Maybe even because of economic uncertainty, funding will be retained. Outsiders increasingly are cribbing online identities to crack open the control systems operating the nation's stock markets, hospital intake systems and other critical infrastructure, or at least they are trying. Beyond intimidation, there's a financial incentive to pocket a U.S. official's computer credentials. On Christmas Day 2011, in a scene out of Robin Hood, hackers purporting to be Anons retrieved credit card data from subscribers--federal customers included--to security intelligence provider Stratfor to make charitable donations.

"The second part is flat-out theft: You can wire transfer funds, you can create a fictitious contract proposal, you can create a whole contract award," Rasch says.

Having multiple layers of defense is the best approach to lock down identities without restricting connectivity, security experts say. During the past year, the federal government has made tremendous strides in setting standards, establishing best practices and even heightening alertness, they note. "The answer lies with being aware, being prepared and not having a false sense of security," Rasch says. "You're never going to get to a zero-risk environment. We need to be able to communicate."
