Decrypting outbound data a key to security

When researchers leave the Library of Congress, their bags are checked to ensure they’re not carrying out valuable documents. But not nearly enough federal agencies are doing the same with encrypted data.

Failing to decrypt and inspect outbound network traffic poses a security risk, says Randy Wood, federal vice president at F5 Networks, an application security firm.

Wood said he recently gave a briefing to military personnel and contractors at the Space and Naval Warfare Systems Command. The presentation covered the virtues of decrypting and inspecting outbound network traffic, and “it was as if people had seen fire for the first time,” Wood said at an Aug. 6 media briefing hosted by his firm. Firms like Wood’s could have much to gain commercially from greater federal focus on decrypting network traffic for threats.

The absence of decryption played a significant role in the recent hack of the Joint Chiefs of Staff’s unclassified email network, a former intelligence official familiar with the network told FCW. The Russian hackers believed to be behind the breach took advantage of encrypted traffic that the Joint Chiefs were not decrypting and inspecting, the former official said on the condition of anonymity. Moreover, the hackers could have been targeting the unclassified network in part because classified data occasionally spills onto it.

The broader subject of encryption has gotten more attention from lawmakers since the large-scale hacks of the Office of Personnel Management. Security practices such as encryption should “become the norm rather than the exception,” Rep. Elijah Cummings (D-Md.) said during a June 16 House Oversight and Government Reform Committee hearing. (A Department of Homeland Security official has nonetheless said that encryption would not have protected the data in the case of the OPM breaches.)

There is not much in the way of public measurements of how much federal network traffic is encrypted. Civilian agencies aside from DHS and the Justice Department are less likely to encrypt data at rest or in transit, according to Chris Cummiskey, a former DHS official turned IT security consultant. Agencies should prioritize more sensitive data for protection rather than rush to encrypt everything, he told FCW. “The government just doesn’t have a very good handle on the myriad datasets that they have in terms of prioritizing” what to secure, Cummiskey said.

Brian Taggart, a senior systems engineer at ClearShark, an IT vendor that works with F5 Networks, argues that the coming use of secure sockets layer (SSL), a common encryption protocol, for exfiltration in data breaches makes decrypting SSL traffic an imperative. “I think what’s most remarkable about some of the attacks we’ve seen in the last 18 months is [that] the data [exfiltration] was not SSL, but it’s going to be,” he said at the media briefing.

Malware recently uncovered by cybersecurity firm FireEye underlines that point. The malware, which the firm dubbed Hammertoss and linked to the Russian government, uses encrypted sessions on Twitter to relay commands and extract data from breached networks.