The Transportation Department started with a bug hunting campaign that turned up unexpected vulnerabilities in headquarters computer systems.
Within Vicki Hildebrand’s first three months as chief information officer of the Transportation Department in 2017 and 2018, various component agencies were hit with three separate ransomware attacks.
The attacks were low-grade and not targeted—enough to disrupt the work of some staff but not to disrupt the network at large, Hildebrand told reporters on the sidelines of the Billington Cybersecurity Summit Thursday.
The experience, however, convinced Hildebrand, who’d recently left the private sector after 30 years at Hewlett Packard Enterprise, that she needed to launch a full review of the department’s cybersecurity.
What she found surprised even her.
Hildebrand contracted with the bug hunting firm Synack to search for vulnerabilities in computer systems that run in the Transportation secretary’s office.
Synack offers crowdsourced computer vulnerability hunting and penetration testing. It’s a process that’s similar to a bug bounty, but instead of opening up the testing to the broader public, the hunting is done by Synack’s own team of in-house hackers.
Hildebrand decided to start with headquarters computer systems because she thought they were more secure than many of the systems in Transportation’s component agencies.
“We started with software we thought was rock solid,” she said. But that confidence turned out to be unjustified.
“There were vulnerabilities we didn’t realize,” she said.
Not only were there previously unknown vulnerabilities inside the headquarters systems, but there wasn’t an easy fix for them, Hildebrand said.
Her solution was to dedicate a team to “whacking these things when they’re identified” rather than relying on regular patching schedules.
Now that headquarters systems have been vetted, Hildebrand plans to launch a “cleansing program” across the entire department that will include crowdsourced bug hunting at select agencies, she said.
It’s not clear yet which agencies that bug hunting will cover, though it’s unlikely to include the Federal Aviation Administration, which has traditionally had a stronger IT infrastructure than other Transportation components, she said.
“We’ve gotten our arms around this initial experience,” Hildebrand said. “We’re learning from it and we’re in the process of designing [the cleansing program] now.”