DHS Cyber Chief Explains Issuing Emergency Directive During Shutdown

The Homeland Security Department’s lead cybersecurity official outlined the rationale behind issuing an emergency directive with a list of actions and a tight deadline for agencies to comply, all while the government feels the pressure of a more than month-long partial shutdown.

The newly named—and elevated—Cybersecurity and Infrastructure Security Agency issued its first emergency directive to federal agencies this week, giving agencies 10 days to review their Domain Name System records for signs of potential hijacking, reset passwords and to implement stronger security settings.

“We took this action after carefully considering the current and potential risk posed to federal agencies,” CISA Director Chris Krebs said in a blog post Thursday. “Because it’s our responsibility to take actions to protect federal systems, we felt an urgent response was required to address the risk.”

As part of a campaign linked to Iranian hacking groups, bad actors have been seen using compromised administrative credentials to access networks of governments across the globe and reroute traffic through the attackers’ systems, giving them full access.

“This is roughly equivalent to someone lying to the post office about your address, checking your mail and then hand delivering it to your mailbox. Lots of harmful things could be done to you—or the senders—depending on the content of that mail,” Krebs said, explaining the need for an emergency directive at this time.

While Krebs did not confirm any instances of U.S. government agencies being affected, he said Homeland Security officials are working to “assess the impact on federal infrastructure.” While that potential impact is unclear, “we know enough to be concerned,” he wrote.

Krebs offered an itemized list of concerning facts:

• We know an active attacker is targeting government organizations.
• Using techniques that aren’t especially innovative, we know they can intercept and manipulate legitimate traffic, make services unavailable or cause delay, harvest information like credentials or emails, or cause a range of other malicious activities.
• We know that this type of attack isn’t something many organizations monitor for or have tight controls around.

The emergency directive gives agencies until Feb. 5 to get through four actions to review and secure their DNS records, actions security researchers say are the right first steps in combating this widespread campaign.