Lance Bellers - Fotolia

U.S. government cybersecurity is a mess, according to officials

News roundup: John McCain, NIAC and others called out the administration for not doing enough on U.S. government cybersecurity. Plus, the Ropemaker exploit alters emails, and more.

Senators and government officials are calling out the U.S. government, as it struggles to make any real movement when it comes to cybersecurity.

During a talk at a cybersecurity conference at Arizona State University, Sen. John McCain (R-Ariz.) criticized President Donald Trump and his administration for not doing more in regard to U.S. government cybersecurity. McCain called the administration's leadership on the subject "weak," and he noted that the president has yet to follow through on his promise to present a plan to improve cyberdefenses within the first 90 days of taking office.

"Unfortunately, leadership from the executive branch on cybersecurity has been weak," McCain said, according to a statement from the senator's office. "As America's enemies seized the initiative in cyberspace, the last administration offered no serious cyber deterrence policy and strategy. And while the current administration promised a cyber policy within 90 days of inauguration, we still have not seen a plan."

McCain discussed the work that the Senate Armed Services Committee, of which he is the chairman, has been doing to improve U.S. government cybersecurity within the Department of Defense (DOD) and the military over the last few years, citing recent cybersecurity legislation, including bills that established Cyber Command and mandated that the DOD evaluate cybervulnerabilities of every major weapons system and critical infrastructure in the U.S.

"But despite the significant progress we have made at DOD," McCain said, "much remains to be done, especially in the coordination of a whole-of-government approach to defending the homeland from cyberattacks."

Also this week, the president's National Infrastructure Advisory Council (NIAC) published a draft of a report examining how federal resources can be used to improve the cybersecurity of "high-risk assets." The NIAC also called out the U.S. government for not doing enough.

"We believe the U.S. government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyberattacks -- provided they are properly organized, harnessed, and focused," the report said. "Today, we're falling short."

The report said there is only a narrow window of opportunity to improve U.S. government cybersecurity before a "watershed, 9/11-level cyberattack" strikes the country and its critical infrastructure.

The NIAC had nearly a dozen recommendations to begin improving the U.S. government cybersecurity stature, including establishing better protocols to "rapidly declassify" cyberthreat information, as well as strengthening the cyberworkforce by sponsoring a program that gets public- and private-sector experts to work together.

In a separate statement, Rob Joyce, the White House cybersecurity coordinator, echoed the sentiment, saying the U.S. needs an additional 300,000 cybersecurity experts to protect the country.

Joyce also recommended the American public not use security software from Kaspersky Lab. The Russian antivirus provider has been in the spotlight for alleged ties to the Russian government. This skepticism and caution against using Kaspersky lab products is not supported by any public evidence, and the company's founder has denied the allegations.

However, Joyce was clear in his statement to CBS News, saying he wouldn't advise his friends or family to use Kaspersky Lab software.

"I worry that, as a nation state, Russia really hasn't done the right things for this country, and they have a lot of control and latitude over the information that goes to companies in Russia."

In other news:

  • Facebook awarded $100,000 to a group of researchers who identified a way to detect credential spear-phishing attacks in enterprises in real time. The money was given to the researchers as part of its annual Internet Defense Prize partnership with the USENIX Association. The research team -- Grant Ho, University of California, Berkeley; Aashish Sharma, Lawrence Berkeley National Laboratory; Mobin Javed, University of California, Berkeley; Vern Paxson, University of California, Berkeley and International Computer Science Institute; and David Wagner, University of California, Berkeley -- presented their findings at the USENIX Security Symposium in Vancouver, B.C. Compared to a traditional spear-phishing detection method, the researchers said the new technique, called Directed Anomaly Scoring, detects nine times as many attacks. They also said an analyst would be able to look into a month's worth of attack alerts in just 15 minutes. Facebook was drawn to this technique because of its applicability to social-engineering attack detection.
  • Users of the Enigma cryptocurrency investor platform were tricked into giving around $500,000 to attackers. The attackers gained access to the Enigma domain and a Slack administrator account, and they were able to use that information to send phishing emails to Enigma users. The targeted users received emails shortly before Enigma's Token Sale -- also called an initial coin offering (ICO) -- offering them token sales prior to the ICO. Some users believed the phishing scam and sent their cryptocurrency to wallet addresses controlled by the attackers. While Enigma detected the attack immediately and sent out warnings to its users not to fall for the scam, the message didn't reach them all in time. The attackers were able to get around $500,000 in Enigma's cryptocurrency, Ethereum.
  • A new attack called Ropemaker can change the content of an email after it's delivered to add malicious URLs. Email security company Mimecast explained in a blog post that "this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security savvy users. Ropemaker could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited." The company also noted that it hasn't seen any exploits of Ropemaker in the wild yet, but it still undermines the assumption that emails cannot be altered after they are sent.

Next Steps

Learn more about the executive order Trump signed on cybersecurity

Find out what effect a federal CISO has on government cybersecurity

Check out what else Rob Joyce has in mind for government IT security

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing