Are Federal Agencies Prepared to Stop Ransomware?
DHS's Response About Infections on Federal Computers Leaves Questions Unanswered
Revelation of 321 attempts to place ransomware on federal government computers in the second half of last year raises a number of questions about the effectiveness of the Einstein intrusion detection and prevention system, as well as how the government responds to such attacks.
The Department of Homeland Security last week in a written response to questions posed by the ranking member of the Senate Homeland Security and Governmental Affairs Committee - Sen. Tom Carper, D-Del. - said 29 federal agencies were targeted with ransomware 321 times between June and early December of 2015 (see Ransomware: Attacks Against Government Agencies Widespread).
In its response to Carper, DHS said that not all of the incidents resulted in computers actually being infected with ransomware. "Some incidents included reports of attempted infection, such as phishing emails intended to deliver ransomware, or ransomware that was detected and eliminated by the agency's internal security operations center," DHS said. "In the cases where agency systems were confirmed to be infected with ransomware, the majority of infections affected end-user workstations. In all cases, the system was removed from the network and replaced with a new, clean system with minimal impact to the user and agency."
DHS said it had not received any reports from agencies that they had paid a ransom. The department said it did not track the total amount of losses, such as the impact of lost productivity, caused by these reported incidents.
Homeland Security's response leaves many questions unanswered about the ransomware incidents, including how many computers were infected and whether Einstein, a federal system designed to detect and block cyberattacks targeting civilian agencies, successfully blocked any of the ransomware attacks.
Einstein, first developed in 2003, relies on known signatures to identify malware. Einstein also provides DHS with the situational awareness to use threat information detected in one agency to protect the rest of the government.
"E3A (Einstein 3 Accelerated, the latest iteration of the intrusion prevention system) provides perimeter protection for federal departments and agencies," DHS told Carper. "E3A's two capabilities are email filtering, which protects against the use of malicious file attachments and embedded links in email content, and Domain Name System sinkholing, which prevents malware already on a government computer from contacting its command and control servers."
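As an added illustration, not part of the original article or of DHS's own system, the following Python simulation shows the DNS-sinkholing idea the DHS statement describes: lookups of known command-and-control domains are answered with a sinkhole address, and each such lookup identifies a host that needs triage. The blocklist, sinkhole address, host addresses and query log are all constructed sample data, and the suffix-matching rule is an assumption for this example.

```python
# Constructed simulation of a DNS sinkhole as described for E3A: known C2 domains
# resolve to a sinkhole address instead of the real server, and every such lookup
# is logged so the querying host can be found and cleaned.
from collections import defaultdict

# Internal address that accepts but never answers C2 traffic (constructed value).
SINKHOLE_IP = "10.255.255.1"

# Constructed blocklist standing in for a signature feed of known C2 names.
C2_BLOCKLIST = {"bad-c2.example", "payload.example"}

# Constructed resolver log, one "<client_ip> <queried_domain>" per line.
QUERY_LOG = """\
10.1.2.10 updates.vendor.example
10.1.2.10 bad-c2.example
10.1.2.11 payload.example
10.1.2.12 intranet.agency.example
10.1.2.10 cdn.bad-c2.example
"""


def is_blocked(domain: str) -> bool:
    """True if the domain or any parent domain is on the blocklist (assumed rule)."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in C2_BLOCKLIST for i in range(len(labels)))


def resolve(domain: str, real_answer: str) -> str:
    """Answer a query: sinkhole address for blocked names, otherwise the real record."""
    return SINKHOLE_IP if is_blocked(domain) else real_answer


def triage(log: str) -> dict:
    """Map each client that looked up a blocked name to the names it queried.

    Only names already on the blocklist are caught; a C2 domain that is not yet
    known passes through unchanged, which is the signature-coverage gap the
    article raises about Einstein.
    """
    hits = defaultdict(list)
    for line in log.splitlines():
        client, domain = line.split()
        if is_blocked(domain):
            hits[client].append(domain)
    return dict(hits)


if __name__ == "__main__":
    for host, names in triage(QUERY_LOG).items():
        print(f"{host} attempted C2 lookup(s): {', '.join(names)}")
```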
I've asked DHS for more information about the ransomware incidents, but the department has yet to provide any details beyond its statement to Carper. Among the questions I posed:
- How many workstations were infected by the ransomware and from what agencies?
- Were the infected workstations restored with data previously backed up? Was any data lost due to ransomware?
- Besides workstations, what other types of computers - if any - did ransomware infect?
- What did the Einstein system do right to limit damage from the ransomware attacks?
- Where did Einstein fail to protect government computers against the ransomware attack? If it failed, why?
- Did some of the detected ransomware contain unknown signatures? If so, is that the reason they infected some computers?
- What lessons did DHS learn from these ransomware incidents to improve defenses against this type of malware?
Are expectations too high for Einstein to mitigate ransomware attacks? Perhaps.
"No defense is perfect - and that includes Einstein," says Philip Reitinger, president of the Global Cyber Alliance, who served as DHS deputy undersecretary for cybersecurity and director of the National Cybersecurity Center during the formative years of the Obama administration. "Certainly systems that detect or prevent intrusions can help stop ransomware attacks, but there are no silver bullets."
But detecting and preventing infections is only one part of dealing with a ransomware breach; responding to the infection is critical. Several former government officials contend that Einstein's performance matters less than other measures that make federal IT systems resilient.
"I wouldn't even tie Einstein to this situation," says former federal CIO Karen Evans. "The best solution to this situation is to have backups and test your disaster recovery plans. Ransomware is banking on the fact that you have no backups and you haven't thought through your contingency plans."
Response as Critical as Prevention
Paul Rosenzweig, former DHS deputy assistant secretary for policy, contends incident response to a ransomware breach is as critical as preventing it in the first place.
"We're focused on prevention, and very little on recovery," says Rosenzweig, a senior adviser to the security consultancy The Chertoff Group. Much of the government's cyberdefense efforts focus on intrusion prevention "and not remediating the inevitable failure," he says. "I'm all for resilience. Look, we just passed the Cybersecurity Act of 2015, the most modern, up-to-date thought we have in Congress about it [and] you can read the entire portion of that bill and not find the words 'resiliency' or 'recovery' anywhere."
How well are federal agencies performing in providing resilience and recovery? A September audit by the Government Accountability Office revealed that fewer agencies in fiscal year 2014 than in 2013 had implemented key elements of their business continuity and disaster recovery program. "Weaknesses in continuity of operations could lessen the effectiveness of agencies' efforts to successfully recover their systems in a timely manner after a service disruption occurs," Gregory Wilshusen, GAO director for information security issues, wrote in a report.
Clearly, much work needs to be done for the federal government to successfully mitigate the risk of ransomware - or, for that matter, other types of malware - shuttering government systems.