This blog was written by Scott Montgomery, McAfee’s previous vice president and chief technology officer of public sector.
Much has been written in a variety of news, financial, and political publications about the effects upon the populace and economy as a result of the October 2013 government shutdown. From thousands of children having their “Head Start” programs terminated to poultry and meat inspections potentially not occurring, to a $2 billion to $6 billion loss to GDP, the government shutdown took a hefty toll and was universally regarded by both politicians and citizens as a practice that should never be repeated.
One unforeseen technical consequence of the government shutdown was the assistance it gave to cybercriminals by reducing the effort required to identify critical federal human resources. For instance, in the attack chain model, the very first and most time consuming step for adversaries is identifying the ideal personnel in the target organization that are critical, or essential, because of the value of their compromised credentials. The goal is to identify those department or agency employees who manage critical assets in order to create attacks upon them personally to leverage their knowledge and privileges against the organization.
In the 2013 federal government shutdown, “non-essential” personnel were furloughed, or told to stay home during the first few weeks of October 2013. This meant that adversaries doing surveillance of government buildings were able to narrow down their physical reconnaissance of individuals to the “essential” employees who still went to the office. These furlough-exempt employees constituted a target-rich environment for adversaries because of the functions they perform: those that provide for national security; benefit payments; protection of life and property, including safe use of food, drugs, and hazardous materials; safety of transportation, border, waterway and coastal surveillance; criminal investigations; disaster assistance; and activities essential to the money, banking, and tax collection systems.
Since the shutdown, there’s been a recent spate of breaches at a variety of different government organizations: State Department, White House, OPM, USPS, and NOAA. Certainly the reduction in adversarial reconnaissance effort could be a factor in the identification of the critical personnel leveraged as part of the breaches into these organizations.
As the government begins another time period where sequestration and a shutdown aren’t out of the realm of possibility, the question must be asked: Is it possible to furlough “non-essential” personnel without creating an adversaries’ target list? How is it possible to prevent physical reconnaissance of employees identified by public processes to be “essential” to government functions? Or is it more feasible to simply look at the credentials and privileges of “essential” personnel in order to ensure that their credentials can’t be leveraged as easily against their department or agency?
In the next installment of my blog, I’ll discuss a few ways for federal organizations to look at better ways to protect the credentials of “essential” personnel and recognize improper use sooner.