
Lawmakers Criticize Treasury Department for Taking Two Months to Fix Hole in Government Encryption

Lawmakers on a House Oversight subcommittee criticized a Treasury Department official Wednesday over the slow roll-out of patches for a flaw discovered last December in encryption software used by the government, a fix the department took more than eight weeks to complete.

Texas Republican Rep. Will Hurd demanded to know why the Treasury Department, headed on the technology side by Chief Information Officer Sanjeev Bhagowalia, took two months to update virtual private network software developed by Juniper Networks after the company discovered an unauthorized backdoor in it last year.

“Of the 12 agencies affected, three, including the Department of Treasury, took longer than 50 days to fully install patches and mitigate the threat posed by this vulnerability,” Hurd, chairman of the Information Technology Subcommittee, said during a committee hearing Wednesday. “This is absolutely unacceptable.”

Bhagowalia said the department had implemented 25 percent of the most critical patches within one day, 84 percent within a week and the rest within just over eight weeks. The CIO explained that while 40 of the 57 devices running the software were classified as high risk, only two of them, at the U.S. Mint and the Bureau of Engraving and Printing, were connected to the Internet.

“Within a couple of hours after the vulnerability was announced by the equipment manufacturer, the Treasury SOC [security operations center] alerted bureau-level SOC counterparts to the vulnerability and to the mitigation instructions provided by the vendor,” Bhagowalia said in his testimony. “Thanks to the quick action of the Treasury SOC and the bureaus’ SOCs, remediation was already under way by the time government-wide alerts to patch vulnerable appliances were issued.”

He added that no data was compromised or stolen via the vulnerability, which had been present in the software for the last three years and which some speculate was intentionally planted by a foreign government. He conceded the department should have been more proactive in patching all vulnerable systems.

“How would you know if something was taken or not?” Hurd said.

The Texas Republican pressed Bhagowalia on why the department was still using so-called “legacy” systems that no longer receive updates from the manufacturer, an issue highlighted government-wide since the massive breach discovered last year at the U.S. Office of Personnel Management.

Bhagowalia said such systems only make up a “small percentage” of those within the department.

In December Juniper announced it had uncovered “unauthorized code that could allow a knowledgeable attacker to gain administrative access” to certain devices and “decrypt VPN [virtual private network] connections.”

Numerous government agencies and private companies have run the affected operating system, called ScreenOS, for the last three years. One government official likened the vulnerability to “stealing a master key to get into any government building.”

Documents leaked by National Security Agency whistleblower Edward Snowden indicate the NSA may have known about a version of the flaw in the software’s random number generator in a prior release in 2011; however, officials said the backdoor was not planted intentionally by any U.S. agency.

Juniper released a patch for the vulnerability days after the announcement in December and, earlier this month, replaced the NSA-approved random number generator with code from another product line over concerns that the NSA intentionally left or exploited the flaw, indirectly leaving it for others to find.

The FBI launched an investigation into the vulnerability for any evidence of use by hackers to access classified information, but said the findings could take time to determine because of the technology’s broad deployment across federal networks.

The House Committee on Oversight and Government Reform sent letters to 24 federal agencies in January asking about the use of the affected encryption technology.

ThreatConnect CIO Richard Barger, another witness at Wednesday’s hearing, agreed the hack was likely the work of a nation state due to the technical prowess needed to keep it hidden for so long.

While a representative for the Department of Homeland Security sympathized with Juniper as the “victim” in the hack and praised the company’s response, California Democrat Rep. Ted Lieu, who holds a degree in computer science from Stanford, criticized the company for declining to appear at the hearing.

“Juniper is not the victim in this case,” Lieu said. “The U.S. government and the American people are.”

“I find it disrespectful that they did not come here to testify,” he added. “It insinuates they have something to hide.”

Follow Giuseppe on Twitter

Education Department Called Biggest Cyber Risk Since OPM

House lawmakers accused senior Education Department officials Tuesday of incompetence and engaging in ethics violations instead of addressing vital cybersecurity flaws — issues they claim have put the personal and financial data of millions of Americans at risk.

The Department of Education is one of a number of federal agencies identified in years’ worth of inspector general reports as a cybersecurity risk, and one of only three departments whose percentage of users employing two-factor authentication actually dropped during the White House’s “Cyber Sprint” last summer, launched after the Office of Personnel Management hack.

The department went from 71 percent before the sprint to 57 percent after. For privileged users, it fell from 14 percent to 11 percent.

According to lawmakers on the House Oversight Committee, those failings are in part due to the actions of Chief Information Officer Danny Harris, who has been accused of numerous ethics violations and subjected to corrective action at the department for involving subordinates in personal business ventures, neglecting to report outside income, lobbying to give a friend’s business an Education Department contract and backchanneling a job offer at the department for a family member.

“Taxpayers deserve the best in our CIOs, but they are not getting the best at the U.S. Department of Education,” Utah Republican and House Oversight Chairman Jason Chaffetz said of Harris, who has reportedly received more than $200,000 in bonuses from the department. “The morale in the office of the CIO is at an all-time low due to the dysfunctional environment Mr. Harris has cultivated.”

Chaffetz was one of the chief critics of OPM leadership in the fallout of the massive hack revealed last year that exposed data on 20 million past and present federal employees. Weeks ago he warned that the diversity of contractors handling student data and weak cybersecurity in the department’s systems and servers threatened to put at risk the private information, including Social Security numbers and loan information, of 139 million Americans, along with $1.2 trillion in loans held by 40 million federal student loan borrowers.

“Mr. Harris has served as the chief information officer since 2008, and by virtually every metric he is failing to adequately secure the department’s systems,” Chaffetz said during Tuesday’s hearing.

Deputy Inspector General Sandra Bruce testified Harris convinced subordinates to help him run a home theater installation and automobile detailing business, some of whom were also clients. He neglected to report at least $10,000 in outside income to the agency or on his taxes and used his government email account for private work. Harris also sat on a panel that eventually awarded a department contract to a business owned by a friend, and made a personal loan of $4,000 to a subordinate.

Florida Republican Rep. John Mica quipped “CIO” in Harris’ instance must stand for “chaos, ineptness and outrage.”

“I don’t think you can find any more ineptness or misconduct in any senior official before us,” Mica said, inquiring who was responsible for handing out bonuses while Harris was engaged in such activities.

“You’re a very, very busy man,” Democratic Rep. Carolyn Maloney said. “I can understand how there are cyber problems at the education department.”

Harris apologized for the misconduct uncovered in the investigation the department’s inspector general began in 2013, and acting Education Secretary John B. King Jr. testified he had counseled Harris on the ethics violations. The Justice Department eventually declined to prosecute Harris, leaving the matter to corrective action from his superiors.

“I view my behavior as unacceptable, and I have learned from this experience,” Harris said, claiming the theater installation and auto detailing were just hobbies he has since discontinued. The CIO added that he is no longer friends with the head of the company that received the department contract, has updated his financial disclosures, and merely inquired about the job for a family member without any involvement in the hiring process.

Harris went on to tout his agency’s progress on cybersecurity, including establishing a new cyber-focused team that meets weekly and raising the share of privileged users employing two-factor authentication from 11 percent at the end of the Cyber Sprint to more than 90 percent currently.

“I don’t buy it,” Chaffetz said of Harris’ explanations for his misconduct. “You’re one of the only agencies that during the cyber sprint went down.”

“We need to ensure that this is the leadership team that can put the tools and processes in place to ensure that we aren’t back here again in a month or two months to talk about a data breach at the Department of Education,” Texas Republican and information technology subcommittee chair Rep. Will Hurd said.


Chaffetz on OPM Hack: ‘You Failed Utterly and Totally’

Congress held its first hearing Tuesday to investigate the massive hack and data theft from the U.S. Office of Personnel Management disclosed by the administration last week, which compromised the personal information of millions of federal employees.

The House Committee on Oversight and Government Reform held the first of what will likely be a number of hearings Tuesday morning to hear testimony from OPM administrators on the hack.

“This has been going on for years and it is inexcusable,” House Oversight Committee Chairman Jason Chaffetz said in his opening statement. “According to the last eight years of [inspector general] reports, OPM’s data security posture is akin to leaving all the doors and windows open in your house and expecting nobody would walk in and nobody would take any information.”

Chaffetz pointed to an OPM IG report from 2007 describing the agency’s data security as “a material weakness,” and additional reports from 2009 to 2014 elaborating on the increased threat posed by those and other subsequently identified information security weaknesses.

Those include 11 of OPM’s 47 major systems, or 23 percent, which the IG said “lacked proper security authorization” and were “completely outdated and undone,” according to Chaffetz. Five of those systems reside within the office of OPM Chief Information Officer Donna Seymour, the official charged with ensuring data security at OPM. As of November 2014, more than 65 percent of all programs operated by OPM resided on two of the systems without valid security authorization.

“This has been going on for a long time, and yet when I read the testimony that was provided here, we’re about to hear, ‘Hey, we’re doing a great job,'” Chaffetz said. “You’re not! It’s failing! This went on for years, and it did not change.”

“For any agency to disregard its data security for so long is grossly negligent. The fact that the agency that did this is responsible for maintaining highly sensitive information for almost all federal employees, in my opinion, is even more egregious.”

Despite the government spending $80 billion on information technology last year, Chaffetz said the state of cybersecurity across the government is unacceptable, and pointed to a number of recently reported hacks at the White House, State Department, U.S. Postal Service, IRS and the Nuclear Regulatory Commission.

“It stinks! It doesn’t work!” Chaffetz said. “Through the years, it has been a complete and total, utter failure.”

According to officials, the personal information of 4.2 million employees, including Social Security numbers, dates of birth and other background information, was compromised in the hack. Some expect that number could reach 14 million over the course of the investigation, and include not only current and former federal employees but federal contractors as well.

A further disclosure from investigators Friday acknowledged a second security breach at OPM, exposing the information of millions of security clearance-wielding defense and intelligence agency federal employees. Investigators suspect China is involved in both incidents, though the evidence in the second breach is less clear.

Included in such security clearance applications are the most intimate details of federal employees’ lives, including disclosures about histories with drugs, alcohol and sexual relationships — information often sought by foreign governments to use as blackmail in coercing federal employees to become informants.

“I sought advice from some of the nation’s top information security experts in private business and government,” Maryland Rep. Elijah Cummings, the ranking Democrat on the committee, said in his opening statement about his past efforts to secure Americans’ data. “These experts warn that we cannot rely primarily on keeping the attackers out. We need to operate with the assumption that the attackers are already inside.”

In a heated exchange between Chaffetz and OPM Director Katherine Archuleta, the chairman asked the director why she failed to heed a warning from the agency inspector general last year to shut down servers deemed vulnerable, and why those servers, which contain data on federal employees dating back to 1985, weren’t encrypted.

“Data information encryption is a valuable –” Archuleta began.

“Yeah it’s valuable, why wasn’t it?” Chaffetz interrupted. “We didn’t ask you to come read statements, I want to know why you didn’t encrypt the information.”

“An adversary possessing proper credentials can often decrypt data,” Archuleta said. “It is not feasible to implement on networks that are too old.”

Some of those networks include “legacy systems” too outdated to implement contemporary security standards, according to Archuleta. The director added that shutting down the systems would have meant halting critical OPM functions, including providing benefits to retired employees.

Archuleta and others on the panel testified that security measures like encryption weren’t implemented because officials believed the data could have been decrypted in the event of an intrusion anyway, and that encryption wouldn’t have protected the data that was stolen. The director said that since the hack, OPM has implemented two-factor authentication for access to OPM systems.

“Okay well it didn’t work, so you failed. You failed utterly and totally,” Chaffetz said. “The inspector general was right. Your systems were vulnerable. The data was not encrypted, it could be compromised, they were right last year. They recommended it was so bad that you shut it down, and you didn’t. And I want to know why.”

“There are many responsibilities we have with our data,” Archuleta said. “And to shut down the system, we need to consider all of the responsibilities we have with the use of our systems.”

Other committee members shared Chaffetz’s skepticism of Archuleta’s judgment and of her reasoning behind the decision to leave the systems operational despite years of warnings from the IG.

“This is one of those hearings where I think I am going to know less coming out of this hearing than I did when I walked in, because of the obfuscation and dancing around that we’re all doing here,” Massachusetts Democratic Rep. Stephen Lynch told the panel, many of whom deferred answering questions until a classified briefing on the Hill later Tuesday.

“As a matter of fact, I wish that you were as strenuous and hard working at keeping information out of the hands of hackers as you are keeping information out of the hands of Congress.”

Archuleta insisted she and the IG were working “to the best of our ability” to implement the IG’s recommended changes.

“That’s what frightens me, Mrs. Archuleta — this is the best of your ability,” South Carolina Republican Rep. Mick Mulvaney told Archuleta.

“In national security, it’s got to be zero tolerance,” California Democratic Rep. Ted Lieu told the panel. “When you have a culture problem, as we have had here, in the past when agencies have had this, leadership resigns or they’re fired.”

“I’m looking here today for a few good people to step forward, accept responsibility, and resign for the good of the nation.”
