The Washington Post

The Cybersecurity 202: Trump's efforts failed to make critical infrastructure safer from cyberattacks, experts say

March 5, 2019 at 7:34 a.m. EST

with Bastien Inzaurralde

THE KEY

SAN FRANCISCO — The country's critical infrastructure is no safer from cyberattacks today than in May 2017 when President Trump signed an executive order pledging to better protect it, according to more than three-fourths of digital security experts surveyed by The Cybersecurity 202.

The results of The Network survey are a sharp rebuke to the Trump administration, which has made protecting critical infrastructure such as airports, hospitals and energy plants a cornerstone of its cybersecurity policy — and is touting its accomplishments at the RSA cybersecurity conference in San Francisco this week. 

“There is some good work being done by DHS and other agencies, but this needs to be a national priority with presidential leadership and it’s not,” said Chris Painter, a former State Department cybersecurity coordinator.

The Network is a panel of more than 100 security experts from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.) 

Some experts among the 78 percent who said U.S. critical infrastructure is not more secure today said the administration hadn’t done enough to achieve the goals outlined in its own executive order.  

That order called for agencies across government to use every authority at their disposal to help industry protect critical infrastructure. But most of the efforts in support of the order are still in their early stages — including a Homeland Security Department-led process to map industry’s most critical functions that are in need of the greatest protection.

“To make a major improvement in cybersecurity, the U.S. will have to make some strategic changes to how its digital ecosystem operates,” said former White House cybersecurity coordinator Michael Daniel.  

“That's not something that can be accomplished through an executive order alone,” said Daniel, who now leads the Cyber Threat Alliance, a cybersecurity information-sharing group.

Yet many also said it wasn’t just the Trump administration’s fault. Any improvements the United States had made in protecting critical infrastructure, several experts said, were simply outpaced by adversaries who were able to improve their digital attacks even more.

Dan Geer, the top cybersecurity official at the intelligence community venture capital firm In-Q-Tel, said critical infrastructure was less secure “but not because of any failure of diligence on the part of either the private or public sectors … Rather, [it’s] because our attack surface is growing faster than our diligence can grow.”

Anup Ghosh, a managing director at Accenture Security and a former DARPA official, said that threats against critical infrastructure — especially against energy utilities — are proliferating “and the industry is playing catch-up.”

Critical infrastructure is an official term DHS uses to describe 16 sectors where a physical or cyberattack would be particularly devastating for U.S. national and financial security. The list includes energy, communications, financial services and transportation, among others.  

Some other experts who said critical infrastructure was not more secure today were nevertheless complimentary about government’s efforts so far. Rodney Joffe, a senior technologist at Neustar, praised DHS for starting its new Cybersecurity and Infrastructure Security Agency — an updated and more limber version of its older cybersecurity agency — and for ramping up its collaboration with industry. “We are doing a better job,” Joffe said. “Unfortunately, the adversaries we face are continuing to evolve, and so it is really a continual battle to keep ahead.”

Suzanne Spaulding, a former Department of Homeland Security cybersecurity chief, said "elements of our critical infrastructure have undoubtedly improved their cybersecurity and, importantly, their resilience. Good work is being done at DHS and elsewhere to improve support to critical entities and identify essential functions, including high-priority supply chain risks. But our adversaries are moving ahead with malicious capabilities more quickly than we are advancing our defenses." 

Several experts within the 22 percent minority of experts who said critical infrastructure is more secure today than before the 2017 executive order pointed to specific areas where the Trump administration had made a concerted effort to improve some portion of critical infrastructure.

Sam Visner, who leads major federal cyber initiatives for the MITRE Corporation, pointed to DHS-led improvements in securing election infrastructure, which “appear to have been helpful in maintaining the integrity of the nation’s 2018 election.”

Matthew Eggers, director of cybersecurity policy at the U.S. Chamber of Commerce, pointed to Commerce Department efforts to establish minimum cybersecurity baselines for new generations of Internet-connected devices, such as “smart” speakers, cameras and car navigation systems.  

Other experts who said critical infrastructure is safer today, however, credited the companies that control that infrastructure rather than the Trump administration.

“In the Internet and cloud space, where ‘critical infrastructure’ is often directly governed by private companies, we’ve seen great strides by those companies to provide more safety and resilience,” said Andy Ellis, chief security officer at Akamai Technologies.

Mark Weatherford, a former top DHS cyber official, also said the Trump administration deserved less credit for security improvements than the private sector.

“I feel pretty confident in saying that board of director[s] and shareholder expectations have had more of an impact on private-sector critical infrastructure companies than the 2017 [executive order],” Weatherford said.

THE NETWORK

— More responses to The Network survey question on whether critical infrastructure cybersecurity has improved since the 2017 order:

  • No: “Cybersecurity largely results from the interaction of defenders' sophistication (which is rising), attackers' sophistication (which is also rising), and the size of the attack surface (which keeps expanding). When it comes to nongovernment systems (most of the critical infrastructure is in private hands), government is on the outside looking in.” — Martin Libicki, chair of cybersecurity studies at the U.S. Naval Academy
  • No: “The largest challenge in securing legacy critical infrastructure is visibility — it is my guess that a huge percentage of embedded devices within our nation’s energy grids and water utilities have already been compromised, with dormant implants sitting and waiting to be activated.” — Jay Kaplan, CEO at Synack
  • No: “The longer the United States waits to lead on the creation of international law forbidding cyberattacks and outlawing cyberweapons, the less safe our critical infrastructure becomes.” — Sascha Meinrath, an Internet freedom activist who teaches at Penn State
  • No: "What counts (or should count) as critical infrastructure is ever expanding. Can our commerce and societies function without access to our mobile devices or Google Maps, given that so many devices are permanently connected? Can our cars or even our refrigerators run without digital connectivity? Critical infrastructure now crosses the public-private divide, and it's not clear we're prepared to take that into account." — Betsy Cooper, director of the Aspen Tech Policy Hub at the Aspen Institute
  • Yes: “There has been good continuity across administrations on this issue. DHS has made notable progress in the past several years, particularly with its new congressional authorities to fully implement the CISA reorganization.” — Chris Finan, a former White House cybersecurity official who’s now CEO of Manifold Technology
  • Yes: “Awareness and attention to the issue is causing small improvements across the board. The key is to continuously make systems safer. They will never be fully safe. But they can get safer every day.” — Marten Mickos, CEO of HackerOne
  • Yes: “DHS is prioritizing areas that need immediate attention such as power, chemical and transportation, but much more will need to be done.” — Bobby Chesney, a former Justice Department official who directs the Center for International and Security Law at the University of Texas at Austin

PINGED, PATCHED, PWNED

PINGED: The National Security Agency has shut down an anti-terrorism program analyzing Americans' domestic call and text logs that had been disclosed by former intelligence contractor Edward Snowden, the New York Times's Charlie Savage reported. Luke Murry, national security adviser for House Minority Leader Kevin McCarthy (R-Calif.), said on the Lawfare podcast that the Trump administration has not used the program in months. “I’m actually not certain that the administration will want to start that back up,” Murry said, according to the Times.

A 2015 update to the USA Freedom Act brought changes to the initial program that Snowden disclosed in 2013. Part of the program, which started after the Sept. 11, 2001, terrorist attacks, involved the government's bulk collection of Americans' domestic call logs. Under the 2015 law, that data remained with phone companies but could still be accessed by the government. “Problems with the system emerged last year, when the National Security Agency said it had decided to delete its entire database of records gathered since the Freedom Act system became operational,” the Times reported.

PATCHED: Most states across the country are still using outdated voting machines that need to be replaced before next year's presidential election, according to an analysis released today by the nonpartisan Brennan Center for Justice at NYU School of Law. The center surveyed election officials across the United States and found that 121 officials in 31 states said they must replace voting equipment in time for the 2020 election. Moreover, 45 states still use voting equipment that's no longer manufactured, making it difficult for officials to find replacement parts for the machines. Officials from 254 jurisdictions in 37 states told the Brennan Center that they intend to buy new voting equipment.

Election officials said more funding is needed not only for upgrading voting systems but to fulfill other priorities such as recruiting additional IT support staff. “County election officials are literally on the front-lines defending our election equipment, yet they are frequently the least well-resourced offices,” Lawrence Norden, deputy director of the Brennan Center's Democracy Program, wrote in the report. Additional funding would also help for training staff, holding post-election audits and securing polling places and storage locations, election officials said.

PWNED: Chinese hackers have targeted a slew of universities in the U.S. and around the world, seeking to steal research about maritime technology being developed for military use, The Wall Street Journal's Dustin Volz reported. "The University of Hawaii, the University of Washington and Massachusetts Institute of Technology are among at least 27 universities in the U.S., Canada and Southeast Asia that Beijing has targeted, according to iDefense, a cybersecurity intelligence unit of Accenture Security. The research, to be published this week, is the latest indication that Chinese cyberattacks to steal U.S. military and economic secrets are on the rise." iDefense says the campaign dates back to at least April 2017. "The majority of the universities targeted either house research hubs focused on undersea technology or have faculty on staff with extensive experience in a relevant field, and nearly all have links to a Massachusetts oceanographic institute that also was likely compromised in the cyber campaign, iDefense said... Some have been awarded contracts by the Navy. Others, including Sahmyook University in South Korea, appeared to be targeted due to their proximity to China, and relevance to the South China Sea, the analysts said." 

In separate research, a Chinese state-sponsored hacking group has carried out cyberespionage operations with the aim of bolstering China's naval capabilities since at least 2013, the cybersecurity company FireEye said in a blog post. The group, which FireEye called APT40, has targeted the engineering, transportation and defense sectors. The hackers have taken aim at the United States, Britain, Germany, Saudi Arabia and several other countries. “APT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation, phishing campaigns delivering publicly available and custom backdoors, and strategic web compromises,” the researchers wrote.

FireEye researchers said they have “moderate confidence” that APT40 is a state-sponsored Chinese group, adding that the hackers choose targets that are “consistent with Chinese state interests.” The group has also attacked organizations involved in elections in Southeast Asia, according to the report. “Despite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term,” the researchers wrote.

PUBLIC KEY

— French President Emmanuel Macron called for the creation of a European agency tasked with fighting election interference. “Our first freedom is democratic freedom: the freedom to choose our leaders as foreign powers seek to influence our votes at every election,” Macron wrote in an op-ed published by the Guardian. “I propose the creation of a European Agency for the Protection of Democracies to provide each EU member state with European experts to protect their election process against cyber-attacks and manipulation.” Macron's column was published in 27 other newspapers, according to the Guardian.

— The chief executives of Equifax and Marriott International, two companies that have been under fire for massive data breaches, are scheduled to appear before the Senate Permanent Subcommittee on Investigations on Thursday. The hearing will examine data breaches in the private sector. The subcommittee will also unveil a bipartisan report that will explore the “repeated failures” by Equifax over several years that ultimately led to the 2017 data breach, according to a news release from the office of Sen. Rob Portman (R-Ohio), the subcommittee's chairman.

— More cybersecurity news from the public sector:

Exclusive: No. 2 at Pentagon's digital warfighting unit to retire (Politico)

Federal CIO: Agencies Already Tracking Future Cyber Reskilling Graduates (Nextgov)

Ex-Trump Associate Sater Sued for Hacking Ex-Friend’s Computers (Bloomberg News)

PRIVATE KEY

— A survey of chief information security officers at financial institutions found that 67 percent of respondents reported an increase in cyberattacks over the past 12 months. More than a quarter of respondents said they faced attacks that aimed to destroy data and 32 percent of respondents said they encountered situations where hackers attacked their incident response operations, according to the survey by the cybersecurity firms Carbon Black and Optiv released today. “Attackers are fighting back to protect their position,” the report stated. “Rather than just avoid detection, they are taking counter-measures to thwart responders and maintain their presence throughout the network.”

— Alphabet-owned Chronicle is launching a new product called Backstory to help improve companies' access to threat data, the New York Times's Nicole Perlroth reported. “The idea, company executives said, is simple: Backstory will make Alphabet’s vast storage, indexing and search abilities available to other companies, allowing them to search through giant volumes of data, going years back, to trace the back story of a malicious attack,” according to the Times.

— More cybersecurity news from the private sector:

Firefox maker fears DarkMatter 'misuse' of browser for hacking (Reuters)

Hackers Sell Access to Bait-and-Switch Empire (KrebsOnSecurity.com)

Quantum Physics Could Protect the Grid From Hackers—Maybe (Wired)

SECURITY FAILS

Hack Brief: Google Reveals 'BuggyCow,' a Rare MacOS Zero-Day Vulnerability (Wired)

Flawed visitor check-in systems let anyone steal guest logs and sneak into buildings (TechCrunch)

EASTER EGGS

Video shows massive avalanche crashing down Colorado mountain:

Videos taken March 3 showed an avalanche ripping down the mountainside at Ten Mile Canyon, Colo., after heavy snow fell in the area. (Video: The Washington Post)

More than 1,500 exotic turtles found duct-taped in luggage:

Customs agents at Manila’s Ninoy Aquino International Airport uncovered more than 1,500 rare, live turtles duct-taped in 4 pieces of luggage on March 3. (Video: Blair Guild/The Washington Post)

Another long night on the U.S.-Mexico border:

Across the U.S.-Mexico border, Customs and Border Protection agents are grappling with huge numbers of Central American migrants seeking asylum. (Video: Jorge Ribas/The Washington Post, Photo: Carolyn Van Houten/The Washington Post)