Heinz College Students Investigate Agency Hacks For U.S. Committee On Homeland Security
By Scott Barsotti
A team of Heinz College students was tasked with investigating security vulnerabilities at federal agencies, and strategizing how to make all Americans safer from cyber crime.
The staggering 2015 breach of the U.S. Office of Personnel Management (OPM) brought the issue of government cybersecurity to national attention, when hackers stole the records of an estimated 21.5 million people.
Apart from running the daily administration of a superpower, the federal government of the United States is a target of persistent cyber attacks for another reason: it is the largest employer in the world. In fact, the U.S. Department of Defense can claim that title by itself without counting the seeming googolplex of agencies and offices in which federal employees work and serve around the globe.
Within that vast network of employee records, transmissions, and communications lies a treasure trove of sensitive information, a stockpile of everything from schedules to secrets that malicious actors would love to get their eyes on—and with millions of potential weak spots to exploit.
The U.S. House Committee on Homeland Security recently tapped a group of Heinz College students from the Master of Science in Information Security Policy and Management (MSISPM) program to perform a comparative analysis of several high-profile security breaches at federal agencies. In each case, the students detailed the response of the affected agency and then made specific recommendations on how to shore up defenses and prevent future attacks.
Their report suggests that state-sponsored cyber criminals are a primary threat to national security due to the type of information they tend to target—often financial, health, and military data. Accordingly, the student group included relevant “critical infrastructure” breaches of private firms JPMorgan Chase (financial), Anthem, Inc. (health), and Lockheed Martin (military) alongside their analysis of public agency hacks.
There are fundamental [cybersecurity] hygiene practices that are just not in play right now.Summer Craze Fowler
Systems and training lag behind the times
The OPM hack—suspected to have originated in China—compromised the personal information of roughly 21.5 million current and former government employees, prospective employees, contractors, and family members who had undergone background checks related to federal employment. These records included social security numbers, addresses, birth dates, security clearance information, and even 5.6 million sets of fingerprints.
Hackers have also targeted the U.S. Department of State, the Department of Veterans Affairs, the Postal Service, the Internal Revenue Service, NASA, and the White House in recent years, with varying success.
From one breach to the next the culprits, the types of information sought, and the motivations at play may differ, but the overarching trend paints a clear picture: the U.S. government is an extremely attractive target for cyber criminals of all stripes, and that problem will only intensify in the coming years. In their analysis, the students saw consistent opportunities to improve the U.S. government’s cyber posture, and produced a list of recommendations that could be implemented across the board by all federal agencies.
The students’ recommendations seek to move agencies toward a culture of cyber vigilance and accountability that all users share in, including additional layers of security as well as providing the entire government workforce with more robust training in information security and the pervasiveness of threats.
Summer Craze Fowler, Risk and Resilience Manager for the CERT Division of Carnegie Mellon University’s Software Engineering Institute, was the project’s faculty advisor. She said when breaches occur, 70 percent of the time it’s a known vulnerability being exploited.
“There are fundamental [cybersecurity] hygiene practices that are just not in play right now. If we shored up our defenses from that standpoint, we could stop a lot of these attacks from occurring,” said Fowler.
In the case of the OPM breach, the students determined that OPM had not, to date, followed cyber security best practices and had relatively poor (or even non-existent) endpoint security. According to previous audits, numerous systems at OPM failed security inspection or were operating without authorization, data had been insufficiently encrypted, and adequate cyber security leadership was not in place.
In the time since the breach was announced to the public in the summer of 2015, OPM has implemented many of the changes suggested by the students, including multi-factor authentication, strengthening access controls, and modernizing legacy systems.
The students affirmed that while system failures, weak controls, and physical thefts can account for some breaches, it was human error, misuse, and insider threats that accounted for the majority of cyber incidents. They argued that while investment must be made in infrastructure and in updating systems, it is simultaneously essential to devote resources to strengthening cyber policies and practices, right down to the employee level.
The SEAL Lifecycle: a cyber culture blueprint
In order to simplify the implementation of their recommendations, the students developed an innovative strategy called the SEAL (Screen, Enforce, Assure, Learn) Lifecycle. This layered method is intended to continually improve an organization’s cyber security through clear and simple processes regarding risk identification, policy application, incident response, and documentation.
The Heinz students presented their final paper on Capitol Hill; their recommendations to lawmakers, if fully implemented and baked into future policy and law, could strengthen information security not just for the U.S. government, but for the entirety of the American public.
How many grad students get to claim that?
This Capstone Project, titled “Fortifying America’s Cyber Posture: Applying Lessons Learned to Mitigate Future Threats,” was completed by Sarah Chandel, Marcelle Drakes-Ruffin, Teresa Mock, and Drew Spaniel.