The Complex

The White House: Cyber attacks against critical infrastructure are way up

Here's the White House's response to Killer Apps' request for comment on last night's Wall Street Journal article citing current and former administration officials saying that Iranian hackers have penetrated the networks of U.S. energy firms.

Basically, National Security Staff spokeswoman Laura Lucas confirmed that our critical infrastructure, including the energy sector, is under cyber-attack, with DHS responding to 177 attacks in 2012, and that the administration is hustling to share as much information as possible about cyber-threats with critical-infrastructure providers. Notice the statement below doesn't confirm or deny the WSJ's claim that Iranian hackers specifically are responsible.

Each and every day, the United States faces a myriad of threats in cyberspace, from the theft of U.S. intellectual property through cyber intrusions to distributed denial of service attacks against public-facing websites to intrusions against U.S. critical infrastructure companies, including those in the energy sector. We have observed a trend over the last year, exemplified by this recent activity, of malicious actors increasing their focus against critical infrastructure. Secretary Napolitano has noted these trends in hearings before Congress. For example, in March she cited a campaign of intrusions targeting oil and pipeline companies. Last year DHS responded to 177 incidents against industrial control systems, up from just nine three years earlier. The U.S. government is, of course, researching attribution and investigating specific events.

We are concerned about all threats to the security of our networks and critical infrastructure and are actively collaborating with our public and private sector partners to detect and mitigate disruptions and attacks against the nation's critical cyber and communications networks. We are leaning much further forward on providing warning to specific industry and international partners and are working to get ahead of the threat by providing actionable warnings and possible mitigations to all partners. This is part of our effort to implement the President's executive order. We will continue to share information with companies in our critical infrastructure sectors and are working with many institutions to establish a common understanding of malicious tactics and techniques, share network defense best practices, and provide technical assistance. What is critical is that our partners understand the nature and implications of this activity, evaluate the sufficiency of network defenses, remain vigilant, be prepared to respond and recover when such activity does occur, and work with industry organizations and the government to share information about any observed activity.

The WSJ article comes the same week that Richard Bejtlich, of the cybersecurity firm Mandiant, told Killer Apps that his company is seeing a suspected Iranian presence inside his clients' networks for the first time. Last fall, we reported that foreign hackers had penetrated the networks of U.S. energy firms in an effort to scout their weaknesses.

"There's some amount of reconnaissance that is required to infiltrate a large critical-infrastructure network, understand which systems are deployed, and how an attack should be structured to be most effective," Ashar Aziz, chief technology officer of cyber security firm FireEye, told Killer Apps over coffee this week when asked about foreign hackers infiltrating U.S. power networks. "There's scout malware and there's killer malware. I would not be surprised if scout malware has scouted all the vulnerabilities in critical infrastructure" in the United States, he said.

"I'm sure we have done the same thing" to potential U.S. adversaries, added Aziz. "Basically, we've got our fingers on the trigger very close to the brain of the [power] grid on the other side, and I would not be surprised if our grid was in the very same situation. If somebody felt threatened and wanted to pull the trigger, it would not be hard for them to do that."

A software flaw left DHS employees' personal info vulnerable to thieves since 2009

Software used by the Department of Homeland Security to hold the personal information of thousands of employees has been vulnerable to unauthorized access since 2009, according to a DHS warning.

That's right, software used by DHS between July 2009 and May 2013 to assist with background investigations on candidates for security clearances or law enforcement jobs has had a gaping hole in it that could have given anyone access to its employees' names, Social Security numbers, and dates of birth.

"DHS has determined that other information provided in the SF-86, the standard security questionnaire, was not accessible," reads this DHS announcement.

Still, name, Social Security number, and birthday; can you say identity theft goldmine?

DHS says that while it has "no evidence" of anyone's information being compromised, this week it began alerting employees to the possibility that their personal info may have been accessed, "out of an abundance of caution."

What's the solution DHS offers (besides firing the software vendor and immediately fixing the vulnerability)? Giving employees the numbers of credit reporting agencies so they can see if anyone's been spending under their names. The announcement also says that "DHS is evaluating all legal options and is engaged with the vendor to pursue all available remedies."

So, who specifically at DHS needs to worry about their info having been stolen?

"Employees and contractors who submitted background investigation information, and individuals who received a DHS clearance, between July 2009 and May 2013, primarily for positions at DHS HQ, Customs and Border Protection (CBP), and Immigration and Customs Enforcement (ICE)," states the announcement.

DHS is also reviewing its contracts with other vendors to make sure this isn't a widespread problem.

So, while these guys have been guarding our borders, some software vendor hasn't been guarding their identities. Well done, team. Remember, DHS is supposed to be the lead agency in protecting the United States from cyber-attacks.
