How to Practice Safe Cyber

Photo courtesy of https://unsplash.com/@Privecstasy

By: Katie Olson
Acting Director, Defense Digital Service

When I first met my partner, we had to have The Talk. I worried anxiously, “Do you practice safe cyber?” Luckily, he knows all about VPNs, MFA, etc. so I felt very comfortable. I don’t know that I have the same level of comfort within the federal government.

In honor of Cybersecurity Awareness Month, I have some observations from my time working at Defense Digital Service and with partner organizations. The events of the past two years, some expected (a national election) and some unexpected (a global pandemic), have given our team a front seat to cyber actors, and our role has evolved into a more mission-critical one in the DOD that includes a keen eye on cybersecurity threats.

According to a Financial Trend Analysis report from the Treasury Department issued last Friday, we’ve seen a 30% increase in suspicious ransomware-related activities reported to the Financial Crimes Enforcement Network. The report only covers January-June 2021, so that number will no doubt be much higher by the end of the year.

Of course, none of this is surprising. What’s even more concerning is that the government often lags behind the private sector in technology, and much of what I’ve witnessed since joining DDS in 2019 has been bad cybersecurity hygiene.

In May 2020, at the height of the COVID-19 pandemic, we were tapped by the then Deputy Secretary of Defense, David Norquist, to co-lead cybersecurity efforts for Operation Warp Speed, the race against time and our scientific capabilities to bring COVID-19 vaccines to Americans as quickly and safely as possible. 

Alongside the National Security Agency, we worked with organizations across industry and government to ensure the security of critical data and systems involved with research, testing, manufacturing and distribution of vaccines. What we found in terms of security practices at public agencies (and to be fair, private entities as well) was troubling. 

For the most part, minimum cyber hygiene standards were not being met. DDS found basic best practices going unheeded, such as two-factor authentication, which even the average individual uses to access a private email or online banking account. Vulnerable software was not upgraded in a timely manner, and security findings from previous penetration tests were not being addressed. In some cases, security testing on public-facing websites or products was not even being performed prior to launch. If DDS and NSA had not stepped in, a number of issues could have impacted OWS: exposed API keys, vulnerable websites and data leakage.

This is, unfortunately, so often the case within the USG. Since joining DDS, I’ve seen us overlook the implementation of (what should be) standard operating procedures around cybersecurity. One example was learning that we weren’t using STARTTLS, a commercially-recognized certificate authority that authenticates and validates digital communications over the internet. In layman’s terms, this means unclassified DOD emails weren’t encrypted, potentially exposing their content to surveillance and to man-in-the-middle attacks in which an adversary can read and edit that content. Imagine the thousands of emails we send per day. These vulnerabilities have presented a significant risk to the DOD’s mission and our national security.
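As an added illustration of the STARTTLS gap described above (example code, not part of the original post or any DDS tool): a small Python check that parses a mail server's EHLO reply for the STARTTLS extension and, in the live helper, attempts the TLS upgrade while validating the server certificate against the system CA store. The EHLO replies and the hostname are constructed for the example.

```python
"""Added example (not DDS code): check whether a mail server offers STARTTLS
and whether its certificate validates against the system CA store."""
import re
import smtplib
import ssl

# Constructed EHLO replies, as a server sends them after the client's EHLO.
# Each "250-" line advertises an extension; the final line starts with "250 ".
SAMPLE_EHLO_WITH_TLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
SAMPLE_EHLO_WITHOUT_TLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply: str) -> set:
    """Return the extension keywords advertised in a raw EHLO reply.
    The first line is the server greeting, not an extension, so it is skipped."""
    exts = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def starttls_offered(reply: str) -> bool:
    """True if the server advertises STARTTLS; without it, mail stays plaintext."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_mx_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check (network required; host is an assumption): connect, send EHLO,
    then upgrade with STARTTLS while verifying the certificate chain and hostname."""
    result = {"host": host, "starttls": False, "cert_valid": False, "error": None}
    ctx = ssl.create_default_context()  # validates chain + hostname against CA store
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                smtp.starttls(context=ctx)  # raises ssl.SSLError on a bad certificate
                result["cert_valid"] = True
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result
```

A server that answers without STARTTLS, or whose certificate fails validation, is exactly the case the paragraph describes: mail to it travels in the clear or to an unverified endpoint.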

DDS also conducted a Domain Name System (DNS) pilot to see if we could improve the DOD’s ability to prevent its devices from resolving malicious domains. In the first 24 hours, we found over 17,000 unique domains that were being allowed to resolve by DOD devices, potentially allowing adversaries to gain access to our systems, hijack or redirect DOD users, and exfiltrate data. 

Last year’s SolarWinds breach was a strategic supply-chain hack that packaged malicious code into software updates for its Orion product. We found ourselves surprised at the sophistication of the attack, even as we learned that SolarWinds' update servers could be accessed with a password of “solarwinds123”.

DDS, NSA, CISA and others are making a dent in instituting cybersecurity best practices because of our collaboration through Operation Warp Speed. DDS and CISA also co-developed Crossfeed, a tool that continuously monitors public-facing government websites to identify and act on vulnerabilities, to secure OWS and the 2020 election. Not only was this a unique collaboration between two cybersecurity-focused organizations in government, but we successfully transitioned long-term ownership of Crossfeed to CISA so that they can leverage and evolve the tool for other cybersecurity projects.

Separately, the Department of Homeland Security launched StopRansomware.gov, and the U.S. Department of the Treasury is taking steps to tackle ransomware attacks.

But it’s not enough. The SolarWinds breach, the Colonial Pipeline hack, and the recent ransomware that threatened operations in the agricultural supply chain underscore my concerns and demonstrate that the U.S. government needs to take significant action, immediately.

We are at a critical juncture where we can wholly improve and upend the status quo that is failing us. We can and should establish and execute against the basics, including bug bounties, two-factor authentication, secure DNS, and email encryption. We can and should establish and strengthen the security programs of individual agencies and the federal government as a whole. Until we do, system breaches and ransomware attacks will keep mounting for decades to come.

Experience is the best teacher. Our team (along with experts within government and across industry) is committed to making sure the events of the past couple of years, coupled with the improvements and recommendations we have made, are part of our journey towards better cyber hygiene. We all have to do our part to practice safe cyber.
