Federal Computers Dodge Global Malware Attack ... This Time | KERA News

Federal Computers Dodge Global Malware Attack ... This Time

May 22, 2017
Originally published on May 22, 2017 9:56 pm

The ransomware attack on worldwide computer networks earlier this month largely spared those of the federal government. While the government dodged a bullet this time, experts say, its systems are still vulnerable — although perhaps less so than in the past.

When the global malware attack — dubbed "WannaCry" — was first detected, a government cybersecurity response group moved quickly.

It determined that this time, government networks were largely protected from the intrusion. Agencies had downloaded a patch Microsoft sent out in March that closed the vulnerability in its most recent operating systems.

That precaution was a response to a hard-earned lesson, according to Bruce McConnell, who was a top cybersecurity official in the Obama administration.

McConnell says previous hacks, including the one at the Office of Personnel Management two years ago in which the data of some 21 million people was stolen, convinced the feds something had to be done.

"I think the federal government had several wake-up calls in the last few years, so the Obama administration put quite a bit of emphasis on getting things patched, getting things up to date and cleaning up unsupported operating systems," McConnell says.

But McConnell says the WannaCry attack was relatively unsophisticated, and that more sophisticated attacks will be harder to stop.

In an executive order signed earlier this month, President Trump called for more robust deterrence against attackers. Frank Cilluffo, who directs the Center for Cyber and Homeland Security at The George Washington University, says, "In essence we've been blaming the victim in terms of cybersecurity, and we need to put a little more pain on the perpetrators and the adversaries."

He says that means not shaming users, but going after and prosecuting individual hackers, and continuing to impose stiff economic sanctions on nations behind state-sponsored attacks. And not relying only on cybersecurity measures.

"If you think about it, in the physical world, it would sort of be like every time you get robbed you call the locksmith," Cilluffo says. "We're never going to build high-enough walls, protected by deep-enough moats, protected by bigger and bigger locks."

In Congress, lawmakers are also moving to increase security for government networks. In a rare bipartisan vote, the House last week approved a measure that aims to nudge federal agencies to modernize their technology, including more use of cloud computing, which is generally more secure.

The bill, known as the Modernizing Government Technology Act, would provide $500 million for IT modernization over the next two years. And agencies that save money through system upgrades could use those savings for other IT projects.

Republican Congressman Will Hurd of Texas was the bill's lead sponsor. "This is not a technology problem," he says. "This is a leadership problem. [We pay] cybersecurity the right amount of attention then we're going to be able to defend our infrastructure."

And cybersecurity expert McConnell, now global vice president of the EastWest Institute, says there are other potential vulnerabilities,
including so-called zero-day bugs, weaknesses unknown to the software developer and discovered by hackers before they can be patched.

"It's like taking care of your body or taking care of your car," he says. "You have to keep at it. It's not buy and forget."

McConnell says users, including the government, can't afford to let down their guard.

NPR's Geoff Bennett contributed to this report.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

ARI SHAPIRO, HOST:

U.S. government computers were mostly safe from last week's ransomware attack on computer networks around the world. While the government may have dodged a bullet this time, experts say its systems are still vulnerable, though maybe less so than in the past. NPR's Brian Naylor reports.

BRIAN NAYLOR, BYLINE: When the global malware attack dubbed WannaCry was first detected, a government cybersecurity response group moved quickly. They determined that this time government networks were largely protected from the intrusion. That's because agencies had already downloaded a patch that Microsoft sent out in March that closed the vulnerability in its most recent operating systems.

Bruce McConnell was a top cybersecurity official in the Obama administration. In a Skype interview, McConnell says previous hacks, including the one at the Office of Personnel Management two years ago that stole the data of some 21 million people, had taught the feds a lesson.

BRUCE MCCONNELL: I think the federal government had several wake-up calls in the last few years, so the Obama administration put quite a bit of emphasis on getting things patched, getting things up to date, cleaning up unsupported operating systems.

NAYLOR: But McConnell says the WannaCry attack was relatively unsophisticated and that more sophisticated attacks will be harder to stop. In an executive order signed earlier this month, President Trump called for more robust deterrence against attackers. Frank Cilluffo, who directs the Center for Cyber and Homeland Security at the George Washington University, says that's an important step.

FRANK CILLUFFO: In essence, we've been blaming the victim in terms of cybersecurity, and we need to put a little more pain on the perpetrators and the adversaries here.

NAYLOR: He says that means rather than shaming users, going after and prosecuting individual hackers and continuing to impose stiff economic sanctions on nations behind state-sponsored attacks.

CILLUFFO: I mean, if you think about it in the physical world, it would sort of be like every time you get robbed you call the locksmith. And we're never going to build high enough walls protected by a deep enough moats, protected by bigger and bigger locks.

NAYLOR: In Congress, lawmakers are also moving to increase security for government networks. In a rare bipartisan vote, the House approved a measure that aims to nudge federal agencies to modernize their technology, including more use of cloud computing. The bill would provide $500 million for IT modernization, and agencies that save money through system upgrades could use those savings for other IT projects. Republican Congressman Will Hurd of Texas was the lead sponsor.

WILL HURD: This is not a technology problem. This is a leadership problem. And if you have the right leadership that focuses on making sure we're constantly modernizing and that we're paying cybersecurity the right amount of attention, then we're going to be able to defend our infrastructure.

NAYLOR: Cybersecurity expert Bruce McConnell says there are other potential vulnerabilities to government systems, including so-called zero-day bugs. Those are weaknesses unknown to the software developer and discovered by hackers before they can be patched.

MCCONNELL: It's like taking care of your body or taking care of your car. You have to keep at it. It's not buy and forget.

NAYLOR: McConnell says users, including the government, can't afford to let down their guard. Brian Naylor, NPR News, Washington.

(SOUNDBITE OF TOSHIKO AKIYOSHI'S "KISARAZU ZINKU") Transcript provided by NPR, Copyright NPR.