According to a report from the Center for Public Integrity (CPI), on October 1, moments after the government shutdown started, the Federal Election Commission (FEC) was the victim of a massive attack against its networks. The incident is being called the worst act of sabotage in the FEC's 38-year history, and the fact that it happened just as the people responsible for protecting the network were ordered home only compounds the issue.
The CPI says that the network attacks were confirmed by three government officials who are involved in an investigation into the matter, and who speculate that China is behind the incident. However, the report doesn't say how they came to this conclusion. The FEC confirmed the attack in a statement, but offered no additional details.
Looking back, the CPI report says, the FEC knew that such an incident was bound to happen.
A 2012 audit by Leon Snead & Company warned that the FEC's security posture was poor, noting that its "computer network, data and information is at an increased risk of loss, theft, manipulation, interruption of operations, and other adverse actions."
"Tests of selected IT security controls found numerous instances where applicable best practice controls were not implemented by the FEC, and we were unable to locate substantive analysis of the risk to the agency of not adopting these minimum best practices...We continue to believe that the FEC's information and information systems are at high risk because of the decision made by FEC officials not to adopt all minimum security requirements that the Federal government has adopted."
The FEC disagreed with the auditor's recommendation, noting that it is a FISMA-exempt agency and follows the guidelines it is required to follow. The auditor responded that instead of making security decisions based on whether the agency is legally exempt from government-wide requirements, the FEC should focus on the practices and requirements that better protect its digital assets.
The audit report chastised the FEC for several issues, including user account passwords that never expire, disabled accounts that remained within Active Directory, and the use of the same "easily guessed" passphrase for all contractor laptops. Poor patching processes and outdated software were also highlighted by the auditors.
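The account-hygiene findings above (non-expiring passwords, disabled accounts left in the directory, a shared local passphrase) are the kind an administrator can check for in minutes. The script below is an added example, not code from the article or from the audit: it is a read-only PowerShell review of the first two findings using the RSAT ActiveDirectory module, and it assumes read access to user objects and an assumed 90-day staleness threshold that is not a figure from the audit.

```powershell
# Added example (not from the article or the audit). Read-only review of two of the
# audit's findings: enabled accounts whose password never expires, and disabled
# accounts still present in AD. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AccountHygieneReport {
    param(
        # Assumption: a disabled account untouched for this long is a removal candidate.
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Finding 1: enabled user accounts flagged "password never expires".
    $neverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
        -Properties PasswordLastSet, LastLogonDate |
        Select-Object SamAccountName, PasswordLastSet, LastLogonDate

    # Finding 2: disabled accounts that were left in the directory and have not been
    # modified since the cutoff (whenChanged is the object's last-modified timestamp).
    $staleDisabled = Get-ADUser -Filter 'Enabled -eq $false' `
        -Properties whenChanged, LastLogonDate |
        Where-Object { $_.whenChanged -lt $cutoff } |
        Select-Object SamAccountName, whenChanged, LastLogonDate

    # Context for finding 1: the domain-wide maximum password age. A MaxPasswordAge of
    # zero means the default policy itself never forces rotation.
    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

    [PSCustomObject]@{
        MaxPasswordAge        = $maxAge
        PasswordNeverExpires  = @($neverExpires)
        StaleDisabledAccounts = @($staleDisabled)
    }
}

# Usage: print the two lists so they can be reviewed and tracked to closure.
$report = Get-AccountHygieneReport -StaleDays 90
"Domain MaxPasswordAge: $($report.MaxPasswordAge)"
"Enabled accounts with non-expiring passwords: $($report.PasswordNeverExpires.Count)"
$report.PasswordNeverExpires | Format-Table -AutoSize
"Disabled accounts not modified in 90 days: $($report.StaleDisabledAccounts.Count)"
$report.StaleDisabledAccounts | Format-Table -AutoSize
```

The script lists rather than changes anything, so it can be run as a recurring check and the output compared between runs; clearing a non-expiring password flag or deleting a stale disabled account is a separate, reviewed step. The third finding, one shared passphrase across contractor laptops, is a local-account problem rather than a directory one, and the usual remedy is a per-machine randomised local administrator password managed through a solution such as Microsoft LAPS.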
Citing the poor rating from the auditor combined with the attacks during the shutdown, FEC Commissioner Steven Walther said that Alec Palmer, who serves as both staff director and head of the IT division, should be removed from one of his two positions. "We have simply not addressed our security needs, and there is no excuse for not giving this attention," Walther said in an interview with the CPI.
Speaking to the Hash about the incident, Veracode Co-Founder and CTO Chris Wysopal said:
When the shutdown started, a concern security professionals had was whether system administrators would be considered essential personnel and on the job, and if so, whether they would be strained with extra tasks preventing them from performing security tasks. Systems need to be patched and monitored continuously to provide security in the current rapidly changing threat environment. I wouldn't be surprised if the furloughs did degrade the state of security at the FEC and other government agencies. In this case there were known security deficiencies from an earlier audit, and the system security needed to be improved or a breach was inevitable.
Adding to that, Chris Eng, VP of Security Research at Veracode, shares similar thoughts:
If an auditor found the systems to be at high risk over a year ago and the FEC did nothing about it, there should be no surprise that they were compromised. If even an auditor could find that many things wrong, it's a reasonable bet that a penetration tester or a malicious attacker would find many more. They have probably been attacked more times than they realize.