The Department of Commerce’s inspector general was able to wreak simulated havoc on the bureau in its testing, prompting a list of 13 recommendations.

The Department of Commerce building is seen in Washington, D.C., on Feb. 2, 2024. (Photo by BRENDAN SMIALOWSKI/AFP via Getty Images)

An internal Department of Commerce watchdog found that the bureau focused on safeguarding national security through export controls lacks the capabilities to detect and respond to cyberthreats effectively.

According to a June 11 report from Commerce’s Office of Inspector General, the Bureau of Industry and Security couldn’t thwart the watchdog’s simulated cyber incidents — including simulations that set up malicious software within its networks and exfiltrated thousands of fictitious personally and business identifiable information, such as Social Security numbers. BIS had also “misconfigured critical security controls for its export control networks,” and “mishandled classified and other privileged credentials,” the watchdog found.

The cybersecurity capabilities of BIS are important as the bureau is responsible for export controls that help restrict proliferation of weapons of mass destruction and how they’re distributed. That work makes the bureau and Commerce “targets for sophisticated state-sponsored adversaries,” the report said.

“If BIS does not improve its current capabilities, advanced adversaries could significantly harm sensitive U.S. export control efforts, which in turn affects national security,” the report said. “Whether the threat comes from external actors or insiders, BIS must be ready to handle future attacks.”

As a result, the department’s inspector general made 13 recommendations to improve the bureau’s cybersecurity posture, including advising it to “establish procedures to respond to incidents” and “restrict network and user access.” Per the report, BIS is working on the recommended actions.

During the simulated activities, the report said, the watchdog assumed the role of either an attacker who had already broken into the system or an insider threat. Its actions in those scenarios included attempting unauthorized transfers of business and personally identifiable information, establishing persistent access (long-term access to a system), and making unauthorized changes to the bureau’s computers, among other things.

“We found that BIS did not effectively detect and respond to our simulated malicious activities. BIS could not detect our attacks until we intentionally acted to trigger alerts,” the report said. “Once BIS was alerted, its response was not effective at containing the potential damage and eradicating our access to its networks.”

For example, the bureau tried to stop one of the simulated attacks by disabling an administrator account that the inspector general staff set up for its testing, but the watchdog had also set up different access methods before that response.

“Because BIS did not identify the root cause of the attack, which was our ability to install and hide malicious software, its attempts to contain and eradicate our access to the system were not effective,” the report said.

The inspector general’s review of BIS’s incident response plan found that it lacked detail. Actions such as “remove any rootkits the attacker installed” did not spell out specific steps, so different responders could carry them out differently, according to the report.

Misconfigurations in crucial security controls on the networks used for export controls allowed the inspector general, in its simulations, to obtain information on software components, user accounts, network hardware and other data, a reconnaissance tactic attackers use to build a “roadmap for exploiting a system” after gaining access.

The mismanagement of usernames and passwords allowed the watchdog to find federal system credentials stored in plain text, which is a security risk and against department and federal protocol. That included finding “20 files that contained approximately 120 plain-text credentials for accessing federal systems.” Its review also found that many employees’ passwords were weak.

“In fact, across the three networks we tested, we were able to guess passwords for 847 of 6,638 accounts (13 percent), 814 of which were using the default password originally created by the BIS helpdesk,” the report said.

The recommendations include establishing detailed procedures for incident response, configuring network security devices properly, searching its networks for classified credentials and establishing a process to regularly search for credentials in plain text, and implementing a method of generating strong unique passwords for each account.
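Two of the recommendations above, routinely searching for plain-text credentials and retiring helpdesk default passwords, can be turned into a repeatable audit. The following is an added illustration, not code from the report or from BIS: the sample files, account records, hashing scheme and default-password list are all constructed here, and the two regexes are only cheap heuristics of the kind such a sweep would start with.

```python
import re
import os
import hashlib

# Constructed sample files standing in for documents found on a file share;
# none of this content comes from the OIG report.
SAMPLE_FILES = {
    "notes/onboarding.txt": "VPN login for new hires: user=jdoe password=Welcome2024!\nticket #1234 closed",
    "scripts/backup.ps1": "$cred = 'svc_backup:Summer2023'\nCopy-Item E:\\exports D:\\bak",
    "docs/readme.md": "Reference data for export-control reviews. No secrets here.",
    "config/app.properties": "db.user=exportdb\ndb.password=changeme\napi_key=EXAMPLE-KEY-0001",
}

# Two cheap heuristics: key/value secret assignments and quoted user:password pairs.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)(?:password|passwd|pwd|api_key)\s*[=:]\s*['\"]?([^\s'\"]+)"),
    re.compile(r"['\"]([A-Za-z0-9_.-]+):([^\s'\"]+)['\"]"),
]

def find_plaintext_credentials(files):
    """Return {path: hit_count} for every file that appears to contain a credential."""
    hits = {}
    for path, text in files.items():
        n = sum(len(p.findall(text)) for p in CREDENTIAL_PATTERNS)
        if n:
            hits[path] = n
    return hits

def hash_password(password, salt):
    # PBKDF2 stands in for whatever the directory really uses; the audit logic is the same.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password):
    salt = os.urandom(16)
    return (salt, hash_password(password, salt))

# Constructed directory: each account stores (salt, hash); two never left the helpdesk default.
ACCOUNTS = {
    "jdoe": make_account("Welcome2024!"),
    "asmith": make_account("correct horse battery staple"),
    "svc_backup": make_account("Summer2023"),
    "mlee": make_account("Welcome2024!"),
}
HELPDESK_DEFAULTS = ["Welcome2024!", "Password1"]  # constructed list of initial passwords

def accounts_on_default_password(accounts, defaults):
    """Derive each default with the account's own salt; a match means it was never changed."""
    flagged = [user for user, (salt, stored) in accounts.items()
               if any(hash_password(d, salt) == stored for d in defaults)]
    return sorted(flagged)

if __name__ == "__main__":
    hits = find_plaintext_credentials(SAMPLE_FILES)
    print(f"{len(hits)} files with {sum(hits.values())} plain-text credentials:", hits)
    print("accounts still on a helpdesk default:", accounts_on_default_password(ACCOUNTS, HELPDESK_DEFAULTS))
```

Reporting the result as "N files, M credentials" and "K accounts on a default" gives the same two metrics the report used, which makes it easy to track whether the numbers fall over successive sweeps.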

In a letter response to the inspector general included in the report, BIS said it “concurs with the recommendations and will prepare a formal action plan upon the issuance of OIG’s final report.”

That letter, dated May 15, indicated the bureau had already taken action on recommendations such as scanning for plain text credentials and generating strong passwords, and had plans to work toward the others.

Written by Madison Alder

Madison Alder is a reporter for FedScoop in Washington, D.C., covering government technology. Her reporting has included tracking government uses of artificial intelligence and monitoring changes in federal contracting. She’s broadly interested in issues involving health, law, and data. Before joining FedScoop, Madison was a reporter at Bloomberg Law where she covered several beats, including the federal judiciary, health policy, and employee benefits. A west-coaster at heart, Madison is originally from Seattle and is a graduate of the Walter Cronkite School of Journalism and Mass Communication at Arizona State University.
