The BBC this week cites reports by the New York Times claiming that Russian hackers accessed the White House IT network last year. In the breach, which occurred last October, the hackers were 'only' able to penetrate and read President Obama's unclassified emails, but the incident was more serious than previously admitted because sensitive information was held on that unclassified system.
This revelation comes just two months after presidential candidate Hillary Clinton jostled with US federal rules on communications by using a personal email account instead of an official governmental one.
It is thought that the unclassified data in this instance could have included schedules and email exchanges between ambassadors and diplomats. The closely guarded servers dedicated to President Obama's personal BlackBerry do not appear to have been accessed.
The New York Times confirms that White House aides have said: “[Most of] Mr. Obama's classified briefings – such as the morning Presidential Daily Brief – are delivered orally or on paper (sometimes supplemented by an iPad system connected to classified networks).”
Far-flung floundering
With the many arms of the US State Department so far flung internationally, some have now called into question the degree to which so-called 'unclassified' communications, at a governmental or business level, can ever truly be considered secure.
Kris McConkey, a partner in PwC's cyber security practice, told SCMagazineUK.com this weekend that incidents of this nature are becoming more frequent. His own firm's threat intelligence practice has identified several attempts by multiple threat groups to intercept the email traffic of government departments and corporate entities.
“Where there is sensitive data of value - whether that is insight into international relations and diplomatic tensions, M&A strategies or drug trial results - it will be of interest to someone, who could just as frequently be an organised crime group as a nation state. Mapping out where key data is stored and how it can be accessed, as well as understanding who is likely to be interested in it, can help organisations identify which assets need to be protected, and how best to do so,” said McConkey.
Gary Newe, technical director at F5 Networks, agrees that these kinds of attacks are on the rise, and says it is difficult to comment on exactly what happened here without knowing all the details. “However, what is clear is that firewalls alone are not enough anymore. Attacks are frequently focusing on the application layer (Layer 7), or in a lot of cases Layer 8 (the human factor), exposing the entire system. If we have learned anything from WikiLeaks, it's that nothing can be treated as private anymore. Political leaders need to take this into account,” Newe said.
But it's not a question of regulations, says Newe. “There are already enough regulations in place to cover this: the Computer Fraud and Abuse Act in the US; the Computer Misuse Act in the UK; and the proposed EU Cyber Security Directive. The real difficulty is in catching the perpetrators, which, in some cases, will be outside the jurisdiction of where the actual attack takes place,” he added.
Incident response SWAT team
The US Secretary of Defense has stated that the intrusion was detected and responded to within 24 hours. Importantly, PwC's McConkey says that this 'echoes a trend' he sees among his firm's clients, who are increasingly investing in incident response preparedness so that they can act swiftly and decisively when needed.
Steve Armstrong, certified SANS Instructor at the SANS Institute, provides more colour here. He told SC that the point that this was an unclassified system is somewhat moot: history and experience show that information often flows to the most prevalent system, with 'local workarounds' (aka unofficial code words) used to facilitate sensitive discussions. “We regularly hear that secure communications systems are not widely used as they are restrictive and highly controlled, with staff choosing to communicate via less controlled and thus easier to use systems; Hillary Clinton's personal email server being a case in point,” he said.
The only outstanding question now is why both the White House and the hackers responsible waited until now to make a statement regarding the attack, says Armstrong. “The modus operandi of most hacking groups is to wait until either something significant is found and to then disclose the 'best bits' publicly, as is often demonstrated by hacktivism groups like Anonymous,” he said.
“The alternative APT-style approach being to remain quiet until access is lost. So the lack of disclosure before now suggests that the hacking group were not after information for public disclosure but were in fact either looking to covertly regain access or were passing their findings on to others,” said Armstrong.
The route of the 'unclassified' flaw?
What this also shows is that the very system of 'classification' itself is flawed, especially when it involves a manual process. This is the opinion of Guy Bunker, SVP of products at Clearswift. Bunker told SC that we should consider a simple email invitation to go to lunch, which would probably be 'unclassified'. “But if the response was ‘we can discuss the takeover of company X', which should now be classified as ‘top secret', you can see how challenging classification is. All business email should be treated with care and protected at all times. We saw in the recent Sony breach how devastating to reputation leaked internal email can be.”
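Bunker's lunch-invitation example is the classic case of classification drift in a thread: the first message is harmless, a reply raises the sensitivity, and every later message inherits that sensitivity even if its own text is innocuous. The script below, an added illustration rather than code from the article, Clearswift or any named product, models that with a high-water-mark rule (a thread is as sensitive as its most sensitive message) and a small content-rule check that flags messages whose author-declared label is lower than what the text contains. The labels, keyword rules and sample messages are all constructed for the example; a real deployment would use the organisation's own DLP policy rather than these regexes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class Label(IntEnum):
    """Ordered sensitivity labels (constructed for the example)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Hypothetical content rules: (pattern, minimum label the content requires).
# These stand in for an organisation's DLP policy and are not from any real product.
CONTENT_RULES = [
    (re.compile(r"\btakeover\b|\bacquisition\b|\bM&A\b", re.IGNORECASE), Label.TOP_SECRET),
    (re.compile(r"\bdrug trial\b|\btrial results\b", re.IGNORECASE), Label.SECRET),
]


@dataclass
class Message:
    sender: str
    body: str
    declared: Label = Label.UNCLASSIFIED  # the label the author put on the message


def content_label(body: str) -> Label:
    """Highest label any content rule says this text requires."""
    return max((lab for pat, lab in CONTENT_RULES if pat.search(body)),
               default=Label.UNCLASSIFIED)


def effective_label(msg: Message) -> Label:
    """A message is at least as sensitive as its author said, and as its content implies."""
    return max(msg.declared, content_label(msg.body))


def classify_thread(messages: List[Message]) -> List[Tuple[Label, Label]]:
    """For each message return (own effective label, thread high-water mark so far).

    The high-water mark never decreases: once a thread touches TOP_SECRET, a later
    'see you at 1pm' reply is still part of a TOP_SECRET conversation.
    """
    out = []
    hwm = Label.UNCLASSIFIED
    for m in messages:
        own = effective_label(m)
        hwm = max(hwm, own)
        out.append((own, hwm))
    return out


def thread_label(messages: List[Message]) -> Label:
    """Label of the whole thread: the final high-water mark."""
    return classify_thread(messages)[-1][1] if messages else Label.UNCLASSIFIED


def underclassified(messages: List[Message]) -> List[int]:
    """Indices of messages whose declared label is below what their content requires."""
    return [i for i, m in enumerate(messages) if m.declared < content_label(m.body)]


def may_release_to(messages: List[Message], channel_clearance: Label) -> bool:
    """True only if the whole thread fits within the channel's clearance."""
    return thread_label(messages) <= channel_clearance


# Constructed sample thread mirroring the article's lunch example.
SAMPLE_THREAD = [
    Message("alice", "Lunch at 1pm?"),
    Message("bob", "Sure, we can discuss the takeover of company X."),
    Message("alice", "Great, see you then."),
]

if __name__ == "__main__":
    for m, (own, hwm) in zip(SAMPLE_THREAD, classify_thread(SAMPLE_THREAD)):
        print(f"{m.sender:6} own={own.name:12} thread={hwm.name}")
    print("thread label:", thread_label(SAMPLE_THREAD).name)
    print("underclassified message indices:", underclassified(SAMPLE_THREAD))
    print("ok on unclassified channel?", may_release_to(SAMPLE_THREAD, Label.UNCLASSIFIED))
```

The point of the high-water mark is that a per-message decision is not enough: the third message reads as unclassified on its own, yet forwarding it carries the quoted history with it. The `underclassified` check is the part that catches the manual-classification failure Bunker describes, where the author marks a reply at the level of the original invitation rather than of its own content.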
George W Bush abstained from using any email system or device during his presidency. Today many US governmental departments and agency service organisations are known to operate a two-computer system: one secure, classified machine and another that is effectively 'non-secure', for unclassified communications.