On Tuesday, President Obama called for new cybersecurity laws that would expand the role of the Department of Homeland Security by making it easier for private companies and the federal government to share information about cyber threats. But before DHS starts exchanging security information with third parties, it needs to figure out what it is trying to protect in the first place.
The agency has no strategy or organizational structure to protect federal buildings' internet-connected access systems from hackers, according to a new Government Accountability Office analysis.
The report finds that DHS has barely considered how things like power control systems, heating and ventilation systems, surveillance cameras, and automated key card door locks could be hacked. DHS has no specific employees tasked with hardening or overseeing these systems, has "no strategy" for dealing with an attack on them, and does not really know what resources it would need to protect federal workers from such an attack.
The federal government has classified these building control systems as "high-risk" information systems worth protecting since 2003, which makes the gap an oversight that the cybersecurity experts consulted by the government found quite troubling.
"A majority of them felt this was a threat that needed to be dealt with immediately. The government shouldn't sit around and wait for an attack to occur, given the sophisticated types of attacks that can happen," Mark Goldstein, the Government Accountability Office's director of physical infrastructure issues, told me. "They don't have a strategy in place because they haven't assigned roles and responsibilities about who would take charge. That's one particular problem."
Goldstein said that DHS has likely been tied up protecting conventional computer networks from hackers and worrying about physical terrorist attacks, and that the neglect of building control systems appears to be an oversight rather than a deliberate choice ("they've had their hands full," he said).
That said, it's certainly not outside the realm of possibility for hackers or terrorists to do some physical damage.
In 2009, a hacker named Jesse McGraw installed malware on computers at the Dallas hospital where he worked, which gave him remote access to the building's heating, ventilation, and air-conditioning system. In 2011, there were 140 reported hacking incidents involving "industrial control systems." Last year, there were 243, an increase of 74 percent.
In an age of increasingly sophisticated cyber attacks on anything and everything that is left unhardened, it is possible to imagine a scenario in which a terrorist group remotely unlocks doors, shuts down ventilation systems, and causes some sort of trouble, Goldstein said.
"We didn't specifically run scenarios, but hypothetically, it's possible someone could gain access to a control system and cause malicious harm, and one could see it could be done in conjunction with an active attack potentially," Goldstein said. "[That] it does occur in the private sector means that it's not fantasy and there's the prospect of it occurring more in the future."
According to the report, an attacker who gained control of these building systems could do the following:
- damage temperature-sensitive equipment, such as in data centers
- cause life-safety systems such as fire alarms or sprinklers to give false alarms or fail to alarm in the event of an emergency, malfunctions that could result in injury or a loss of life
- disable facilities due to lack of power or other environmental needs
- use the building control network as a path into the agency's information systems
- temporarily evacuate facilities
- damage the government's credibility if it was unable to protect its employees.
The report notes that DHS is responsible for "some highly symbolic" federal buildings, in addition to laboratories and warehouses that store weapons and drugs, so it would probably be a good idea to lock those down in a meaningful way. Goldstein noted that many federal buildings are leased from third parties, and that systems such as elevators and air conditioners are often owned and operated by third parties even within federally owned buildings. That split ownership makes it hard to decide who is responsible for securing each system, and how.
But that is not to give DHS a free pass. Today, Obama gave a speech suggesting that DHS be given more power over cybersecurity. Before the agency takes on more responsibility, its overseers should require it to get its ducks in a row on some of its most basic existing ones.