Federal networks are under constant attack. The bigger the agency's public profile and more sensitive the data it stores, the more likely a target it makes. The Department of Health and Human Services is no exception.
Certainly, personal health information (PHI) is a treasure trove of data for fraudsters, and no department in government holds more of that data than HHS, and in particular the Centers for Medicare and Medicaid Services. But poring through pages of incident records Federal Times obtained through a Freedom of Information request showed that other components — like the Centers for Disease Control and Prevention and the National Institutes of Health — seem to be the prime targets for attackers looking to embed malicious code.
Considering the work being done at those agencies, the ramifications could be dire.
"This is one of the most important federal agencies in the size, scope and array of challenges that it is managing and has been taking on, just by the nature of the agency," said Leo Scanlon, acting HHS chief information security officer. "Every agency is unique, but HHS is made up of components which are very distinct in their mission and have challenges which are unique, even within HHS."

Tracking cybersecurity incidents at HHS and four major components over a 30-month period.
Photo Credit: John Bretschneider/Staff
The records — which include a tally of security incidents reported by HHS components between January 2013 and September 2015 — provide a very high-level view of the challenges the department faces. On the whole, HHS reported 26,381 incidents over a 30-month period: 40 percent of which were categorized as unauthorized access; 14 percent as scans, probes or attempted access; and 12 percent as malicious code.
But certain trends become apparent after parsing the data.
For instance, over that time period, CMS reported 7,600 incidents of unauthorized access, a category the National Institute of Standards and Technology defines as "a person [gaining] logical or physical access without permission to a network, system, application, data or other IT resource." These incidents — accounting for 56 percent of all incidents CMS reported — could signal a network breach by a malicious actor. More often than not, though, such incidents are merely an employee or contractor accessing a system outside the scope of their work. That's a violation of protocol, perhaps, but not malicious.
In contrast, CMS only discovered 250 instances of malicious code embedded in its systems, the lowest among the major incident categories reported, accounting for less than 2 percent of its total reported incidents. The majority of HHS components followed this same track, though not to the same extreme.
CDC and NIH were exceptions. For both, malware stood as a predominant threat vector.

Breakdown of cybersecurity incidents by major component and category.
Photo Credit: John Bretschneider/Staff
The reports — which are coded using categories established in NIST Special Publication 800-61 rev1 — define malicious code as "a virus, worm, Trojan horse or other code-based malicious entity that successfully infects a host."
CDC security reports show the agency discovered 954 instances of malicious code on its systems since January 2013, 37 percent of all incidents recorded. Hackers are also testing CDC's networks regularly, with 516 instances of scans, probes and attempted access reported during that same time period, or 20 percent.
NIH reports are inverted, with 2,569 records of scans, probes and attempted access (36 percent of total incidents) and 1,115 instances of malicious code discovered (16 percent). Both agencies also reported hundreds of incidents of unauthorized access, but nowhere near the levels of CMS and other major components like the Food and Drug Administration.
But numbers in a vacuum mean very little. To make sense of the data, three questions need answers: What are the stakes, what do the numbers mean for HHS and what are they doing about it?
The stakes
As mentioned above, hackers would be expected to attack CMS and other HHS components that store PHI on individuals, as these records contain everything needed to perpetrate financial fraud. But CDC and NIH networks house very different kinds of information — data that could have a significant impact on public health and national security.
CDC employees, in particular, work on some dangerous research projects, ranging from testing ways to inoculate people from viruses and bacteria to weaponizing some of those same diseases. While the U.S. has signed international agreements banning the use of biological weapons, not all enemies abroad are following the same rules. In order to prepare for the worst, CDC researchers have to work with weaponized strains to understand how best to combat them.
If that information leaked to an adversary with the ability to turn that research against us, such a breach would pose a real threat to national security.
The issues at NIH are less frightening but equally problematic.
The research being done at NIH could have economic ramifications similar to those of the data maintained at FDA. If information about a breakthrough could affect the marketplace, having advance knowledge before it goes public would allow someone to game the system.
However, due to the nature and potential impact of NIH research, there is also a possibility for disruptive hacking.
Imagine NIH researchers were on the verge of curing cancer when a hacker — motivated by malice or working for other vested interests — infiltrates the network and makes slight alterations to the data; not enough to be noticed but significant enough to disrupt the research and stall progress for untold years to come.
While those possibilities are stark, the incident report data doesn't go deep enough to provide any insight as to how likely they are or whether known incidents have led to such leakages.

Former HHS CIO Frank Baitman
Photo Credit: Social Security Administration
Frank Baitman, who served as HHS CIO for four years before retiring in December, said the agency dealt with attacks and attempted intrusions every day, as does every large organization.
"Obviously there were incidents along a spectrum. There were a large number of investigations that we would undertake to see whether or not something actually happened," he said. "In the vast majority of those we decided nothing actually occurred. A lot of the numbers [in the report] are related to people knocking on our door, basically."
And Baitman wasn't shocked that components like CDC, NIH and FDA were seeing more activity than other bureaus, mostly due to name recognition.
"Take a look at those three agencies: They are among the three largest in HHS," he said. "They have a very high public profile. Whereas many Americans may never have heard of HHS, they certainly have heard of FDA, NIH and CDC ... It's sort of self-fulfilling."
What the data means
While the data only provides a high-level view of what's going on, the reports give HHS an idea of the systems getting the most attention from bad actors and the avenues they're using to attack.
"You've got a profile of the way you're being attacked," Scanlon explained. "We're always getting clobbered — that's the name of the game. In each case, [the data show] a trending metric that corresponds to the profile of the organization and we aggressively manage those risks."
Having a robust, transparent reporting structure in place is key to building a strong security posture, officials said.
"The data is a reflection of a well-oiled security machine," Baitman said. "The fact that we have the means to identify incidents and that we have a culture that allows us to share that information, kudos goes to the cybersecurity team across HHS."
Baitman, Scanlon and acting HHS CIO Beth Anne Killoran all asserted that higher numbers actually show a strong cybersecurity posture, as an incident reported is an incident discovered rather than ignored.
But agency leaders need to see that data if they're going to make good use of it — something that requires a change in culture from top to bottom.
"That's one of those things you're always fighting against in cybersecurity: People feel like, 'If I don't share the information then no one's going to know we had something bad happen,'" Baitman said. "You need to convince people that reporting doesn't make you look worse. It helps you identify the challenges and where you need to allocate your resources to address those challenges."
"One of the great things about this report and the other reports, tools and alerts that we have is we use them in aggregate," Killoran said. "While this might be one mechanism to alert us, we have others as well ... This is just one tool in our toolkit."

A scientist checks Ebola blood tests in a CDC mobile lab. Hackers regularly attempt to access CDC networks.
Photo Credit: John Moore/Getty Images
What they're doing about it
"Once we know how we're going to get attacked, we apply that to our unique situation," Scanlon said. "HHS does that in a very fascinating and aggressive way."
HHS agencies have been "early and frequent adopters" of the government's latest cybersecurity tools, Killoran said, pointing to major initiatives like Homeland Security's Einstein and the Continuous Diagnostics and Mitigation (CDM) program.
The agency currently has the first two phases of the Einstein system on its networks, which detect malicious traffic at the Internet service provider level. HHS is in the process of adding the third phase — Einstein 3A — which will also block bad traffic at the perimeter, before it ever touches the network.
The first phase of the CDM program is also in full swing, adding to the department's already advanced continuous monitoring capabilities. The contracts to put in place strong asset management tools were awarded in late 2015 and vendors are already at work integrating software to identify and track data across the network.
Work on the requirements for the second phase — which includes tools to manage user access and privileges — is happening now, with the solicitation expected this year.
Agency leaders are also actively addressing the most vulnerable threat vector for any organization: the users themselves. In the modern cyber landscape, "amateurs attack machines; professionals attack people," Scanlon said.
CMS, for one, has been phishing its own employees with emails that appear legitimate but contain potentially malicious links. Rather than embedding malware, those links enroll those who click in a training program that highlights the dangers posed by phishing attacks and offers tips on spotting spoofs.
Killoran said the agency has seen a dramatic decrease in the number of successful phishing attacks since beginning the internal sting operation.
"The amount of incidents — for the size of our organization — shows HHS really is vigilant in making sure we are preventing and responding to cyberattacks and vulnerabilities that we have in our system," she said. "And we've been doing that consistently."
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering the federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.