CNN reports that the Department of Homeland Security is putting an emphasis on getting election security programs up and running again after they were temporarily halted due to lack of funding during the shutdown.
Chris Krebs, Cybersecurity and Infrastructure Security Agency Director, told CNN that any election security programs that were put on hiatus during the shutdown were put on “the top of the priority list for restart”. The agency, overseen by DHS, is responsible for protecting the networks of nearly 100 civilian federal agencies.
He said routine vulnerability assessments were paused, including a “couple of the election-security related” assessments that were focused on state networks. Krebs pointed out that if an active threat occurred during the shutdown, his agency responded and searched out the threat.
Krebs told CNN that he was unaware of “any appreciable uptick in threats”, despite fears among cybersecurity experts that the shutdown would put federal systems at risk of a cyber attack. However, one “ongoing” incident prompted an emergency directive to agencies across the government.
On January 22, one month into the government shutdown, the agency issued its first-ever emergency directive ordering federal agencies to immediately take steps to protect against “hijacking and tampering” incidents aimed at Domain Name System records. Krebs said the Cybersecurity and Infrastructure Security Agency’s job is to protect the “.govs”, and more rarely the “.coms” and “.orgs”, across government systems.
Krebs said that, although there was “a sense of urgency” with the directive, the attack was apparently unrelated to the shutdown, instead appearing to be related to the holiday season. “It’s almost as if the actor took advantage of the holiday period between Christmas and New Year’s, when folks were all on holiday or on vacation leave and maybe weren’t looking at things as closely,” he said.
Tuesday was the deadline for agencies to comply with the actions required by the directive. Agencies were required to audit DNS records, change passwords, add Multi-Factor Authentication to DNS accounts, and monitor logs.
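The first of those required actions, auditing DNS records, amounts to comparing what resolvers currently return for an agency's domains against a known-good baseline and flagging any difference, since a hijack works by swapping A, NS, MX or CNAME values for ones the attacker controls. The script below is an added illustration of that audit step and is not CISA's tooling or anything from the directive itself; the domain names, name servers and addresses are constructed sample values (RFC 5737 documentation ranges), and in practice `OBSERVED` would be populated from resolver queries rather than hard-coded.

```python
# Added example (not CISA's tooling): audit observed DNS records against a
# known-good baseline and flag the kinds of changes a hijack would introduce.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# domain -> record type -> set of record values
Records = Dict[str, Dict[str, Set[str]]]

# Record types whose tampering redirects traffic or mail; treated as highest impact.
HIGH_IMPACT = {"A", "AAAA", "NS", "MX", "CNAME"}

# Constructed baseline: what the zone SHOULD contain (sample values, not real records).
BASELINE: Records = {
    "agency.example": {
        "A": {"192.0.2.10"},
        "NS": {"ns1.agency.example.", "ns2.agency.example."},
        "MX": {"10 mail.agency.example."},
        "TXT": {"v=spf1 mx -all"},
    },
    "portal.agency.example": {
        "CNAME": {"agency.example."},
    },
}

# Constructed observation of what a resolver returned: the A record and one NS
# record now carry values the baseline does not know about.
OBSERVED: Records = {
    "agency.example": {
        "A": {"198.51.100.77"},
        "NS": {"ns1.agency.example.", "ns1.unknown-host.example."},
        "MX": {"10 mail.agency.example."},
        "TXT": {"v=spf1 mx -all"},
    },
    "portal.agency.example": {
        "CNAME": {"agency.example."},
    },
}


@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str
    added: Tuple[str, ...]    # values present now but absent from the baseline
    removed: Tuple[str, ...]  # baseline values that are no longer served
    severity: str


def severity_for(rtype: str) -> str:
    return "high" if rtype in HIGH_IMPACT else "medium"


def audit(baseline: Records, observed: Records) -> List[Finding]:
    """Return one Finding per (domain, record type) that drifted from the baseline."""
    findings: List[Finding] = []
    for domain, expected in baseline.items():
        actual = observed.get(domain, {})
        for rtype, exp_vals in expected.items():
            act_vals = actual.get(rtype, set())
            added = act_vals - exp_vals
            removed = exp_vals - act_vals
            if added or removed:
                findings.append(Finding(domain, rtype, tuple(sorted(added)),
                                        tuple(sorted(removed)), severity_for(rtype)))
        # Record types served for the domain that the baseline never defined at all.
        for rtype in sorted(set(actual) - set(expected)):
            findings.append(Finding(domain, rtype, tuple(sorted(actual[rtype])),
                                    (), severity_for(rtype)))
    return findings


def report(findings: List[Finding]) -> str:
    if not findings:
        return "OK: all records match the baseline"
    lines = []
    for f in findings:
        lines.append(f"[{f.severity.upper()}] {f.domain} {f.rtype}: "
                     f"added={list(f.added)} removed={list(f.removed)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(BASELINE, OBSERVED)))
```

Running the script against the constructed data reports two high-severity findings for `agency.example`, the changed A record and the replaced NS record, while the untouched MX, TXT and CNAME entries produce nothing. The baseline itself should be stored and checked from a system whose credentials are separate from the registrar and DNS-provider accounts, which is the point of the directive's password and multi-factor authentication steps: an attacker with the DNS account can change the records, but should not also be able to silence the audit.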
The bulk of federal agencies were able to meet the deadline and comply with the directive, and CISA is satisfied with the response. The agency is working with the outliers to create “road map plans” for compliance.
This type of attack, according to Krebs, is not a sophisticated one, but it is also not a type of attack that the organizations under his protection monitor for. He acknowledged this was a “big blind spot” and that there are steps the agency can take to harden security.
FireEye, a private security company, stated that there is evidence that the operators are conducting the attacks out of Iran and in support of the Iranian government. Krebs says the CISA doesn’t have enough information at this time to make that assessment but is continuing to work with agencies to implement the needed security measures.