Microsoft is trying to kill passwords. It can’t happen soon enough. Microsoft called passwords a “relic from the early days of computing” that “has long outlived its usefulness.”


Microsoft Corp. is trying to kill the password, and it’s about time. This month, the company said the next test version of its stripped-down Windows 10 S operating system will strip out passwords too, by default. If you go through setup as recommended, you’ll never get a password option.
Los Angeles Times

But killing the password altogether will take more work and time — and the problem may get worse before it gets better.

That’s a shame. Passwords are the bane of modern digital existence. On a big-picture level, insecure passwords cause an estimated 80% of breaches, according to a 2017 report from Verizon. On a human level, they’re paralyzing; right when you need to access your utility bill, you can’t remember if you replaced the “a” with a 4 or an @ symbol. Or when, say, a missile alert has gone out to your entire state and you can’t find your password to give an all-clear.

Passwords have amassed their share of enemies. Microsoft’s latest move follows pushes from Apple, Google and others to shake up the old passcode and password system with fingerprint scans, face scans or temporary codes. There’s no question passwords aren’t adapting to a modern age. “It’s quite clear to us, that the era of the password is passing. Based on the significant amount of accounts that now exist, it doesn’t scale as a system,” said William Beer, a principal at business management consultancy EY.

Microsoft has been waging a war on passwords for a while. Like others, it has poured effort into other types of authentication, namely biometric scans of your face or fingerprints — it introduced facial recognition unlocking for Windows PCs in 2015. It also has built a smartphone app to provide an ever-changing code to act as your password.

“This relic from the early days of computing has long outlived its usefulness, and certainly, its ability to keep criminals at bay,” an official blog post from Microsoft said in December.

Now Microsoft is edging even closer to pushing passwords off a cliff, at least in its lighter version of Windows — though not every feature that gets tested in early versions of operating systems makes it to consumers.

But we don’t have a lot of time to work on a slow revolution. The way we handle security is about to hit an even bigger test.

One reason passwords are awful is that there are so many of them. Dashlane, a password manager company, found in a survey of its own customers that they have an average of 130 accounts with passwords.

And password overload is poised to get worse before it gets better. Tech companies are pushing into more areas of our lives by giving “smarts” to any item that can accommodate a chip — toilets, car, beds. Securing all of those gets messy, and it’s not remotely feasible to create a secure, unique password for every home appliance, even though those appliances collect very personal data.

Another big issue: Finding the perfect password is difficult, as it requires a unique balance of “easy to remember” and “hard to hack.” And since you need more than one password, you have to find that sweet spot over and over again. In the pursuit of safety, companies often require passwords to have a complex combination of capital letters, symbols and other requirements. But those requirements can actually cause people to reuse their complex passwords or refuse to change them once they’ve committed them to memory. In 2016, Britain’s National Cyber Security Centre recommended simplifying password requirements to encourage people to change them.

All of these issues point to a system that doesn’t work, and it makes sense for companies and people to get on the bandwagon to replace it.

Yet passwords linger like roaches in the corners of our digital lives. Alternatives such as fingerprint scans, retinal scans, voice recognition and other technologies can be hard for companies — particularly non-tech companies — to implement well. Those solutions are also imperfect, as some pairs of twins can tell you. If something requires new costs to implement and is still flawed, many companies may stick with the devil they know. (Even Microsoft is simply proposing getting rid of passwords, and only on a light version of Windows, instead of replacing them with another security alternative.)

Plus, even when companies offer something more, it’s often difficult for people to get used to a new routine, Beer said.

Changing habits will require more efforts like Microsoft’s, and a slow introduction to different methods to change people’s routines. Beer said that many of the businesses he looks at are now at least combining the old username and password combination with something else — a fingerprint scan, voice print or temporary code for those cagey about sharing biometric info (or for companies unwilling or unable to secure it).

Ultimately, Beer said, the real path to killing the password is not technology, but education.

“We’re putting all the focus on technology and not thinking about explaining to people,” he said. “I would suggest that while technology is great, it needs to be accompanied by a significant awareness campaign to explain and support users as they go through these changes.”

Tsukayama writes for the Washington Post.

157 new emoji coming to #iOS, #Android. Are you ready for a ton of new emoji? If not, you had better hurry to prepare yourself and your phone.


New year, new emoji.
Kaya Yurieff | CNN

The Unicode Consortium — a nonprofit that sets the global standard for emoji — announced on Wednesday 157 new emoji options would be coming later this year. The latest collection includes a cupcake, lobster, pirate flag and more expressive smiley faces.

Emoji will soon have a variety of new hairstyles, such as curly or bald, and more hair color options such as red and white.

There will also be more animals, such as a kangaroo, llama, swan and mosquito. More fun smiley faces include a “cold face” with dangling icicles, a partying face and a “woozy” emoji.

New superheroes and villains join the lineup, and popular activities like lacrosse, knitting, sewing and skateboarding are also represented.

After Unicode releases its guidelines, software makers such as Apple and Google design versions for their respective platforms. That’s why emoji on iPhones look different than those on Android phones.


The new emoji usually begin appearing on mobile phones later in the year. Apple typically previews its versions in June and releases them in the fall with the next iOS update. Android will release its emoji later this year. With the latest additions, the total number of approved emoji will be 2,823. In recent years, Unicode has made a bigger effort to include more diverse skin tones, occupations and flags.


Dark Caracal Targets Thousands in Over 21 Countries. The Electronic Frontier Foundation and Lookout Security released a report detailing several active Dark Caracal #hacking campaigns that successfully targeted mobile devices of #military personnel, medical #professionals, #journalists, #activists, and others in over 21 countries.


Dark Caracal: Hackers Spied on Targets in Over 21 Countries and Stole Hundreds of Gigabytes of Data

International Business Times UK | By India Ashok

A new and massive cyberespionage campaign, believed to be the work of Lebanese hackers linked to the Lebanese General Security Directorate (GDGS) in Beirut, has been uncovered.

A new report by the Electronic Frontier Foundation and Lookout Security revealed that the cyberespionage group, dubbed Dark Caracal, has conducted numerous attacks against thousands of targets in over 21 countries in North America, Europe, the Middle East, and Asia.

The hacker group successfully targeted mobile devices of military personnel, medical professionals, journalists, lawyers, activists and more. It has stolen hundreds of gigabytes of data, including photos, text messages, call records, audio recordings, contact information and more.

The cyberespionage group stole this massive trove of information using its custom-developed mobile spyware called Pallas. The spyware, which Lookout discovered in 2017, is found in malware-laced Android apps — knock-offs of popular apps like WhatsApp, Telegram and others that users downloaded from third-party online stores.

“People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal,” EFF director of Cybersecurity Eva Galperin said in a statement. “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

According to the report, Dark Caracal has been active in several different campaigns running in parallel, and its backend infrastructure has also been used by other threat actors. For instance, Operation Manul, which according to the EFF targeted journalists, lawyers and dissidents of the Kazakhstan government, was launched using Dark Caracal’s infrastructure.

According to Galperin, the Dark Caracal group may be offering its spyware services to various clients, including governments, The Register reported.

Dark Caracal hackers also make use of other malware variants, such as the Windows malware called Bandook RAT. The group also uses a previously unknown multi-platform malware dubbed CrossRAT by Lookout and EFF, which is capable of targeting Windows, Linux and OS X systems. The report states that the APT group also borrows or purchases hacking tools from other hackers on the dark web.

“Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform,” said Mike Murray, VP of security intelligence at Lookout. “The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about.”

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF staff technologist Cooper Quintin. “This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”

Ransomware Posing as Flash Player Download. A new strain of ransomware hit organizations throughout Eastern Europe earlier this week. Spread through compromised websites, the Bad Rabbit ransomware poses as an Adobe Flash Player download, and after infecting one machine, it can quickly spread through an organization’s network without being detected.


The Latest Ransomware Presents Itself as an Adobe Flash Player Download

Nextgov | By Keith Collins

A new strain of ransomware, called Bad Rabbit, began hitting organizations throughout Russia and Eastern Europe on Wednesday (Oct. 25). The malware is being spread through compromised websites, presenting itself as an Adobe Flash Player download.

“When users visited one of the compromised websites, they were redirected to 1dnscontrol[.]com, the site which was hosting the malicious file,” according to a blog post by Talos, Cisco’s threat intelligence team.

Once infected with the ransomware, victims are directed to a web page on the dark web, which demands they pay 0.05 bitcoin (roughly $285 USD) to get their files back.

After one computer on a network is infected, Bad Rabbit can quickly and covertly spread through an organization without being detected. Although the ransomware has been detected in several countries, it appears to be concentrated in organizations in Russia and Ukraine, particularly media outlets.

U.S. Takes Down International #ID #Theft Ring. The U.S. Justice Department indicted 36 people in connection with an international identity theft ring known as #Infraud. #cyberfraud


International Cyber Crime Ring Smashed After More Than $530 Million Stolen

CNN | By Ben Westcott

US authorities have indicted 36 people for stealing more than $530 million from victims across the world in one of the “largest cyber fraud enterprises ever prosecuted.”

In a statement, US investigators claimed the accused were taking part in a massive operation known as the Infraud Organization, which stole and then sold other people’s personal information, including credit card and banking information.

“Today’s indictment and arrests mark one of the largest cyberfraud enterprise prosecutions ever undertaken by the US Department of Justice,” Acting Assistant US Attorney General John Cronan said in a statement. Cronan said it was believed the group had intended to cause losses totaling more than $2.2 billion during its seven years of operation.

Authorities have already arrested 13 people from a range of countries, including the United States, Australia, the United Kingdom, France and Italy.

The Infraud Organization has been in operation since October 2010, according to the statement from the US Justice Department, when it was launched by a 34-year-old Ukrainian man, Svyatoslav Bondarenko. He had wanted to grow the organization into the internet’s largest “carding” group — that is, a criminal group that makes retail purchases with counterfeit or stolen credit card information. Their motto was, “In Fraud We Trust.”

According to the Justice Department statement, there were 10,901 registered members of the Infraud Organization as of March 2017, who were divided into specific roles. They ranged from the “administrators” who oversaw the organization’s strategic planning and approved membership, all the way down to the “members” who used the Infraud forum to facilitate their criminal activities.

Law enforcement agencies from across the world collaborated on the investigation into Infraud, including Italy, Australia, the United Kingdom, France and Luxembourg, among many others.

#SID2018 Is the Internet Safer? Today is the annual Safer Internet Day, an effort to promote safer and responsible use of the internet and mobile phones that is celebrated by over 120 countries. Several cyber experts and companies weigh in on the dangers that younger internet browsers face, and how government, industry, parents, and others in the community can help reduce usage risks.

#SID2018: Is the Internet Safer?

Infosecurity Magazine | By Dan Raywood | February 6, 2018

Today is the annual Safer #InternetDay, when the reality of online threats is detailed in an effort to encourage users to take better safety steps online.

According to research released by the UK Safer Internet Centre, a study of 2,000 eight- to 17-year-olds found that 11% had “felt worried or anxious on the internet,” while respondents had felt inspired (74%), excited (82%) or happy (89%) as a result of their internet use in the previous week.

This year’s event is using the slogan “Create, Connect and Share Respect: A better internet starts with you” with a strong emphasis on using the internet and what makes users feel good or bad. In a time where more is being done to deliver a safe experience online – including free SSL certificates, the launch of a new version of the TLS protocol and the ability to filter out certain words on Twitter – it does seem that more is being done to provide a safer and better experience for all online.

Margot James, Minister for Digital and the Creative Industries, said that the internet does have a positive effect on young people’s lives, but we must all recognize the dangers that can be found online. “Only by working together can government, industry, parents, schools and communities harness the power of the internet for good and reduce its risks.”

At the recent White Hat Ball, it was revealed that in 2017, there were over 12,000 counselling sessions in which children spoke to Childline about experiences of online sexual abuse, bullying and safety.

Will Gardner, a director of the UK Safer Internet Centre and CEO of Childnet, said: “Safer Internet Day gives us the unique opportunity to collectively promote respect and empathy online, inspire young people to harness their enthusiasm and creativity, and support them to build positive online experiences for everyone. It is #inspirational to see so many different organizations and individuals come together today to build a better internet.”

After all, a #safer #internet means more young people are encouraged to learn more about the internet and its workings, and therefore see the benefits of a career in cybersecurity.

Raj Samani, chief scientist and fellow at McAfee, said the reality is that we need to continue raising awareness for codes of best practice online. “Cyber-criminals are constantly on the lookout for slip ups and mistakes which allow them to access lucrative private data – from bank account details to medical history: consumers must be aware of the threats online – not least because the blurring of work life boundaries today means bad habits online can quickly slip into the office.”

As a result, Samani recommended that businesses should offer staff training to build up a strong security culture across their entire organization.

He added: “Implementing the right technology is vital but, at the end of the day, it’s about looking for a blended approach which suits your specific organization. This means finding the right combination of people, process and technology to effectively protect the organization’s data, detect any threats and, when targeted, rapidly correct systems.

“Safer Internet Day acts as a timely reminder for organizations to ensure the correct training is in place so staff can remain cyber-savvy online.”

To tie in with the day, ENISA published the Cybersecurity Culture in Organizations report, in order to promote both the understanding and uptake of cybersecurity culture programs within organizations. ENISA said that a decent culture is achieved by:

• Setting #cybersecurity as a standing agenda item at board meetings to underline the importance of a robust cybersecurity culture

• Ensuring that employees are consulted and their concerns regarding cybersecurity practices are being considered by the cybersecurity culture working group

• Ensuring that business processes/strategies and cybersecurity processes/strategies are fully aligned

“While many organizations and employees are familiar with related concepts such as cybersecurity awareness and information security frameworks, cybersecurity culture covers a broader scope. The idea behind this concept is to make information security considerations an integral part of an employee’s daily life,” ENISA’s announcement said.

Part of this was to appreciate that “cyber threat awareness campaigns alone do not provide sufficient #protection against ever evolving cyber-attacks,” that technical cybersecurity measures need to be in accordance with other business processes, and that employees need to act as a strong human firewall against cyber-attacks.

A safer internet is better for all, although a cynic of such awareness days would suggest that there should be year-round awareness of the issues and part of developing a culture is the constant awareness. Regardless, some action is better than none and it is reassuring to see such positivity about internet usage in 2018.

Army to Modernize Tracking System for Cyber Attacks

The U.S. Army is preparing to modernize Blue Force Tracking, its friendly forces tracking system, to ensure continued operability in the event of cyber and electronic warfare attacks.

The Army Wants to be Able to Track Friendly Forces During a Cyber Attack
C4ISRNET | By Daniel Cebul

Washington — The U.S. Army is preparing to modernize its friendly forces tracking system so that it will continue to operate through cyber and electronic warfare attacks.

The service’s situational awareness network, known as Blue Force Tracking, already receives periodic updates, but a more significant upgrade is needed if troops are to be adequately equipped for future warfare. “This capability improvement is necessary as the United States faces increased cyber and electronic warfare threats from near-peer adversaries,” Lt. Col. Shane Sims said in an Army press release.

Defense News reported in November 2017 that Russia’s Zapad exercise took place in a largely EW-hostile environment. Because Russia proved it can jam its own forces relatively easily, military officials are concerned about how well NATO forces are prepared to operate in GPS- and communication-denied environments.

To address these issues, the program office partnered with the Army’s Communications-Electronics Research, Development and Engineering Center, or CERDEC, and ran concurrent studies that examined the capabilities and limitations of current blue force tracking technology.

The work included:

• A traffic study that explored how the current blue force tracking system generates and receives data, as well as the requirements of moving data digitally, to identify any network vulnerabilities.

• A cyber and electronic warfare study that aimed to identify what emerging technologies need to be developed to stay ahead of adversaries. The Army announcement notes, “assured positioning, navigation and timing, known as PNT, for soldiers in GPS-denied environments was the primary goal in this study.”

• A network study that examined how to communicate future data more efficiently within the network.

• A transport study that identified the physical infrastructure — radios, satellites and antennas — needed to move larger quantities of information. Part of the solution is to build redundancies into the network so it can use different radios and different frequency bands.

This might entail deploying satellites of higher technological quality in larger quantities. A new satellite infrastructure that could handle more data and transmit information faster was credited with the improvements soldiers observed the last time the BFT system was upgraded in 2011.

“The goal of the next-generation BFTs is to reduce the cognitive burden on soldiers by creating a simple and intuitive network,” Sims said.

The Army issued a request for information on the system this month, and CERDEC is set to meet with Army leaders to discuss an acquisition strategy in February.

The Army hopes to issue a request for proposals from industry in early 2020, and could begin fielding the new BFT by 2025, the release said.

The Risk of Insider Threat

Research demonstrates that most fraud risk is attributed to insider threat. In one study, almost one third of all cyber attacks were committed by ex-employees.

It’s Not Just Cybercriminals: Insider Threats Still a Top Cyber Risk for Corporations
Property Casualty 360° | By Rhys Dipshan

As cyber espionage and ransomware attacks wreak increasing damage on the world economy, it makes sense that many companies think their biggest threat comes from external actors.
But most risk still emanates from inside the organization, according to Kroll’s Global Fraud & Risk Report.
The report was based on a survey conducted among 540 senior executives across six continents and found that a significant share of companies’ fraud, cybersecurity and security incidents were caused by current or former employees.
Risks from current & former employees
Ex-employees, for example, were key perpetrators in 37% of security incidents that happened outside the cyber realm. What’s more, 25% of security incidents were caused by middle- or senior-level employees, while 26% were by junior employees.
Junior employees were also the most likely to cause fraud incidents, followed by ex-employees.
And while most cybersecurity incidents were caused by random cyberattackers, at 34%, ex-employees still accounted for 28% of all attacks, while senior or middle management employees accounted for 19%, and junior employees 16%.
Alan Brill, senior managing director with Kroll’s cyber security and investigations practice, noted that oftentimes, organizations will concentrate too much on high-tech cybersecurity needs, such as protecting their networks, and miss the fact that their biggest “risk factor comes from those who have access to sensitive information.”
Ensure former employees don’t have access
One major shortcoming among organizations is not properly ensuring former employees do not have access to enterprise systems. “You need to be able to not just plan the steps the company is going to take [when an employee leaves], but you have to have a way of knowing that the steps are actually being done. I think in many cases, there is a disconnect from what managers believe is being done and what is happening on the ground,” Brill said.
Brill also advised organizations to ensure that “the right agreements are [in] place” to limit employees’ and contractors’ access to sensitive information, and train employees on the appropriate data handling procedures.
Most companies surveyed took measures to mitigate the risk of insider threats. Over 80% restricted employees from installing software on company devices and had employee training programs. Over 75% had internal cybersecurity policies and procedures.
But Brill noted that it’s not enough to just have security programs and policies without constantly reviewing their usefulness. He said that many companies need to use “metrics to understand if what they’re doing is effective,” and build their security programs around tested results.
Fraud, information theft
Such proven programs are becoming increasingly necessary given the wide range of fraud and cybersecurity incidents that organizations face in the current economy. The survey found, for example, that 29% of respondent companies suffered fraud, which resulted in information theft, loss or attack, while 27% had theft of physical assets or stock, and 26% uncovered a conflict of interest.
Information theft and conflict of interest incidents were experienced by 5% more companies in 2017 than in 2016, the biggest increase among all types of fraud incidents.
Brill noted that such conflict of interest incidents are becoming more common as enterprises rely on more vendors in their supply chain and as compliance offices become “more able to detect conflicts of interest” through the use of better compliance technology.
More vulnerable to all types of threats in 2018
With regard to cyber incidents, the survey found the number of companies attacked by malicious viruses rose 3% to 36% in 2017, while those suffering email phishing attacks rose 7% to 33%, which Brill attributed to such scams becoming more sophisticated.
When compared with the 2015 survey results, respondents believed they’re more vulnerable to all types of threats in 2017 than they were two years prior, with the exception of theft of physical assets or stock. Areas where respondents believe their vulnerability had increased the most since 2015 included IP theft, management of conflicts of interest, and market collusion.

Should Agency Websites Shut Down with the Rest of Government?

Some government websites were inaccessible during this week’s government shutdown. Content on other government websites was accessible, but only content published prior to the shutdown. In one instance, the National Science Foundation (NSF) suggested that maintaining its website during a government shutdown could pose cyber security risks. In contrast, the National Endowment for the Humanities (NEH) website remained open but was not updated. The NSF may run its own physical web server(s) onsite, while NEH and other agency sites that continued without interruption are hosted on the enterprise cloud. It cannot yet be concluded that government-run web servers went dark while cloud-hosted sites remained up.

Could The Cloud Save Government Websites From Going Dark In The Next Shutdown?
Forbes | By Kalev Leetaru

Last April I wrote that rumors of the EPA’s open data website disappearing were merely the bureaucratic outcome of a potential government shutdown, but that perhaps the renewed attention to where the government’s scientific agencies host their data might yield changes that would make them more resilient to future government shutdown threats. Unfortunately, it appears that not all agencies learned from last year’s public outcry and earlier this week the US Government shutdown ended up turning off the lights on some US Government websites. How can it be in 2018, with the web such an important way of interacting with government agencies, that entire agency websites could simply vanish at the metaphorical stroke of midnight?
During this past weekend’s US Government shutdown, the EPA open data portal was spared, as was the USDA website, which simply added a brief message about the site not updating during the shutdown, in contrast to the 2013 shutdown, when they just removed their entire site. The data.gov portal largely shut down, though it made an archive of its metadata available via BitTorrent.
The National Science Foundation’s (NSF) website was a different matter. As with the EPA scare last year, I was first alerted to the disappearing site when I started receiving messages from colleagues looking for datasets, critical PDF documents, forms, references and other data from the now-vanished National Science Foundation website. Visitors to the NSF website were greeted with a homage to the simpler days of the web: a text-only one-page HTML homepage generated in Microsoft Word.
In contrast, the website of the National Endowment for the Humanities (NEH) remained completely open with the only modification being the addition of a small link to the agency’s shutdown plan. Unlike NSF, NEH’s shutdown directive provides that “public NEH websites such as http://www.neh.gov and edsitement.neh.gov will remain up, but will not be updated.” This is what one might expect from a government agency in 2018: websites simply freeze in time until the government resumes, but whatever was there prior to the shutdown remains accessible.
Similarly, websites for NIH, NASA, USGS, DOE and countless other agencies remained active.
When reached for comment, an NSF spokesperson responded that the agency had shut down its website in 2013 as well and that “The OMB memorandum [OMB-M-18-05] provides further guidance on continuity or suspension of IT operations for an agency, stating that continued access to agency websites does not warrant the retention of personnel or obligation of funds. Consistent with OMB guidance, NSF evaluated the potential operational impact and cyber security risks of maintaining agency websites, and decided it would be most prudent to suspend website operations.”
It is remarkable that NSF cited cyber security risk as a reason for shuttering its website during the shutdown. Given that many other agencies left their websites operating, does this mean they simply tolerated a higher risk of their sites being compromised? Or have they adopted a better cyber security posture that makes their sites more able to weather a shutdown without being hacked?
This also raises the question of what happens to US Government computing systems during a shutdown if they come under cyber-attack, and whether website defacement and computer breaches would be detected and/or remediable during a shutdown. If NSF felt it would be unable to adequately detect or respond to a cybersecurity breach of its website during a shutdown, does this mean that the US Government needs to develop a special cybersecurity policy to assist agencies during shutdowns?
Despite apparently feeling that the cybersecurity risks of leaving its website online during the shutdown were severe enough to warrant its deactivation, the agency did not suspend its social media accounts. When asked why it felt those accounts were not at risk from being taken over during the shutdown, the agency did not respond other than to confirm that it left its social accounts online, but did not update them.
The agency also did not respond beyond its statement above as to why it believed that it could not safely leave its website online, even while many of its peer agencies did so. When asked how “NSF determined that ‘cybersecurity risks’ warranted the deactivation of its website, while its peer agencies continued to operate their sites as normal” and whether “NSF has comment on whether its web infrastructure is notably different from its peers and thus at greater cybersecurity risk?” the agency responded “The OMB guidance stated that agencies should both evaluate potential operational impacts and cybersecurity risks of maintaining agency websites. Like in 2013, we decided it was most prudent to suspend website operations.”
Given that NEH felt so confident in the ability of its website to function unattended during the shutdown that it actually codified in its written shutdown policy that the site would continue to be available, it raises questions of why NSF believes its own website could not safely remain available. After all, if NSF believes its site is so vulnerable that it would be at risk during a shutdown, what does that say about its security posture and safety that it believes it cannot withstand even a few days on its own? NSF did appear to concede that it might learn from its peer agencies, saying “NSF is reviewing its plans and identifying ways where we can make changes while still complying with the law.”
While the agency itself would not comment on why it was unable to leave its website functioning, one clue might be a 2016 bulletin suggesting that the agency runs its own physical web server(s) on premises rather than outsourcing its website hosting to a commercial cloud. In contrast, the websites for NEH, NIH and NASA all continued without interruption, and all resolve to IP ranges in Amazon's AWS cloud, meaning they could rely on Amazon's infrastructure and security to keep running even in the absence of Government IT staff to monitor them (with the caveat that a cloud provider secures the underlying infrastructure, not the agency's own web application, which still needs patching and monitoring whoever hosts it). DOE's website, which resolves to an IP hosted by BlackMesh hosting services, similarly remained up. At the same time, however, data.gov, which was shut down, resolves to an AWS and CloudFront IP address, while the USGS website appears to resolve to a US Government IP range and yet remained up.
Thus, it is not as clear-cut as saying that government-run web servers went dark and cloud-hosted sites remained up. If the Department of the Interior (whose USGS site resolves to a government IP range) and NSF both indeed operate their own web servers, why was Interior able to configure those servers to keep functioning safely and securely during the shutdown, while NSF felt it could not keep its websites available without unacceptable operational and cybersecurity risk? Why did data.gov shut down even though it is hosted in the commercial cloud, while other sites hosted in the same cloud remained available? GSA did not respond to a request for comment as to why data.gov was disabled during the shutdown.
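The hosting attributions above rest on a simple check: resolve each site's hostname and see which published address range the answer falls in. The following is an added example written for this page, not code from the original article or from any agency. It parses a constructed sample in the shape of the file AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, adds hypothetical ranges for the other hosting categories the article mentions (the CIDRs are RFC 5737 documentation ranges, not real allocations, and the hostnames are placeholders), and classifies a constructed set of DNS answers offline; `resolve_live` shows how the same table would be applied to real resolver output.

```python
import ipaddress
import json
import socket
from typing import Dict, List, Optional, Tuple

# Constructed, cut-down sample in the shape of AWS's ip-ranges.json
# (a "prefixes" list whose entries carry "ip_prefix" and "service").
# The prefixes are RFC 5737 documentation ranges, NOT real AWS allocations.
SAMPLE_AWS_RANGES_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "service": "EC2"},
    ]
})

# Hypothetical CIDRs for the other hosting categories named in the article.
# Real attribution would use the provider's published ranges or WHOIS/RDAP data.
OTHER_PROVIDER_RANGES: Dict[str, List[str]] = {
    "BlackMesh (hypothetical range)": ["192.0.2.0/25"],
    "US Government (hypothetical range)": ["192.0.2.128/25"],
}

# Constructed DNS answers so the example runs offline: placeholder hostnames
# (RFC 2606 .example) mapped to documentation-range addresses.
SAMPLE_RESOLUTIONS: Dict[str, str] = {
    "neh.example": "198.51.100.7",
    "energy.example": "192.0.2.5",
    "data.example": "203.0.113.42",
    "usgs.example": "192.0.2.200",
    "nsf.example": "10.0.0.1",  # matches nothing in the tables above
}


def load_ranges(aws_json: str, others: Dict[str, List[str]]) -> List[Tuple[str, object]]:
    """Build a (label, network) list ordered most-specific prefix first."""
    ranges = []
    for entry in json.loads(aws_json)["prefixes"]:
        ranges.append((f"AWS/{entry['service']}", ipaddress.ip_network(entry["ip_prefix"])))
    for label, cidrs in others.items():
        for cidr in cidrs:
            ranges.append((label, ipaddress.ip_network(cidr)))
    # Longest prefix wins when ranges nest (AWS's real file lists a broad
    # AMAZON range over narrower EC2/CLOUDFRONT ones).
    ranges.sort(key=lambda item: item[1].prefixlen, reverse=True)
    return ranges


def classify_ip(ip: str, ranges: List[Tuple[str, object]]) -> Optional[str]:
    """Return the label of the most specific range containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for label, net in ranges:
        if addr.version == net.version and addr in net:
            return label
    return None


def classify_hosts(resolutions: Dict[str, str], ranges: List[Tuple[str, object]]) -> Dict[str, str]:
    """Map hostname -> hosting label, "unknown" when no range matches."""
    return {host: classify_ip(ip, ranges) or "unknown" for host, ip in resolutions.items()}


def resolve_live(hosts: List[str]) -> Dict[str, str]:
    """Resolve hostnames with the system resolver (needs network access).
    Only the first answer is kept; CDN-fronted sites return different
    addresses per query and per region, so repeat from several vantage points
    before drawing conclusions."""
    answers: Dict[str, str] = {}
    for host in hosts:
        info = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
        answers[host] = info[0][4][0]
    return answers


if __name__ == "__main__":
    table = load_ranges(SAMPLE_AWS_RANGES_JSON, OTHER_PROVIDER_RANGES)
    for host, label in classify_hosts(SAMPLE_RESOLUTIONS, table).items():
        print(f"{host:15} {SAMPLE_RESOLUTIONS[host]:15} {label}")
```

A CloudFront or government-range answer says where the front door is, not where the application lives: a site can resolve to a CDN and still be served from an on-premises origin, which is one reason the data.gov and USGS observations above do not line up neatly with "cloud stayed up, on-prem went dark".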
Clearly, agency decision making played a key role as to which agencies decided to leave their sites running and which made the decision to wipe their agency from the digital world with a single keystroke in an erasure that would make Orwell’s 1984 government proud.
Putting this all together, it is remarkable that in 2018 a government shutdown could result in entire agency websites and the open data portal of the United States going dark. Even more remarkable is that at least one agency responded that its website shutdown was due at least in part to cybersecurity concerns about running its site unattended, suggesting the US Government may need a unified cybersecurity policy to protect agencies during shutdowns. It is noteworthy that even the agencies that shuttered their websites appear to have left their social media accounts online, rather than suspending them as well out of fear that attackers could use social engineering or other approaches to take them over while they were unattended during the shutdown.
That the Government's outsourced communications platforms on Twitter, Facebook and elsewhere largely remained online even as some websites were turned off raises the question of whether the US Government should simply outsource the rest of its public digital presence to the firms that power the modern digital age. It appears that many federal agencies have already outsourced their web hosting, and that those cloud-hosted sites, from the White House (Akamai) to the Department of Energy (BlackMesh) to NEH, NIH and NASA (Amazon AWS), largely remained up during the shutdown, with the notable exception of data.gov.
In the end, many US Government agencies that shut down in 2013 seem to have learned their lessons and remained available this time, while others chose to wipe their agencies from the digital world in favor of 1990s-style one-page homepages written in Microsoft Word. The trend towards outsourcing Government hosting seems to have helped, with even those agencies shuttering their websites electing to keep their cloud-hosted social media accounts running. Perhaps as the last technology holdouts finally join the modern era and as Government moves the rest of its hosting infrastructure to the cloud, the US Government will no longer go digitally dark during the next shutdown.

DHS: More Fed Cyber Services Could Be Outsourced

Barry West, the Department of Homeland Security’s senior accountable official for risk management, believes that federal agencies may pursue outsourced cyber security services from contractors more frequently, due to the ongoing global shortage of and competition for cyber talent.

Government Could Shift to Security-as-a-Service, DHS’s West Says
Fedscoop | By Carten Cordell

With cyber talent in high demand, Barry West said Thursday that the government may soon lean more heavily on the private sector for cyber security help.

West, the Department of Homeland Security’s senior accountable official for risk management, said that an ongoing global shortage of cyber talent could soon push agencies to more frequently pursue outsourced cyber security services from contractors rather than try to compete with the private sector.

“When I look at a visionary view of cyber, I think this is really where we are headed,” he said at ATARC’s Federal CISO Summit. “This would have been far-fetched probably five years ago, saying you were going to have a private sector company perform your security.”

West pointed to research from Gartner that predicted that there would be a global cyber shortfall of 1.8 million by 2022 — with the federal government struggling to compete with the private sector for talent, it may be more beneficial for agencies to contract for it, he said.

“This isn’t to say that there’s not going to be government oversight; there’s still not going to be a [chief information security officer] in charge,” he said, “but I really think we are headed for a model where we are going to see security-as-a-service and you are going to see [security operations center, or SOCs] as a service.”

West added that DHS is already in talks to consolidate 12 to 13 “disparate SOCs” — which help monitor cyber security posture from across the agency’s networks — saying that it is a key priority for Secretary of Homeland Security Kirstjen Nielsen.

“She really wants to see that happen,” he said. “It really shows when you have a major incident — when we had the WannaCry incident last year, it became real clear some of the disorganization we had around reporting.”

Consolidation would precede SOC-as-a-service, West said, with DHS beginning to merge SOC operations in the National Capital Region.

“I think it’s the way we’re headed. I think you will hear more of the SOC consolidation at DHS next year. That’s going to be a big focus for us,” he said.

After that, West said, DHS would likely craft some prototypes to test the SOC-as-a-service model over the next three to four years.

“I think we have to start thinking about it now and planning, but I think it’s the way of the future,” he said.