DHS prioritizes restart of election security programs post-shutdown

(CNN) Since the shutdown ended, the Department of Homeland Security has prioritized the resumption of its election security programs, some of which were forced to go on hiatus during the lapse in government funding, according to Cybersecurity and Infrastructure Security Agency Director Chris Krebs.

"Coming out of the shutdown, anything that had paused on election security-related activities was put on the top of the priority list for restart," he said.
Krebs told CNN that if there was an active threat during the shutdown, the department was able to respond by conducting assessments and hunting down the threat.
"What paused was the more routine vulnerability assessments," he said. Those included a "couple of the election security-related" assessments run by the department, specifically focused on state networks.
During the shutdown, the agency said in a statement that it had "ceased a variety of critical cybersecurity and infrastructure protection capabilities," but no specific details were provided.
Despite fear among cyber experts that the shutdown was a ripe time to target the government's networks, Krebs said he wasn't aware of an uptick of attacks directed at the federal system.
"I don't believe we detected any appreciable uptick," he said.
Amid the shutdown, the Cybersecurity and Infrastructure Security Agency issued an emergency directive on Jan. 22 for federal agencies to take immediate steps to protect themselves from ongoing "hijacking and tampering" cybersecurity incidents aimed at Domain Name System records for domains such as those ending in ".gov" and ".com."
According to Krebs, although there were a "couple outliers," the bulk of federal agencies have been able to comply with the department's first-ever emergency directive.
"Across the board ... we've been satisfied with the response, in responding and implementing the measures," said Krebs.
One of the outliers was an agency that outsourced some of its web services; it turned out that the contractor doesn't have the ability to implement multi-factor authentication, a requirement of the directive.
"We are working with them on their future road map plans for shifting the service," said Krebs.
The directive also required agencies to update passwords and monitor logs within 10 business days.
The deadline to comply was this week.
"(W)hether it's a .gov -- there are limited cases of .coms and .orgs across the federal government -- it's the agency's responsibility to ensure that those domains are appropriately protected," said Krebs.
The Cybersecurity and Infrastructure Security Agency, overseen by DHS, is the lead agency tasked with protecting the networks of more than 98 civilian federal agencies, from the very large to the tiny.
Krebs said there was a "sense of urgency that we needed to act" on the directive given the shutdown, but the timing of the attacks wasn't related to the lapse in government funding.
If the timing was related to anything, the attacker may have taken advantage of the holiday season, said Krebs.
"It's almost as if the actor took advantage of the holiday period between Christmas and New Year's, when folks were all on holiday or on vacation leave and maybe weren't looking at things as closely," he said.
Although the majority of the impact was overseas, "there were a number of agencies that were affected," said Krebs.
The Cybersecurity and Infrastructure Security Agency says it doesn't disclose additional details on the impacted agencies because of confidentiality requirements.
The private cybersecurity company FireEye previously reported that it had found evidence suggesting these attacks were being carried out in support of the Iranian government.
"We continue to see evidence suggesting that operators are operating out of Iran, and going after targets that would be of interest to a government," said Benjamin Read, FireEye's senior manager of cyber espionage analysis, when the alert was issued.
Krebs said his agency doesn't have enough independent information at this point to make that attribution, but he said the issue is "ongoing, it's still happening today, that's why we are continuing to work with agencies that need help in the implementation."
Krebs said this type of domain name attack is not particularly sophisticated or innovative, but it's also something that agencies and organizations typically don't monitor for.
"We had a big blind spot, and we knew there were a series of steps we could take to harden and secure the agencies," he said.