By SecureWorld News Team
Fri | Jan 25, 2019 | 9:28 AM PST

The cybersecurity emergency directive came in the middle of the longest government shutdown in U.S. history.

And it came from a brand new agency within DHS where many workers are furloughed, the Cybersecurity and Infrastructure Security Agency (CISA).

It announced, quite suddenly, that attackers were hijacking government agencies' web traffic and even their email, then routing that traffic on to its legitimate destination.

While the CISA cybersecurity alert about the DNS Infrastructure Tampering Attack outlined ways to mitigate the risk, it also raised questions and led some in Congress to call for more information about what exactly prompted the alert.

Now, Christopher Krebs, Director of CISA, has written a blog post that answers the call for more information and comes across as both personal and authentic.

Here are significant excerpts:

  • While we continue to assess the impact on Federal infrastructure, we know enough to be concerned.
  • We know an active attacker is targeting government organizations.
  • Using techniques that aren’t especially innovative, we know they can intercept and manipulate legitimate traffic, make services unavailable or cause delay, harvest information like credentials or emails, or cause a range of other malicious activities.
  • We know that this type of attack isn’t something many organizations monitor for or have tight controls around.

This is roughly equivalent to someone lying to the post office about your address, checking your mail, and then hand delivering it to your mailbox. Lots of harmful things could be done to you (or the senders) depending on the content of that mail.

Because it’s our responsibility to take actions to protect Federal systems, we felt an urgent response was required to address the risk.

In several cases, the actions we’ve crafted are basic good practices anyway, and many agencies may have already taken the necessary mitigation steps. Monitoring Certificate Transparency, which is a recent contribution from the internet security community, may be new for some agencies. CISA is committed to using modern security tools and techniques to assist the nation’s defenders.

While the Emergency Directive only applies to Federal civilian executive branch agencies that are not part of the Intelligence Community, the Directive includes common sense guidance and mitigation steps any organization can take to prevent DNS infrastructure tampering. We encourage anyone with questions to reach out.
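Two of the mitigations the excerpts mention, checking that DNS records still say what the agency intends and watching Certificate Transparency for certificates nobody authorized, can be turned into routine checks. The script below is an added illustration and is not code from the article, from CISA, or from the directive; every domain, IP address, issuer name and the layout of the record and CT-entry data are constructed assumptions, standing in for what a zone audit or a CT monitoring feed would actually return.

```python
"""
Added example (not part of the SecureWorld article or CISA's directive):
two defender-side checks for the DNS-tampering risk described above.

1. audit_dns_records(): compare the DNS answers an agency observes against
   an approved baseline, the postal-customer equivalent of checking that the
   address on file is still yours before trusting what lands in the mailbox.
2. audit_ct_entries(): scan Certificate Transparency entries for the agency's
   zones and flag certificates issued by a CA the agency never approved.

All records, CT entries, issuers and domains are constructed sample data;
the tuple/dict layouts are assumptions, not a real tool's output format.
"""
from dataclasses import dataclass

# Approved baseline: (owner name, record type) -> set of expected values.
# Constructed values, not real agency infrastructure.
BASELINE = {
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("www.agency.example", "A"): {"203.0.113.10"},
    ("agency.example", "MX"): {"10 mail.agency.example."},
}

# Observed answers, as a zone audit might collect them from each authoritative
# server. Constructed sample: the A and MX records have been redirected.
OBSERVED = [
    ("agency.example", "NS", "ns1.agency.example."),
    ("agency.example", "NS", "ns2.agency.example."),
    ("www.agency.example", "A", "198.51.100.77"),
    ("agency.example", "MX", "10 mx.not-ours.example."),
]

# Constructed CT entries in a simplified form; a real monitor would pull these
# from a CT log or a log search service.
CT_ENTRIES = [
    {"domain": "www.agency.example", "issuer": "Agency Approved CA", "logged_at": "2019-01-10"},
    {"domain": "mail.agency.example", "issuer": "Some Other Public CA", "logged_at": "2019-01-20"},
    {"domain": "www.unrelated.example", "issuer": "Some Other Public CA", "logged_at": "2019-01-21"},
]
APPROVED_ISSUERS = {"Agency Approved CA"}
MONITORED_ZONES = {"agency.example"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "unexpected": value seen but not approved; "missing": approved but not seen
    name: str
    rtype: str
    value: str


def audit_dns_records(baseline, observed):
    """Return a Finding for every observed value absent from the baseline and
    for every baseline value that was never observed (a legitimate nameserver
    or mail exchanger quietly dropped is as telling as one that was added)."""
    findings = []
    seen = {}
    for name, rtype, value in observed:
        seen.setdefault((name, rtype), set()).add(value)
        if value not in baseline.get((name, rtype), set()):
            findings.append(Finding("unexpected", name, rtype, value))
    for (name, rtype), expected in baseline.items():
        for value in sorted(expected - seen.get((name, rtype), set())):
            findings.append(Finding("missing", name, rtype, value))
    return findings


def in_monitored_zone(domain, zones):
    """True if domain is one of the monitored zones or a name beneath one."""
    return any(domain == z or domain.endswith("." + z) for z in zones)


def audit_ct_entries(entries, zones, approved_issuers):
    """Return CT entries for names in the monitored zones whose issuer is not on
    the approved list. A certificate for an agency name from a CA the agency
    never used is a strong sign that someone else controlled that name."""
    return [e for e in entries
            if in_monitored_zone(e["domain"], zones)
            and e["issuer"] not in approved_issuers]


if __name__ == "__main__":
    for f in audit_dns_records(BASELINE, OBSERVED):
        print(f"DNS {f.kind:10} {f.name} {f.rtype} {f.value}")
    for e in audit_ct_entries(CT_ENTRIES, MONITORED_ZONES, APPROVED_ISSUERS):
        print(f"CT  unapproved issuer {e['issuer']!r} for {e['domain']} ({e['logged_at']})")
```

Run against the constructed data, the DNS audit reports the redirected A and MX values as unexpected and the approved values as missing, while the NS records pass; the CT audit flags only the mail.agency.example certificate, ignoring the unrelated domain. In practice the baseline would live in version control and the observed set would be gathered from each authoritative server on a schedule, so that a change anywhere in the chain shows up as a diff rather than as a surprise.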

He closed his CISA blog post with another sign that all the talk about government and private sector collaboration in cybersecurity is increasingly turning into action:

"We also recognize we don’t have all the answers, and we welcome feedback and collaboration. Thanks to our private sector partners that alerted us to this issue and brought us along with you. Working together as a team in a Collective Defense model, we can shift the advantage back to the defender and make the internet a safer place for everyone."
