Soon after our informative November conversation with Tom Afferton, president of the cyber mission sector at Peraton, the Department of the Treasury experienced a swift blow to its security apparatus. According to Reuters, on Dec. 8, Cybersecurity and Infrastructure Security Agency partner BeyondTrust, a cybersecurity provider, reported that its systems had been compromised. What is now believed to be a state-sponsored Chinese hacking group obtained “a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” per the Treasury Department.
“With access to the stolen key,” the department continued, “the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
Afferton, who is deeply involved in protecting federal information and equipment, had immediate reactions to the hack and thoughts on how agencies can better prepare for such attempts in the future.
ExecutiveBiz: Did the Treasury hack come as a surprise and what does it tell you about the progress (or lack thereof) that the federal government has made in its cybersecurity practices?
Tom Afferton: It is not surprising that the Treasury Department was a target, as the attack focused on the part of Treasury that executes economic sanctions against our adversaries. Likewise, the method of attack appears to be in line with recent attack vectors by nation state actors, focusing on the supply chain and compromising security credentials. However, the speed with which the incident was attributed to the People’s Republic of China was impressive and a reflection of the government’s coordination across all agencies and industry—in this case the Treasury, the Cybersecurity and Infrastructure Security Agency, FBI and the U.S. intelligence community—to respond to these incidents.
EBiz: How might AI have been implemented to prevent the Treasury incursion?
Afferton: Without knowing what tools were in place, it’s difficult to say whether AI could or could not have helped. What we do know is that AI is an enormously helpful tool to quickly make sense out of threat intelligence and malware data that is often distributed in a variety of formats, like manually generated reports and scraped webpages. Speed is the key, and AI can allow us to act quickly to either limit exposure and/or remove the threat and then begin remediation activities. At Peraton, we’re currently piloting this capability with a government agency, which could help analysts spot anomalous behavior ahead of a complete compromise in the future.
EBiz: How should Treasury and other federal agencies move forward?
Afferton: You can’t prevent a threat if you don’t strengthen your vulnerability points. Agencies need to continue prioritizing and implementing zero trust architectures and multi-factor authentication and understanding their supply chains with tools like software bills of materials. You also can’t defend against what you can’t see. Agencies need to collaborate with CISA to take advantage of its endpoint detection and response tools and provide persistent access to the data from those tools. There is a new executive order on the horizon to potentially make that persistent access mandatory. Monitoring and data access are critical.
EBiz: What do you anticipate is on the horizon for the federal government’s cyber protections? Moreover, if nothing changes, what will happen?
Afferton: I am hopeful that cybersecurity will grow as a priority, especially collaboration across government and with industry. We can’t afford the risks of inaction, especially in the face of nation-state adversaries. We must continue to respond in a whole-of-nation manner, which means “naming and shaming” when we can attribute actions to specific actors, both to apply global diplomatic pressure and to accelerate threat-intel-sharing across government, industry and our allies. Peraton is proud to be part of these efforts across the Department of Defense, IC and civilian agencies.
One example I’m especially proud of is the recent recognition some of our staff received for efforts that supported major global cyber operations, helping to bring cyber criminals to justice and combat mis/dis/mal-information. If there is any lesson learned from this, it is that we must all remain vigilant.