Despite the growing importance of cybersecurity to law enforcement, many agencies were left vulnerable to attack due to a weakness known as Heartbleed. This vulnerability was found in software used to secure a variety of websites and online applications. After the bug was disclosed, government agencies scrambled to plug the leak, just like everyone else.
Heartbleed impacts everyone
The Heartbleed bug is not a virus; rather, it is a weakness found in OpenSSL, open source cryptographic software. With the right know-how, anyone on the Internet can access private, protected information, leaving civilians, companies and even federal agencies at risk of attack. Heartbleed is a threat that should be taken seriously by all Internet users and system administrators, as the potential to exploit this fault was present for two years without detection and may already have impacted the security of critical information.
“Imagine if we found out all at once that all the doors everybody uses are all vulnerable—they can all get broken into,” Jason Healey, a cybersecurity scholar, told The Washington Post. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”
The government claims it had no advance notice of Heartbleed. Because they also rely on OpenSSL, federal websites were not exempt from the cyber threat. HealthCare.gov was affected, forcing users to change passwords after the server was fixed, and the Department of Homeland Security investigated possible exploitation of the U.S. power grid. Most federal organizations were able to alert users after the fact, but the next steps should focus on anticipating critical software problems and fostering cooperation with tech companies.
Government must participate in open source initiatives
OpenSSL was created to improve security by freely distributing software and cryptography libraries. The 16-year-old open source project is used by two-thirds of all Web servers. About a half million of those computers were considered vulnerable to attack when Heartbleed was announced. Only four people, working with a budget of less than $1 million, comprised the team tasked with monitoring the system.
When technology is dependent on “many eyeballs” to keep it running, small teams and budgets are quickly taxed. The government could invest in under-resourced open source projects as a way to improve their cybersecurity, and thus prevent widespread distribution of security holes. Had there been more resources available to OpenSSL for security reviews, the Heartbleed bug might have been squashed immediately.
The technology community is already prioritizing the need for open source resources. The Linux Foundation launched a Core Infrastructure Initiative to provide oversight for open source code through additional funding and staffing. The government has an opportunity to work with this group—including Google, Dell, Facebook and Microsoft—to construct new processes that value security detection and prevention. They will need to be sensitive, however, to the existing culture and not over-regulate a system that rewards rapid innovation.
Learn to plan for cyber disasters
Because they disrupt and threaten the well-being of many citizens, cybersecurity breaches were compared by Scientific American to natural disasters. When tornadoes or hurricanes strike, well-trained first responders mobilize in sufficient numbers to make a difference. With Heartbleed, the government was not prepared to offer leadership in how to address the problem or mitigate its potential impact. The same end-to-end preparation applies to improving emergency response in cyberspace as it does in the physical world.
The majority of cybersecurity incidents within the public sector can be traced back to employee actions. If personnel are better equipped to recognize and fix these threats, they can avoid the potential problems. Agencies could leverage their collaborative discussions with technology partners to promote security best practices when training their workforce. Practicing response skills with simulated computer breaches would foster awareness of real-world communication and technical coordination needs.
Monitoring internal network activity for new exploitative attempts and expanding knowledge of where security systems are used on servers throughout the world can generate information that could quicken response to a breach. Additionally, by evaluating existing case studies of past cyber attacks, first responders can learn to identify and overcome shortcomings, helping continue the cycle of preparedness before the next cyber threat surfaces.
Just as with natural disasters, a swift, efficient response to network vulnerabilities will limit potential damage. A coordinated security team dedicated to protecting companies, agencies and civilians could become a valuable line of defense against cyber threats like Heartbleed.
News brought to you by Envisage Technologies, building software for law enforcement, public safety and the military. Ready. By Design.