The bigger the organization, the slower it adapts to changes and challenges, and no organization is bigger than the U.S. government. So, when I hear news of the DHS or the FDIC being hacked through careless or vindictive employees, or that the White House Chief of Staff, John Kelly, had his smartphone compromised for months before anyone noticed, I am no longer surprised.
The DHS was purportedly compromised when hackers used Kaspersky antivirus to steal top secret documents from an employee’s home computer, a computer on which he should never have been handling such documents. We have no information on whether that computer was an endpoint on the DHS network, but if it was, the DHS network could easily have been penetrated from it.
Kelly’s smartphone was compromised last December, which could go a long way towards explaining why leaks were emanating from the White House. If Kelly’s phone was indeed under an attacker’s control, it could have been used to record meetings, take photos, read email, and listen in on phone calls, among other things.
According to one source, “It’s not known which brand and model of phone is involved, but Kelly is seen using an iPhone in a number of photos, including the AP shot by Susan Walsh above.” There is a mistaken belief that iPhones are safe from attacks that employ remote access trojans (malware that gives an attacker full remote control of a device). There is a reason the government prefers Android phones, but it is a policy reason rather than a security one: Apple denied the U.S. government access to the details of its operating system, while Google agreed to work with them on Android. Both platforms have been hacked and both continue to offer bad actors entry points through which government networks can be penetrated.
Adding to the bad news for government agencies is a new report from the Office of Inspector General that the FDIC had been hacked 54 times between 2015 and 2017 and that the personal information of over 113,000 individuals was stolen. This information included “names, telephone numbers, home addresses, social security numbers, driver’s license numbers, dates and places of birth, credit reports, education and employment histories, and the results of background checks”. Worse, it took the FDIC an average of 9 months to inform those affected, if they were informed at all. According to a report on the incident by ZDNet, “at least seven of the incidents occurred when outgoing FDIC employees left the agency with downloaded files of personally identifiable information, including Social Security numbers and loan and banking information of US citizens.” Ugh.
There is a common weak point underpinning all of these attacks: rogue or careless employees. Some were knowingly or unknowingly undermining established security policies, while others were deliberately leveraging their insider position for personal or political gain. Some have yet to be discovered but, without a doubt, they are out there.
Worse yet, even those who should know better have been hacked. You would think that the heads of major government agencies would be warier of being attacked than anyone else, since they hold the keys to the most sensitive information, but this simply does not seem to be true. Kelly is not alone in his careless, security-naive behavior. Other major government leaders to be hacked include
Director of National Intelligence James Clapper
CIA Director John Brennan
Homeland Security Secretary Jeh Johnson
Former Secretaries of State Colin Powell and Hillary Clinton.
and let’s not forget all of the members of the DNC.
What this means is that government agencies will always be trapped between two unavoidable facts. First, there will always be rogue employees no matter what regulations are put in place. Some are wittingly malicious, like the leaker Reality Winner, and some are unwitting victims, like John Kelly. Second, every personal device and every agency endpoint can be hacked by a sufficiently skilled attacker. IT teams are then faced with a seemingly unresolvable dilemma, one that understandably makes many IT staffers want to give in to despair.
The problem is that, no matter what the breach, government agencies respond with the same counter-strategies, which usually amount to more regulations on employee behavior, more device management, and more layers of security software. These all work for a while, but they are all destined to fail over time. There is, however, another way to look at this problem which may hold a solution.
Let’s make a wild, yet valid, assumption. Let’s just assume that employees will not follow all regulations to the letter. Let us also assume that all devices will be hacked. In fact, let’s not worry about either at all. Let employees be imperfect and hackers be, well…hackers. But let’s put one caveat into the mix. Suppose we design a device’s architecture so that it runs two separate operating systems that cannot directly communicate with each other. That’s right: two separate operating systems on the same device. This has to be accomplished through hardware separation, not through the pseudo-separation found in the many varieties of sandbox, because a sandbox is a software boundary drawn on top of a shared kernel and shared hardware, and a single kernel or hypervisor escape crosses it. Sandbox escapes are well documented.
With true hardware separation, employees can do whatever they want on one side of a device but, if they want to work on sensitive material that may be connected to a government or corporate network, they must work on the other side of the same device. Here is such a technology as developed by InZero Systems. Notice that each side has its own kernel running on its own hardware resources, rather than two guests sharing one kernel or one hypervisor. In other words, it is true hardware separation.
Since malware is software, it must use the software resources available on a device to begin an attack. If the hardware barrier is well constructed, malware that lands on one side cannot cross into the other operating system on the device; it may not even be able to detect that the device has another operating system. Here is what could happen if the normal user side of such a device were attacked. (Of course, most users would want to run good security on the open side of the device as well, but attacks can always happen.)
The extent to which the work side of the device is exposed to attack depends on what network policies are instituted. The work side could be shut off completely, with no internet access, or it could be allowed to reach only an allowlist of trusted sites. The WorkPlay Technology shown above includes a hardware-connected virtual machine on the work side, intended to keep even sophisticated malware from communicating with its command-and-control (C&C) servers, the channel on which every remotely controlled attack depends. The practical check is whether the work side’s only routes to the outside world are the ones policy explicitly allows; a default-deny egress rule with a short allowlist is what makes that enforceable and auditable.
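The two work-side policies described above (no network at all, or access to trusted sites only) can both be expressed as a default-deny egress allowlist. The following is an added example, not InZero or WorkPlay code: it models such a policy, renders it as an nftables ruleset, and simulates a handful of constructed outbound connection attempts against it, including a C&C beacon, to show which ones the work side would drop. The host names, addresses, ports and sample connections are all invented for the illustration.

```python
"""Default-deny egress allowlist for the "work side" of a split device.

Added example, not code from the original page or from InZero Systems.
Networks, ports and the sample connection attempts below are constructed.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One permitted outbound flow: destination network, protocol, port."""
    network: ipaddress.IPv4Network
    proto: str
    port: int
    comment: str = ""


@dataclass
class EgressPolicy:
    """Everything not listed in `rules` is dropped.

    An empty rule list models the fully closed work side (no internet).
    """
    rules: list = field(default_factory=list)

    def allow(self, cidr, proto, port, comment=""):
        self.rules.append(Rule(ipaddress.ip_network(cidr), proto, port, comment))
        return self

    def permits(self, dst_ip, proto, port):
        """Evaluate one outbound attempt. Anything not explicitly allowed is
        refused, which is what starves malware of its C&C channel."""
        dst = ipaddress.ip_address(dst_ip)
        return any(dst in r.network and r.proto == proto and r.port == port
                   for r in self.rules)

    def to_nftables(self):
        """Render the policy as an nftables script: drop by default, accept
        replies to flows the work side opened, then the allowlist, then log
        and drop everything else."""
        lines = [
            "table inet work_egress {",
            "  chain output {",
            "    type filter hook output priority 0; policy drop;",
            "    oif lo accept",
            "    ct state established,related accept",
        ]
        for r in self.rules:
            suffix = f"  # {r.comment}" if r.comment else ""
            lines.append(f"    ip daddr {r.network} {r.proto} dport {r.port} accept{suffix}")
        lines += [
            '    log prefix "work-egress-drop: " drop',
            "  }",
            "}",
        ]
        return "\n".join(lines)


# Constructed allowlist: the agency resolver and two "trusted sites".
TRUSTED = (EgressPolicy()
           .allow("10.0.0.53/32", "udp", 53, "agency resolver only")
           .allow("10.0.10.0/24", "tcp", 443, "internal document portal")
           .allow("203.0.113.10/32", "tcp", 443, "approved external service"))

# No rules at all: the work side is shut off from the network entirely.
CLOSED = EgressPolicy()

# Constructed attempts, as a compromised work side might make them.
ATTEMPTS = [
    ("10.0.10.7", "tcp", 443, "open a document on the portal"),
    ("10.0.0.53", "udp", 53, "resolve the portal hostname"),
    ("198.51.100.23", "tcp", 443, "C&C beacon to attacker host"),
    ("8.8.8.8", "udp", 53, "DNS to a public resolver (tunnel or leak)"),
    ("203.0.113.10", "tcp", 80, "plaintext HTTP to a trusted host (wrong port)"),
]


def simulate(policy, attempts=ATTEMPTS):
    """Map each attempt's description to True (allowed) or False (dropped)."""
    return {desc: policy.permits(ip, proto, port) for ip, proto, port, desc in attempts}


if __name__ == "__main__":
    print(TRUSTED.to_nftables())
    for desc, ok in simulate(TRUSTED).items():
        print(f"{'ALLOW' if ok else 'DROP':5} {desc}")
```

The simulation is the point: under the allowlist the beacon to the attacker’s host, the DNS request to a public resolver and the plaintext HTTP request are all dropped, while the two legitimate flows go through; under the closed policy nothing leaves at all. A real deployment would also have to keep the allowlist current as trusted sites change addresses, which is why such lists are usually enforced through a forward proxy on the work side rather than bare IP rules.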
The responses to breaches of government agencies have always followed a predictable pattern. Maybe it’s time for the government to seek solutions that are more unconventional, less predictable, and more up to date. After all, what have they got to lose that they haven’t already lost?