The Federal Election Commission was hit by a massive cyberattack hours after the government shutdown began, according to a report from the Center for Public Integrity. The CPI report claimed the Chinese were behind “the worst act of sabotage” in the agency’s 38-year history.
Three government officials involved in the investigation confirmed the attack to CPI, and the FEC acknowledged the incident in a statement. However, the CPI report did not explain why the officials believed China was involved, or provide any details of the network intrusion beyond the fact that attackers crashed several FEC computer systems. When asked for a statement, the FEC referred Security Watch to the Department of Homeland Security and did not provide any information.
An attack during the 16-day shutdown should not be a big surprise, since many security experts had warned that attackers might take advantage of IT personnel being furloughed to launch an attack. With fewer people watching the networks, attackers had plenty of opportunity. In fact, the FEC had furloughed all 339 agency employees, as none of its staff had been considered “necessary to the prevention of imminent threats” to federal property, according to CPI.
Hindsight is 20/20, but the attack happened almost a year after an independent auditor had warned the FEC that its IT infrastructure was at “high risk” for attack. The auditor pointed out that while the FEC had some policies in place, they were not sufficient and immediate action was required to reduce the risks. The FEC disagreed with the majority of the auditor’s recommendations, arguing its systems were secure.
“The FEC’s information and information systems are at high risk because of the decision made by FEC officials not to adopt all minimum security requirements that the Federal government has adopted,” auditors from Leon Snead & Company wrote in November 2012.
Issues included passwords that never expired, had not been changed since 2007, or had never been used to log in. Disabled accounts remained in Active Directory, and laptops issued to contractors used the same “easily guessed” password, according to the report. Even though the FEC required two-factor authentication on its computer systems, the audit identified 150 computers that could be used to remotely connect to FEC systems and did not have the additional protection enabled. Auditors also flagged poor patching processes and outdated software.
“The controls in place reflect the appropriate level of security and acceptable risk to support the mission and safeguard the data of the agency,” the agency said in its response to the audit.
It’s not clear whether the attackers took advantage of the poor passwords or any of the other issues flagged in the report during the October attack. Considering the agency had dismissed the criticisms in the audit report, it is likely many of the issues remained unresolved as of October.