A recent Commerce Department watchdog report has revealed critical deficiencies in the Bureau of Industry and Security’s (BIS) ability to detect and respond to sophisticated cyberattacks, which the report says places national security at risk.

The June 11 report from the Department of Commerce’s Office of Inspector General (OIG) found that BIS was unable to detect and respond to the OIG’s simulated malicious cyber activities.

“BIS could not detect our attacks until we intentionally acted to trigger alerts,” the report says. “Once BIS was alerted, its response was not effective at containing the potential damage and eradicating our access to its networks.”

To test BIS’s cyber defenses, investigators employed the MITRE Corporation’s Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) framework – a toolset that mimics the behavior of real-world threat actors.

Operating under the assumption that malicious actors had already breached BIS systems or were acting from within as insider threats, the evaluation team simulated a series of advanced attacks. These included the exfiltration of fictitious personally identifiable information and business identifiable information, the establishment of persistent backdoor access, unauthorized changes to BIS computers, lateral movement across networks, and attempts to guess BIS user passwords.

“We found that BIS did not effectively detect and respond to our simulated malicious activities,” the report says.

The OIG also said that its testing revealed additional information security vulnerabilities. Specifically, the OIG said that BIS lacked effective detection and response capabilities to handle the simulated attacks, misconfigured critical security controls for its export control networks, and mishandled classified and other privileged credentials.

“If BIS does not improve its current capabilities, advanced adversaries could significantly harm sensitive U.S. export control efforts, which in turn affects national security,” the report says. “Whether the threat comes from external actors or insiders, BIS must be ready to handle future attacks.”

The OIG made 13 recommendations to BIS to increase endpoint and network protection, proactively seek and mitigate threats, establish procedures to respond to incidents, restrict network and user access, and improve the security of network credentials. BIS concurred with all of the recommendations.

About
Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.