ITA Must Do Better at Safeguarding its Cloud-Based Systems

The International Trade Administration (ITA) under the Department of Commerce is responsible for providing expertise and advocating for U.S. firms and enforcing U.S. trade laws and action against foreign government imposed trade barriers. It must be unlikely a nation-state would pose a threat to ITA systems, right? Probably not. Yet, the Commerce Inspector General (IG) found several substantial weaknesses within the agency’s process of authorizing systems into operations and maintaining and protecting cloud-based systems. Specifically, the IG reported that:

ITA lacks process in system security categorization 

Security categorization is defined as labeling the impact level of a system to an organization as high, moderate or low in case of an information breach. As such, those systems with higher impact levels must have stricter security controls. In order to categorize a system’s impact level, the type of information that is processed, stored and transmitted must be identified. The IG found that ITA both failed in implementing a process of identification and categorization of information in its systems and the authorizing official for the categorization did not carefully review and approve categorization documents. This results in systems being either over protected and wasting resources or worse, under protected placing the system at a risk for the U.S. economy.

ITA did not sufficiently secure its cloud infrastructure

The IG reviewed 10 ITA cloud-based systems, 9 of which used Amazon Web Services (AWS) infrastructure as a service (IaaS). A description of each system is provided in Appendix B of the report. While AWS provides the resources for its customer’s infrastructure configuration, the ITA was found noncompliant with department requirements in user access controls and password regulations. Moreover, ITA granted unrestricted network connections for a remote console service running on two of its virtual servers hosted by cloud network services. The unrestricted remote connection could have potentially allowed for an attack on those servers from any network or even allowed an attacker to control the servers remotely had the console service been breached. Further, ITA stores its backup data in the cloud using Amazon Simple Storage Service (S3). However, the IG found that ITA has provided anyone access to upload or delete data to several of the S3 buckets the agency uses. Since the ITA depends on AWS to back up data for all of its systems hosted on the cloud, this lack of access permission questions the integrity and availability of ITA’s back up data. Additionally, the lack of controls could lead to the agency unable to recover its operations in case of a data loss.

ITA failed to implement key security controls for its systems

To conduct its audit, the IG reviewed and tested security controls in 10 cloud-based systems supported by 198 virtual servers. Eight of those systems are application systems and two are infrastructure systems. What the IG found from its inspection is fearsome. ITA failed to conduct vulnerability scanning for 29 of its 198 virtual servers. Of those, 19 of the servers were not communicated properly to be added to the scanning target list, five were being prepared for removal and the other five could not be located by ITA staff. The IG also conducted database scans and identified high-risk vulnerabilities that were not discovered by the agency’s own web application scanning tools! To add icing on the cake, the IG also found that ITA could not remediate vulnerabilities in a timely manner; it found that 102 servers had a total of 513 critical vulnerabilities that were not patched and remediated for over 150 days when standards require a maximum of 60 days. In response, the ITA explained that it did not have the technical capability to test patches prior to deploying on virtual servers.

The IG provided nine recommendations to the Under Secretary for International Trade to direct the ITA Chief Information Officer (CIO) to implement:

1. Follow the NIST RMF to revalidate all the security categorizations for ITA systems.
2. Establish a reporting mechanism to ensure that ITA’s authorizing official correctly reviews and approves ITA’s security categorization process.
3. Ensure security controls are appropriately assessed and supported by sufficient evidence.
4. Periodically review the configuration of ITA cloud-based infrastructure to ensure that the configuration adheres to Department policies and encourage implementing industry best practices.
5. Establish a process to ensure effective coordination between the security and operation teams.
6. Use existing vulnerability scanning tools to include periodic database scans, and evaluate the use of additional web application scanning tools available through the Department Continuous Diagnostic and Mitigation (CDM) program.
7. Enhance ITA patching process by reconciling management differences, following patching time frames and testing patches prior to deployment.
8. Document and maintain a list of authorized ports for each ITA system and disable all unauthorized ports.
9. Establish contingency plans for each ITA system according to Department policy.

While many of the issues found in the report were due to management weakness in streamlining process and communication, lack of resources played a role in the weaknesses found. As such, investment in both IT enterprise cyber planning and operational services and IT management in policy formulation and guidance are needed. In its response to the IG report, the ITA OCIO states that “ITA notes the challenges of its global users and cloud-based environment. Therefore, it continues to make significant investments in cyber security and improvements in its governance procedures and security operations of its cloud-based systems.”

That said, the ITA’s total budget is slated to be $56M, according to the FY 2019 IT budget. Of that, interestingly enough, less than $1M is dedicated to ITA’s Enterprise Cybersecurity investment (about $600K) while $3M is dedicated to ITA IT Management – both line items practically unaltered from FY 2017 and FY 2018 levels.