Cybersecurity: DHS Issues Emergency Directive to Address Agency DNS Tampering

Published: January 30, 2019


Domain Name System (DNS) tampering allows attackers to intercept and manipulate agency web and mail traffic and other user-submitted information.

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) recently issued its first directive to federal civilian agencies since it was established in November 2018.

CISA’s Emergency Directive 19-01, “Mitigate DNS Infrastructure Tampering,” directs agencies to address the risks to their information and systems presented by attackers who surreptitiously gain access to, and alter, agency Domain Name System (DNS) records to then intercept, exploit and possibly manipulate agency web traffic, email and user-submitted information.

In a blog post discussing the reason for the directive, CISA Director Christopher Krebs highlighted industry help in identifying a global DNS infrastructure hijacking campaign, noting that “this type of attack isn’t something many organizations monitor for or have tight controls around.”

Krebs also outlined the following four actions that civilian agencies must take within 10 business days from the date of the memo to mitigate risks from the threat:

  1. Verify their DNS records to ensure they are resolving to the intended location and not redirected elsewhere.
  2. Update DNS account passwords to disrupt access to accounts by any unauthorized users.
  3. Add multi-factor authentication to all accounts that manage DNS records to harden accounts from future attacks.
  4. Monitor Certificate Transparency logs for certificates issued that the agency did not request to help alert defenders to anyone attempting to impersonate them or spy on their users.
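Actions 1 and 4 above are easy to automate once an agency has a written baseline of what its records should say and which certificate authorities it actually buys from. The following is an added example, not CISA's or the directive's own tooling: it compares a set of observed DNS answers and CT log entries against such a baseline and reports every drift. All names, addresses, issuers and serials are constructed; in practice the observed values would come from a resolver query and a CT log search.

```python
# Constructed example: compare observed DNS answers and CT log entries against an
# agency baseline (directive actions 1 and 4). All names and values are made up.
import ipaddress

# Baseline of intended records, keyed by (owner name, record type).
EXPECTED_DNS = {
    ("www.agency.example", "A"): {"203.0.113.10"},
    ("agency.example", "MX"): {"10 mail.agency.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
}
EXPECTED_ISSUERS = {"Example CA 1"}  # CAs the agency actually orders certificates from

def normalize(rtype, value):
    """Canonicalize a record value so case or a missing trailing dot does not alert."""
    if rtype == "A":
        return str(ipaddress.ip_address(value.strip()))
    v = value.strip().lower()
    return v if v.endswith(".") else v + "."

def check_dns(observed, expected=EXPECTED_DNS):
    """Return one finding per record value that was added to or removed from the baseline."""
    findings = []
    for (name, rtype), want in expected.items():
        want = {normalize(rtype, v) for v in want}
        got = {normalize(rtype, v) for v in observed.get((name, rtype), [])}
        findings += [f"ADDED {rtype} {name} -> {v}" for v in sorted(got - want)]
        findings += [f"REMOVED {rtype} {name} -> {v}" for v in sorted(want - got)]
    return findings

def check_ct(entries, domains, issuers=EXPECTED_ISSUERS):
    """Flag logged certificates that cover our names but come from a CA we did not use."""
    alerts = []
    for e in entries:
        names = {n.lower().lstrip("*.") for n in e["names"]}
        ours = {n for n in names if n in domains or any(n.endswith("." + d) for d in domains)}
        if ours and e["issuer"] not in issuers:
            alerts.append(f"cert {e['serial']} for {','.join(sorted(ours))} issued by {e['issuer']}")
    return alerts

# Constructed observations: the web A record and one NS were redirected, and an unrequested cert appeared.
OBSERVED_DNS = {
    ("www.agency.example", "A"): ["198.51.100.7"],
    ("agency.example", "MX"): ["10 MAIL.agency.example"],
    ("agency.example", "NS"): ["ns1.agency.example.", "ns3.unknown.example."],
}
CT_ENTRIES = [
    {"serial": "01", "names": ["www.agency.example"], "issuer": "Example CA 1"},
    {"serial": "02", "names": ["*.agency.example"], "issuer": "Example CA 2"},
]
```

Calling `check_dns(OBSERVED_DNS)` reports the changed A record and the swapped nameserver while the MX record, which differs only in case and trailing dot, stays quiet; `check_ct(CT_ENTRIES, {"agency.example"})` flags only the wildcard certificate from the unexpected issuer.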

Contractor Implications

CISA directives only apply to federal civilian executive branch agencies, not to the Department of Defense (DoD) or the Intelligence Community (IC), nor to systems that are defined in statute as “national security systems.” Krebs notes, however, that “the Directive includes common sense guidance and mitigation steps any organization can take to prevent DNS infrastructure tampering.” This includes industry partners and private companies that have not already addressed these issues.

Further, the directive memo begins with a paragraph describing the statutory authorities granted to the DHS Secretary to direct agency heads to take action “with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat” (emphasis added).

Clearly, this encompasses contracting firms that are either operating government systems or processing agency information on their company’s internal systems. This is not a new issue – both the DoD and the Office of Management and Budget (OMB) began requiring contractors to increase safeguards for Defense information and bolster protections around sensitive information on contractor-operated or contractor-owned systems several years ago.

The evolution of shared risk, shared information and continued interdependence will continue to include increased transparency and required protections on the part of contractors as a requirement for doing business with federal agencies.