What the Census Bureau Can Learn From the IRS About Detecting Cyberattacks
Inspectors general from Commerce and Treasury present a tale of two testing regimes.
In separate reports, agency watchdogs demonstrated the difference proper implementation of detection controls can make in limiting the impact of attempted cyber intrusions: one, a foiled ransomware attack against the Internal Revenue Service; the other, an internal penetration test of the Census Bureau’s resilience.
IRS personnel told the Treasury Department’s Inspector General for Tax Administration, or TIGTA, that their centralized information security hub responded to—and neutralized—a ransomware attack it detected in May, according to a Nov. 23 report.
The TIGTA report credited the successful detection and response to testing procedures that the IRS incorporated into its policies under guidelines from the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency.
Another inspector general report—from the Commerce Department—showed how incomplete implementation of similar policies can deliver starkly different results, in this case at the Census Bureau.
The Census Bureau is required “to record and monitor the activity on its network and to respond to alerts about potential security incidents,” but failed to do so, the Commerce IG wrote in a Nov. 22 report based on a covert penetration test it conducted from August 2021 to March of this year.
The Commerce IG conducted the test in reaction to a January 2020 attack on the Census Bureau in which outside malicious hackers successfully exploited security holes. During the more recent exercise, the Commerce IG’s “red team” was able to avoid detection while gaining access to personally identifiable information, or PII, stored by the Census Bureau.
The Commerce IG suggested the agency establish “a process to periodically test and inspect Bureau websites and web applications for vulnerabilities and susceptibility of malicious input,” along with other recommendations, all of which the Census Bureau concurred with.
In contrast, the Treasury's IG had no recommendations for the IRS. That report described an active and comprehensive system for responding to indicators of malicious behavior at the IRS’ Computer Security Incident Response Center.
“The CSIRC provides daily operational coverage for monitoring and analysis for intrusion attempts or anomalous activity,” the IG wrote, noting reports “are assessed to determine the nature and severity of events to formulate a prompt response for containment and eradication, thereby minimizing impact. Reported incidents are documented within the CSIRC centralized Incident Tracking System and further triaged to determine the validity, severity, and impact of the event.”
In the case of the May ransomware incident, CSIRC personnel found patterns in their analysis of web browsing logs that suggested the presence of ransomware and were able to locate and pull the implicated device from the network, according to the report.
Commerce’s IG, on the other hand, “found that even though the malicious activity was mostly captured in logs … The [Census] Bureau had not configured its security tools to generate alerts on these specific indicators of attacks and activities,” allowing the red teamers to go undetected.
The Commerce IG made 10 recommendations for the Census Bureau, including that it, “Develop alerts that align with common detection methods for known attacks and periodically verify that these detection methods remain current and effective [and] … Update logging configuration requirements to collect information necessary for reporting breaches related to sensitive PII.”