CISA orders US civilian agencies to remove tools from public-facing internet

The Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal civilian agencies to remove devices from the public-facing internet in an effort to solve one of the government’s most prevalent security issues.

Dozens of federal civilian agencies expose a variety of the technological tools they use to the internet to make it easier for employees to access them.

But these devices have become a hotbed for hacker activity in recent years due to their ease of discovery and exploitation from anywhere in the world.

CISA Director Jen Easterly said hackers “are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise.”

On Tuesday, CISA issued Binding Operational Directive (BOD) 23-02 – an order that all federal civilian agencies are required to abide by. The order says agencies have two weeks after the discovery of an internet-exposed networked management interface to either remove it from the internet or institute access control measures like zero trust architecture.

Zero trust is a strategic approach – pushed heavily by the federal government in recent years – that removes the concept of implicit trust and forces users to be continuously validated at every stage of a digital interaction.

Agencies will also have to implement technical or management controls to “ensure that all management interfaces on existing and newly added devices, identified as in scope for this Directive,” are only accessible from an internal enterprise network or protected by access controls.

“Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise,” Easterly said. Although the directive only applies to federal civilian agencies, CISA urges all organizations to adopt its guidance.

Several platforms like Shodan, GreyNoise and Censys provide a variety of information on internet-exposed devices at organizations across the world. For example, Censys published a blog post on Tuesday about a popular file transfer tool that many organizations have exposed to the internet. Nearly 8% of those found exposed to the internet are from governments or militaries, potentially exposing sensitive data to hackers interested in exploiting recently-disclosed vulnerabilities in the product.

The government of Nova Scotia, the Illinois Department of Innovation & Technology, and the Minnesota Department of Education are just a few of the organizations that said citizen data was accessed by hackers exploiting the vulnerable file transfer tool.

CISA said several recent hacking campaigns have underscored the “grave risk to the federal enterprise posed by improperly configured network devices.”

Their goal with the directive is to “further reduce the attack surface of the federal government networks.”

In its guidance document, CISA said it plans to scan for devices and interfaces exposed to the internet and notify all agencies of its findings.

CISA will also create a reporting interface and remediation plan for agencies alongside other efforts to keep offices protected. They also plan to proactively reach out to agencies and provide guidance on how they can harden specific devices.

Patrick Garrity, a security researcher at Nucleus Security, said this kind of guidance is “industry best practice that every organization should be following already.”

But he noted that the fact that CISA had to issue a directive shows that many organizations “do not have visibility, resources or an appetite for change.”

“CISA is building a great program to build accountability for security within the federal government and provides support to federal agencies who need help,” he said.

“This is critical for national security.”