The Department of Transportation has recently completed a set of thorough security tests on software used in the Transportation Secretary’s office, and the results surprised the department: the testing found vulnerabilities in software it had expected to be secure.
The testing program, which was partly motivated by three cybersecurity incidents at the department in the last year, began with software “we thought was pretty rock-solid,” DOT CIO Vicki Hildebrand said. “[W]e were pretty sure we wouldn’t find vulnerabilities. And we did.”
A team of researchers from security-testing company Synack carried out the assessment of the DOT software. The assessment uncovered flaws in commercial products and in networked systems, and DOT’s security team worked with Synack to fix the vulnerabilities promptly, according to Mark Kuhr, Synack’s co-founder and CTO.
Hildebrand, a former executive at Hewlett Packard Enterprise, said she wanted to expand the testing program to other parts of DOT’s vast IT enterprise. “There’s going to be a team approach to whacking these [vulnerabilities] as they’re identified,” she said. Hildebrand and Kuhr spoke to reporters Thursday at the Billington Cybersecurity conference in Washington, D.C.
Part of the impetus for the program was a series of three “cyber incidents” that Hildebrand said occurred not long after she became CIO in October 2017.
“I was there for my first three months and I had a few cyber incidents that I had to address,” she said, adding that the episodes highlighted the need for a comprehensive program for mitigating such security issues.
Asked to elaborate on the incidents, Hildebrand described at least one of them as “bitcoin-related,” and said they were not targeted attacks. The episodes may have caused “some disruption” to end users but did not have widespread impact, according to Hildebrand.
It has been six months since the third incident, she said, “and we’ve been in pretty good shape.”
Those security incidents did not occur in the Office of the Secretary, where the Synack testing took place, but Hildebrand said expanding the security-testing program to the rest of the department would help prevent such security issues from recurring at DOT.
Kuhr said the DOT security-testing program is evidence of the department’s willingness to proactively address IT vulnerabilities.
“This is certainly a way that DOT is moving faster than a lot of the other government agencies out there,” Kuhr said. “You can’t manage the risk well if you don’t know what the risks are. So this is part of a process to just own that risk, and be proactive about how you conduct your operations to manage it sufficiently.”
DOT has nine “modes” of transportation under its umbrella, including the Federal Aviation Administration and the National Highway Traffic Safety Administration. Hildebrand said the FAA’s IT security posture is more mature than other components of DOT because “they’ve put more energy and resources into it.” She said she is therefore focusing on strengthening cybersecurity at the department’s eight other modes.