May 15, 2020 | Insight

Project Vampire: TCIL Effort Seeks to Mitigate Real-Time Threats to the Home Networks of U.S. Government Workforce

With the COVID-19 pandemic forcing a radical realignment of where and how the American workforce works, more and more sensitive business operations are being handled on home networks. Operating outside of enclaves secured by our own nation-state cyber defense resources has become a seemingly unavoidable cost of business. Therefore, now is a critical time for Washington to bolster the cybersecurity of senior U.S. government (USG) executives’ home networks, which adversaries and criminals are exploiting at an increasing pace.

Over the last two years, well before COVID-19 arrived on our shores, FDD’s Transformative Cyber Innovation Lab (TCIL) began working on the issue of household-level defense of senior-level USG employees and appointees working in the national security arena. As part of that effort, known as Project Vampire, TCIL has developed a first-echelon detection system that captures packet traffic at the household level and applies filters to triage between suspicious and non-suspicious traffic.

TCIL operates outside the traditional limitations of Washington think tanks, which often issue cyber policy recommendations divorced from technical realities. Too often, policy and technical solutions emerge from isolated silos; thus, decision makers are often dependent either on technology experts who may not comprehend policy mechanics well enough to formulate realistic proposals, or on policy experts who may not understand the technical implications of the recommendations they propose. TCIL’s interdisciplinary nature helps bridge this gap, and our experts are able to explain technical vulnerabilities in clear terms so that decision makers can make more effective policy choices.

At the highest levels of government, more and more people now work outside of their protected office networks, including many of the USG’s roughly 14,000 Senior Executive Service (SES) and Senior Intelligence Service officers as well as many of the 5,200 political appointees, members of Congress with high-level security clearances, and senior ranks of the uniformed services. These are the USG officials whose daily work focuses on the most sensitive and critical information, which constitutes the richest prize for hostile foreign intelligence services.

According to a 2017 Office of Personnel Management (OPM) telework status report to Congress, approximately 903,000 people, or 43 percent of the nearly 2.1 million-strong federal workforce, are able to telework. Although there are no published numbers yet on how many more have been teleworking since the COVID-19 lockdowns began, the Department of Defense (DoD) alone has been reducing its on-site workforce by as much as 50 percent.

The Office of the Director of National Intelligence, the agency that oversees the other 16 U.S. intelligence agencies, has also reduced staffing through staggered shifts and flexible schedules.

Even in the best of times, U.S. government teleworking safety and security have been suboptimal. In 2017, OPM audited 51 USG agencies to see how they were incorporating telework considerations in their existing plans. Of the 51 reporting agencies, only 26 had a telework emphasis as part of their existing Continuity of Operations (COOP) plans. Now that the pandemic has led many agencies to activate their COOP and Continuity of Government plans, many are operating without a teleworking strategy. Even those agencies whose plans have a teleworking component may not be implementing it.

This has led to a massive federal workforce working at home with few security measures in place.

Through public records and commercial data services, Russian, Chinese, Iranian, and other hostile nation-state actors can easily locate the homes of U.S. government officials and employees. Through targeted attacks, these nation-states can infiltrate the home networks of influential Washingtonians, steal data, eavesdrop on conversations, and/or insert malware into systems that are much less protected than the networks in the office.

To test several baseline assumptions about the nature of the threat, TCIL has produced a first-echelon detection system. Weeks prior to the mandatory stay-at-home orders, TCIL successfully tested this system on the home network of a former SES-level DoD official. TCIL detected and documented suspicious traffic whose features cannot be explained by normal internet behavior, providing the earliest indications that his system may have been compromised.

Within a week of the quarantine, another recently retired SES-level official, currently working in a sensitive role for a major component of the U.S. national security apparatus, contacted TCIL. This official also raised concerns that nation-state actors were compromising his home network in order to infiltrate a larger USG enterprise.

After a forensic examination of the attack, we determined with high confidence that it was a nation-state actor and not an ordinary criminal perpetrator. To help protect the individual and his work while other authorities are brought to bear, TCIL developed a near-term, brute force contingency. The remediation plan was a three-part solution in which:

  1. the compromised devices were disconnected and securely transported to appropriate parties in the USG for examination;
  2. connectivity for the house was re-established in such a way that minimized the effectiveness of any remaining malware; and
  3. critical functionalities (voice, email, etc.) were restored in a maximally secure manner.

This initial response was implemented within hours of contact with the victim.

TCIL’s detection system is derived from open-source software, and its analytics are informed by decades of combined experience in defending DoD-scale information systems. The remediation plan used only commercial-off-the-shelf technologies and services.
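The triage stage described above (packet capture at the household level, followed by filters that separate suspicious from non-suspicious traffic) is easier to reason about with a concrete instance. The following is an added illustration, not TCIL's code and not the open-source components Project Vampire is built on; since the actual filters are not published, the four heuristics here (a home/external split on RFC 1918 addresses, periodic call-home detection, bulk upload volume, and high-entropy DNS labels), their thresholds, and the flow records are all assumptions chosen to show the shape of such a first-echelon filter over the kind of connection and DNS summaries a capture tool such as Zeek produces.

```python
"""First-echelon triage of household packet traffic.

Added illustration, not TCIL's code: the Project Vampire filters are not
published, so the heuristics here are assumptions chosen to show what a
"suspicious vs. non-suspicious" triage stage looks like over flow records
of the kind a capture tool (e.g. Zeek conn/dns logs) produces.
"""
import ipaddress
import math
from collections import Counter, defaultdict

# RFC 1918 ranges only. The sample below uses RFC 5737 documentation
# addresses for "external" hosts, which ipaddress.is_private would also
# classify as private, so an explicit home-network list is used instead.
HOME_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETS)


def label_entropy(name):
    """Shannon entropy (bits per character) of the longest DNS label in name."""
    label = max(name.rstrip(".").split("."), key=len)
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival times; lower means more periodic.
    Returns None when there are too few events to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return None
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean


def triage(flows, min_beacons=4, cv_max=0.1, entropy_min=3.5, upload_bytes=5_000_000):
    """Return {flow_index: [reasons]} for flows the filters consider suspicious.

    Thresholds are assumptions for the sample; a real deployment tunes them
    against a baseline of the household's own traffic.
    """
    findings = defaultdict(list)
    # Outbound flows grouped by (src, dst, dport) for periodicity and volume checks.
    by_pair = defaultdict(list)
    for i, f in enumerate(flows):
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            by_pair[(f["src"], f["dst"], f["dport"])].append(i)
    for (src, dst, dport), idxs in by_pair.items():
        cv = beacon_score([flows[i]["ts"] for i in idxs])
        if cv is not None and len(idxs) >= min_beacons and cv <= cv_max:
            for i in idxs:
                findings[i].append(f"beaconing from {src} to {dst}:{dport} (cv={cv:.3f})")
        upload = sum(flows[i]["bytes_out"] for i in idxs)
        if upload >= upload_bytes:
            for i in idxs:
                findings[i].append(f"bulk upload of {upload} bytes from {src} to {dst}")
    # A long, near-random DNS label suggests tunnelling or DGA-style traffic.
    for i, f in enumerate(flows):
        if f.get("query"):
            ent = label_entropy(f["query"])
            if ent >= entropy_min:
                findings[i].append(f"high-entropy DNS label in {f['query']} ({ent:.2f} bits/char)")
    return dict(findings)


def sample_flows():
    """Constructed flow records (not captured data); external hosts are
    RFC 5737 documentation addresses plus one placeholder public address."""
    dev, gw = "192.168.1.20", "192.168.1.1"
    flows = [{"ts": t, "src": dev, "dst": "203.0.113.7", "dport": 443, "bytes_out": 512}
             for t in (1000.0, 1060.0, 1121.0, 1180.0, 1241.0)]  # indexes 0-4: periodic call-home
    flows.append({"ts": 1300.0, "src": dev, "dst": "198.51.100.9", "dport": 22, "bytes_out": 7_000_000})  # 5
    flows += [{"ts": 1400.0, "src": dev, "dst": "93.184.216.34", "dport": 443, "bytes_out": 1200},  # 6
              {"ts": 2900.0, "src": dev, "dst": "93.184.216.34", "dport": 443, "bytes_out": 900}]  # 7
    flows += [{"ts": 1399.0, "src": dev, "dst": gw, "dport": 53, "bytes_out": 60, "query": "www.weather.gov"},  # 8
              {"ts": 1450.0, "src": dev, "dst": gw, "dport": 53, "bytes_out": 90,
               "query": "a8f3k2m9x1q7z4b6c0d5e2f8g1h3j7k9.example.com"}]  # 9
    return flows


def run_sample():
    return triage(sample_flows())


if __name__ == "__main__":
    for idx, reasons in sorted(run_sample().items()):
        print(idx, "; ".join(reasons))
```

On the constructed sample, the five evenly spaced connections to 203.0.113.7, the 7 MB upload to 198.51.100.9, and the 32-character random-looking DNS label are flagged, while the two ordinary HTTPS flows and the weather lookup pass. Two caveats a practitioner should keep in mind: every one of these heuristics has benign look-alikes (software update checks and chat clients beacon, cloud backups upload in bulk, CDN and DKIM hostnames carry long high-entropy labels), so the output is a triage queue for an analyst, not a verdict, and the thresholds only work once they have been set against a baseline of the household's normal traffic.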

What is needed – immediately – is a USG cyber rapid-response force that can move fast to implement at scale household-level defensive strategies for a prioritized list of the thousands of potential government targets now working from home.

As with other TCIL pilot projects, our cyber research, combined with our technical work, showcases both the threat the United States faces and a possible way forward that has the advantage of economy, simplicity, and immediacy of impact.

Now the solutions we have proposed must be scaled and implemented.

TCIL, a project of FDD’s Center on Cyber and Technology Innovation (CCTI), aims to nurture technologically feasible, testable pilot projects that bridge the gap between technology, policy, and governance to drive revolutionary, society-wide improvement in cyber resilience. Follow CCTI and FDD on Twitter @FDD_CCTI and @FDD. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
