Senate sees exponential rise in computer attacks, might be time to rethink security posture, not just spend more to respond

In comments justifying a requested $15 million operating budget increase for fiscal 2011, the Senate Sergeant-at-Arms stressed the need to improve computer security in the face of an extraordinary rise in security “events,” which reportedly went from 8 million per month in 2008 to 1.6 billion (yes, billion) per month in 2009, and are still climbing. The Senate security operations center apparently sees nearly 14 million attempted attacks or other events every day. Managing IT security for the Senate’s computing and network infrastructure is among the responsibilities of the Sergeant-at-Arms, which also provides a variety of support services to U.S. senators and to Senate and committee offices, such as printing, direct mail, audio and video recording studios, and wireless telecommunications services through Verizon, the Senate’s preferred provider. With that kind of increase in attack activity directed at your environment, you’d want more resources too, but it would also be a good time to examine whether any architectural or design characteristics of that environment are contributing to the volume of attacks coming in, in particular the visibility of Senate network infrastructure to outsiders.

The core computing operations for the Senate Sergeant-at-Arms reside in the Postal Square building in the shadow of Union Station in northeast Washington, DC. From this central location, the Sergeant-at-Arms oversees a wide-area network providing connectivity not only to Senate offices on Capitol Hill but also to all home-state Senate offices across the country. The computing infrastructure is segregated by political party, at least since the 2004 incident in which Republican Senate staffers allegedly took advantage of Democratic and Republican files being co-located on the same server to gain unauthorized access to Democratic files. The Senate, like many federal agencies both large and small, does not use network address translation (NAT) and instead assigns IP addresses to its servers directly from its allocated netblock. Both the primary public-facing Senate web servers (www.senate.gov) and its intranet servers (us.senate.gov) are hosted by the Senate Sergeant-at-Arms, in contrast to the House of Representatives, for example, whose network configuration directs users requesting www.house.gov to edge content servers hosted by Akamai. Even without NAT, it is somewhat surprising that the primary IP address of the intranet appears in publicly accessible nameservers, including sen-dmzp.senate.gov, the primary nameserver for the senate.gov domain. The simple fact that the intranet server’s IP address is so publicly discoverable makes it far more likely that network probes and attempted intrusions will be launched against the Senate’s internal network.
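A defender-side check for the exposure described above, added here as an example and not code from the Senate or any vendor: given zone data in the shape that dig or a zone file prints, it lists hosts whose names suggest internal use but whose A record (directly or through a CNAME) is a globally routable address. The hostnames, addresses and the list of internal-looking labels are constructed assumptions; the zone being reviewed would supply its own.

```python
import ipaddress

# Constructed sample records (hypothetical zone, not senate.gov data), in the
# "owner  IN  type  rdata" shape that dig or a zone file prints.
SAMPLE_ZONE = """
www.example.gov.        IN A     203.0.113.10
us.example.gov.         IN A     203.0.113.20
files.corp.example.gov. IN A     10.20.30.40
vpn.example.gov.        IN A     198.51.100.5
printsrv.example.gov.   IN CNAME us.example.gov.
"""

# Address space that is never reachable from the Internet. The RFC 5737
# documentation ranges above (203.0.113.0/24, 198.51.100.0/24) stand in for
# public addresses; ipaddress's is_global would report them as non-global,
# so this list is explicit instead of relying on that property.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8")]

# Labels that mark a host as intended for inside users only (assumption:
# adjust to the naming convention of the zone under review).
INTERNAL_LABELS = ("us", "intranet", "corp", "internal", "printsrv")

def parse_zone(text):
    """Return {owner: (rtype, rdata)} for A and CNAME lines; other lines are ignored."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "IN" and parts[2] in ("A", "CNAME"):
            records[parts[0].rstrip(".")] = (parts[2], parts[3].rstrip("."))
    return records

def resolve(name, records, hops=8):
    """Follow CNAMEs inside the zone until an A record (or nothing) is reached."""
    for _ in range(hops):
        rtype, rdata = records.get(name, (None, None))
        if rtype != "CNAME":
            return rdata if rtype == "A" else None
        name = rdata
    return None  # CNAME loop or chain longer than `hops`

def looks_internal(name):
    return any(label in name.split(".") for label in INTERNAL_LABELS)

def is_routable(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)

def exposed_internal_hosts(zone_text):
    """Internal-looking names that resolve, directly or via CNAME, to a routable IP."""
    records = parse_zone(zone_text)
    return sorted((name, addr) for name in records
                  if looks_internal(name)
                  and (addr := resolve(name, records)) and is_routable(addr))
```

On the sample zone the check flags us.example.gov and, through its CNAME, printsrv.example.gov, while files.corp.example.gov is left alone because 10.20.30.40 is not routable from outside.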

None of these configuration or network characteristics is new, so they have little explanatory value in getting to the root of the 200-fold increase in potentially malicious network security activity within a single year. It seems likely that the change in administration and, specifically, the change in the political alignment of the Senate, coupled with the significance of some of the items it has taken up on its agenda, would heighten its visibility and therefore make the Senate a more attractive target, whether threats are intended to cause denial of service, disrupt operations, or simply call attention to information security weaknesses. In light of the increased demands on security operations personnel, devoting a portion of what amounts to a less than 7 percent budget increase seems unlikely to help the Sergeant-at-Arms really get a handle on its environment. It is possible that by distributing some of the perimeter infrastructure and network computing services, more attention could be focused on traffic filtering and intrusion detection and prevention, while also insulating the core support infrastructure for the Senate from potential disruption, data corruption, disclosure, or other loss.