Library of Congress
Facts: “The Library of Congress is the largest
library in the US, it is located in Washington, D. C., and maintained largely
by federal appropriations.” (1) Providing research facilities for members of Congress was
its original purpose; today it also provides research facilities for the
public. In fiscal year 2016 the library
employed 3,149 permanent staff, responded to 1 million reference requests
from Congress, the public, and other federal agencies, and delivered
approximately 18,380 volumes from the Library’s collections to congressional
offices. The Annual Report of the
Librarian of Congress in 2016 shows annual appropriations of $642.04 million. A
successful hack of the library’s resources could result in the unauthorized
disclosure of information on military operations, the budget, and other policy information.
Leadership: Carla Hayden is the 14th Librarian of
Congress and the Chief Information Officer is Bernard Barton.
To Provide Congress, and then the federal government, and American people
with a rich, diverse, and enduring source of knowledge that can be relied upon
to inform, inspire, and engage them, and support their intellectual and
Vision: The chief steward of America’s and the world’s record of
knowledge, and is a springboard to the future, while providing indispensable
services to Congress.
On July 17, 2016 the Library of
Congress was the target of a massive distributed denial of service (DDoS)
attack. A group called the Turk Hack Team claimed credit for the attack on an
online message board. The hackers
attacked the firewalls and got into the website, flooding the network with packets
and causing outages to websites and services.
The CIO Bernard Barton described the attack as “a massive and
sophisticated DNS assault, employing multiple forms of attack, adapting and
changing on the fly.” (3) The attackers also defaced the website and changed the message
that was displayed on it.
In a blog post, Bernard Barton
explained, “The attack began on Sunday morning
and disrupted a number of services and sites hosted by the library including:
Congress.gov, the U.S. Copyright Office, the Congressional Research Service and
the BARD (Braille and Audio Reading Download) service from the National Library
Service for the Blind and Physically Handicapped.” (4) Congress employees were unable to visit internal websites, and the
attack also impacted Library databases and incoming and outgoing email.
been the recipient of numerous cyber-attacks in the past including: SQL
injection attacks, website defacements, and inadvertent data leaks. In 2012 the
Library of Congress official website was breached and the stolen data was posted on
a file sharing website called Pastebin. The
attack included “a SQL injection attack to the LOC’s back end database exposing
user names, passwords and email addresses.” (4) Hacktivist BlitzSec stated that
the hack was a response to legislation such as the National Defense Authorization Act
and the Patriot Act, which called members “criminals” and “terrorists”. The group claiming responsibility said it used a SQL injection
attack to access the Library of Congress website’s back end database and expose
user names, passwords and email addresses.
The 2015 GAO
report stated that “The Library of Congress has established policies and
procedures for managing its information technology (IT) resources, but
significant weaknesses across several areas have hindered their
effectiveness.” The report identified a number
of risks including: no IT strategy, the lack of end-to-end processes to track
assets, the inability to test security controls and mitigate weaknesses in a
timely manner, lack of good technical security controls, no assessment of risks
to personally identifiable information (PII) in its systems, as well as issues
with stability in the position of the CIO. These and other weaknesses put the
Library’s systems at risk of compromise.
In the field the terms Cyber Security and Computer Security are often used
interchangeably, but Cyber Security is defined as the body of governance,
policy, processes and measures to shield data and computer systems from
unauthorized access, incident or attack. Computer Security, by contrast, ensures that
availability, integrity and confidentiality are maintained. This means that authorized users will have
access to information when required, unauthorized modification of data is
prevented, and there is no unauthorized disclosure of data.
Organizations must do a balancing act
between making information available to employees and customers and protecting
its confidentiality and integrity. The 2015
GAO report clearly identified vulnerabilities at the library that needed to be
addressed, yet the risks remained unmitigated.
The 2016 Library of Congress denial of
service attack was designed to disrupt the integrity and availability aspects of
the CIA Triad. The attack directly
affected employees and other sites hosted on the Library of Congress network by
changing and defacing the website, revealing that unauthorized modification was
not prevented. Authorized users were
denied access to internal websites, databases and email, creating an
environment of confusion. It is also possible that confidentiality was breached,
as the attack could have used an SQL injection to steal PII and other sensitive
On its website, Akamai, an American content delivery network and cloud
delivery platform, states, “Over the past
15 years, distributed denial of service attacks, or DDoS attacks, have become
one of the chief threats to websites, servers and networks. DDoS attacks use
malware to remotely control thousands of computers, or botnets, and cause them
to send bogus requests to a specific target. Designed to overwhelm a machine or
network resource and render it unavailable to users, DDoS attacks can cause
severe damage to a company’s operations, reputation, productivity, and bottom line.”
System and Application software must be designed with
security in mind. Security should be planned initially as well as worked into
each phase of the software development lifecycle.
During the 2016 attack, hackers flooded and overloaded
the system with packets, crashing it and leaving it
vulnerable and subject to further attack. Since the system was unable to
protect itself, hackers were able to bypass the system security and gain
unauthorized access to information on servers and other sites hosted on the
Library of Congress network.
All websites are designed using HTML code. Hackers were
able to gain system access and elevate their privileges in order to edit the
HTML code used to display webpages. The elevated privileges gave them full
access to add, change or remove web page contents and to deface the Library of
It is clear that hackers were able to access the
Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3
(POP3) and Internet Message Access Protocol (IMAP) email servers, as the hack
prevented employees from accessing both incoming and outgoing email.
Programmers should regularly review systems software,
application software and software interactions to determine vulnerabilities
that could be exploited. Code reviews
should be done to inspect the program code in order to find mistakes overlooked
during the software development process.
The objectives are to establish best practices, discover errors,
identify common vulnerabilities and malware, and fix weaknesses in a
timely manner. White-box and black-box testing should be done to ensure secure code
design and software usability.
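The defect a code review of a login or account-lookup path should catch is the one behind the 2012 incident described above: user input spliced into the SQL text. The following is an added example written for this paper, not code from the Library of Congress or any of its systems; the table layout, column names and sample accounts are constructed, and the password hashing is a simplification.

```python
"""Added example (not the Library's code): the SQL-injection defect a code
review should flag, next to the parameterised query that fixes it. Uses an
in-memory SQLite table of constructed sample accounts."""
import hashlib
import sqlite3

# Constructed sample accounts. Passwords are stored as salted SHA-256 digests
# rather than in plaintext, so a leaked table does not leak credentials.
SAMPLE_USERS = [
    ("alice", "alice@example.org", "correct horse"),
    ("bob", "bob@example.org", "battery staple"),
]


def hash_password(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create the assumed 'users' table and load the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, salt TEXT, pw_hash TEXT)"
    )
    for name, email, password in SAMPLE_USERS:
        salt = name + "-salt"  # constructed; a real system draws the salt from os.urandom
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)",
            (name, email, salt, hash_password(password, salt)),
        )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Defect: the untrusted value is concatenated into the SQL text, so the
    value can change the structure of the query. A review must flag this."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fix: a parameterised query. The driver sends the value separately from
    the SQL text, so it can only ever be compared literally against usernames."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with the same crafted input and report what each returns."""
    conn = build_db()
    crafted = "x' OR '1'='1"  # textbook input that alters the concatenated query
    return {
        # concatenated query: WHERE clause becomes always-true, whole table returned
        "vulnerable_rows": len(find_user_vulnerable(conn, crafted)),
        # parameterised query: no account is literally named "x' OR '1'='1"
        "safe_rows": len(find_user_safe(conn, crafted)),
        "safe_lookup": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The review signal is purely syntactic, which is why it suits an automated check: any query text built with `+`, `%` or f-strings from request data fails review; any query that passes its values through the driver's parameter tuple passes.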
Data Flow Across Networks
There are many common cybersecurity attacks, which
include: malware threats, denial-of-service, session hijacking, hacking
applications, SQL injections, cross-site scripting, hacking wireless
networks, and numerous others.
Penetration Testing should be performed on the Library of
Congress network using some of the common attacks to determine the strength of
the network. Pen Testing or Ethical Hacking would include simulated attacks
performed by white hat and/or black hat testers to evaluate the system security
and help identify vulnerabilities within a network, that is, vulnerabilities that
a hacker could exploit. This would
provide the organization direction on what areas need to be addressed in order
to secure the Library of Congress information systems and network.
In order to monitor activity on the network, forensic investigators use Network Forensic
Analysis Tools (NFAT). Some of these tools include:
When there are network anomalies it is important that
they be identified, researched and mitigated prior to doing any possible
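A packet or request flood of the kind described for the 2016 attack is the simplest network anomaly to surface from logs: one source, or all sources together, exceeding a baseline request rate within a short window. The following is an added example for this paper, not code from the Library of Congress or from any NFAT product; the log line format, the window length, the thresholds and the traffic itself are all constructed assumptions.

```python
"""Added example (not the Library's or any NFAT vendor's code): a sliding-window
flood detector run over constructed access-log lines. Format and thresholds are
assumptions; a real deployment derives the limits from measured baselines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed window length
PER_SOURCE_LIMIT = 50            # assumed: requests per source inside one window
GLOBAL_LIMIT = 200               # assumed: requests from all sources inside one window


def parse_line(line: str):
    """Assumed log format: '<ISO timestamp> <source ip> <request path>'."""
    ts, ip, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, path


def detect_floods(lines):
    """Return (kind, source, first_seen) alerts, one per offending source.

    Lines must be in time order. Two deques hold the timestamps still inside the
    window: one per source and one for everything, so both a single-source flood
    and a distributed flood that no single source would reveal are caught."""
    per_source = defaultdict(deque)
    everything = deque()
    alerts, flagged = [], set()
    for line in lines:
        ts, ip, _ = parse_line(line)
        for q in (per_source[ip], everything):
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop timestamps that left the window
                q.popleft()
        if len(per_source[ip]) > PER_SOURCE_LIMIT and ip not in flagged:
            flagged.add(ip)
            alerts.append(("source_flood", ip, ts))
        if len(everything) > GLOBAL_LIMIT and "global" not in flagged:
            flagged.add("global")
            alerts.append(("global_flood", "*", ts))
    return alerts


def build_sample_log():
    """Constructed traffic: 10 ordinary visitors at one request per second for
    30 seconds, plus one source that sends 300 requests within a single second."""
    base = datetime(2016, 7, 17, 9, 0, 0)
    visitors = [f"198.51.100.{i}" for i in range(1, 11)]   # documentation range
    lines = []
    for s in range(30):
        ts = (base + timedelta(seconds=s)).isoformat()
        for ip in visitors:
            lines.append(f"{ts} {ip} /index.html")
        if s == 15:
            lines.extend(f"{ts} 203.0.113.9 /search" for _ in range(300))
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

On the constructed traffic the per-source alert fires first, at the 51st request from the flooding address, and the global alert follows once the window's total passes 200; none of the ordinary visitors is flagged. Raising the per-source limit without a global limit would miss a flood spread across many addresses, which is why both counters are kept.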
Discuss the principles that underlie the development of an
enterprise cybersecurity policy framework and implementation plan.
Microsoft states that “The key to securing your
enterprise now and into the future is knowing your current security posture and
its potential weaknesses.” (9) A cybersecurity strategy should be designed based
on organizational vision, mission, goals, business requirements, and critical
areas of organizational risk. The strategy should be developed to be
quantifiable, with each task measured by a metric.
The enterprise-wide security metric program should be
designed to ensure the organization is meeting its goals and reported to senior
leadership on a quarterly, monthly or weekly basis. Metrics should be presented holistically
across the various cybersecurity areas in an electronic tool specifically
designed to measure strategy, with a drill-down capability for delving into
specific areas of issue. The implementation plan should be a further drill-down
of the identified strategy with specific steps for implementing the
“A computer security model is a scheme for specifying and
enforcing security policies. A security model may be founded upon a formal
model of access rights, a model of computation, a model of distributed
computing, or no particular theoretical grounding at all.” Security models can
be categorized as positive or negative.
A positive security model is like a whitelist: it says what is
included, and everything else is rejected.
A negative security model lists everything that is rejected, and
anything else is automatically allowed.
Source: New Threats and Countermeasures in Digital Crime and Cyber Terrorism (2015), edited by Maurice Dawson.
Some of the security models include: the Bell-LaPadula
(BLP) Confidentiality Model, Biba Integrity Model (the opposite of BLP), Clark-Wilson
Integrity Model, Information Flow Model, Non-Interference Model, Graham-Denning
Model, Harrison-Ruzzo-Ullman Model, and Lattice Model. The Library of Congress would first have to
determine what security model its policy will be based on. Review the security models and determine
which model fits best with the type of customers, data and level of security
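The difference between the first two models listed above is easiest to see as code. The following is an added example for this paper, not an implementation from the Library of Congress or from the original model papers; the four sensitivity levels, the subjects and the requests are constructed, and real policies also carry compartments and discretionary rules that are omitted here.

```python
"""Added example (not the Library's code): Bell-LaPadula and Biba mandatory
access checks over a constructed linear ordering of labels, plus the combined
rule for a system that needs both confidentiality and integrity."""

# Constructed label lattice; higher number = more sensitive (BLP) or more trusted (Biba).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def blp_allows(action: str, subject_level: str, object_level: str) -> bool:
    """Bell-LaPadula (confidentiality):
    simple security property = no read up; *-property = no write down."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action {action!r}")


def biba_allows(action: str, subject_level: str, object_level: str) -> bool:
    """Biba (integrity) is the dual of BLP: no read down; no write up.
    A subject must not be contaminated by less trustworthy data or taint
    more trustworthy data."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if action == "read":
        return s <= o
    if action == "write":
        return s >= o
    raise ValueError(f"unknown action {action!r}")


def both_allow(action: str, subject_level: str, object_level: str) -> bool:
    """Enforcing BLP and Biba on the same labels leaves only same-level access,
    which is why real systems label confidentiality and integrity separately."""
    return blp_allows(action, subject_level, object_level) and biba_allows(
        action, subject_level, object_level
    )


# Constructed requests: (subject, subject level, action, object, object level)
REQUESTS = [
    ("analyst", "secret", "read", "budget-memo", "confidential"),
    ("analyst", "secret", "write", "public-site", "public"),
    ("web-editor", "public", "write", "public-site", "public"),
    ("web-editor", "public", "read", "budget-memo", "confidential"),
    ("web-editor", "public", "write", "budget-memo", "confidential"),
]


def evaluate(policy, requests=REQUESTS):
    """Apply one policy function to each request; returns decisions in order."""
    return [
        (who, action, what, policy(action, s_level, o_level))
        for who, s_level, action, what, o_level in requests
    ]


if __name__ == "__main__":
    for name, policy in (("BLP", blp_allows), ("Biba", biba_allows), ("both", both_allow)):
        print(name, evaluate(policy))
```

Under BLP the secret-cleared analyst may read the confidential memo but may not write to the public site, since that write could carry secret information down; under Biba the same analyst may write to the public site but may not read the lower-integrity memo. The 2016 defacement is an integrity failure, which is what the Biba rules address, while the 2012 credential exposure is a confidentiality failure of the kind BLP addresses.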
The Library of Congress should employ
the NIST Framework for Improving Critical Infrastructure Cybersecurity, which “provides
industry a risk-based approach for developing and improving cybersecurity
programs”. The framework core identifies
specific functions: “Identify, Protect, Detect, Respond and Recover—that
provide a strategic view of the lifecycle of an organization’s management of
cybersecurity risk.” (Harvard Paper)
And finally, Defense in Depth should be employed across
the organization’s network to ensure
that there are various layers of security measures designed into the enterprise
cybersecurity policy framework and the implementation plan. This ensures that even if an attacker gets
through one layer, there are additional layers to penetrate in order to gain