Postal Service ‘functioning normally’ after cyber breach, official says in testimony for hearing | PostalReporter.com

The following are excerpts of written testimony by Randy Miskanic, Vice President of Secure Digital Solutions, United States Postal Service.

The intrusion is limited in scope and nearly all operations of the Postal Service are functioning normally. Sadly, this incident is similar to a growing number of attacks reported by many other federal government entities and U.S. corporations. We are not aware of any evidence that potentially compromised customer or employee information has been used to engage in any malicious activity, and we are working with impacted individuals to mitigate potential misuse of such information.

Threat Assessment and Response Timeline
From the time we became aware of the potential threat to Postal Service information systems, our guiding principles were to protect our network from additional harm, to ensure our employee and customer data was secure, and to initiate an investigation that would not be detected by our adversary.

As our investigation of this incident progressed, it became apparent that the intrusion was very sophisticated and had been developed specifically to exploit the Postal Service computing environment. In fact, over the course of the investigation, we learned of the dynamic tactics employed by the adversary to evade detection by most commercial information security tools.

As the scale and scope of the intrusion became evident, we greatly escalated our response. One of our biggest challenges was maintaining secrecy regarding the remediation of several of our infected systems. Therefore, we worked closely with the U.S. Computer Emergency Readiness Team (US-CERT), the FBI and other forensic experts to develop a strategy for protecting our network.

Following is a high-level timeline of how the Postal Service learned of, investigated, mitigated and communicated the threat. I believe that you will find this timeline clearly reflects how—upon discovery that some of our information systems had been intruded—the Postal Service responded quickly and collaboratively, following the advice and guidance of federal and private sector cyber security experts.

Initial Discovery and Investigation
On September 11, 2014, the U.S. Postal Service Office of Inspector General (USPS OIG) reported that they received information from the US-CERT regarding four Postal Service servers that were sending unauthorized communication outside of the organization, indicating that these systems may have been compromised. Limited details were provided by US-CERT at that time.

During the period of September 12 through September 16, the USPS OIG alerted the Postal Service’s Corporate Information Security Officer (CISO) of the suspicious network activity. The CISO was advised that the investigation should remain confidential. Furthermore, the USPS OIG cautioned against any remediation activity, such as scanning, re-imaging, resetting account passwords, taking systems offline or searching IP addresses.

The guidance provided by the USPS OIG was consistent with subsequent direction received from US-CERT and other agencies who have been engaged with these types of actors. The Postal Service’s Chief Information Officer (CIO) was also subsequently notified of the threat during this period, and received the same security and operational warnings.

From September 16 through September 19, USPS OIG agents, Postal Inspectors, and members of the CISO team met daily to develop the steps necessary to properly investigate the suspected unauthorized network activity. Members of the investigative team performed forensic imaging and installed monitoring devices on servers suspected of being compromised. At this point, all that was known was that four servers were sending unauthorized communications.

On September 19, the Postal Service CIO reported the suspicious network activity to the Postmaster General (PMG). The PMG was also advised at that time that the cyber intrusion investigation was ongoing, that only the USPS OIG and USPIS should take action to mitigate the threat, and that any premature action could further endanger the network.

Subsequently, information regarding this incident remained highly confidential and restricted to only individuals directly involved with the investigation.

During the period of September 19 through October 2, USPS OIG agents and Postal Inspectors configured and installed the technical architecture and tools necessary to identify any impacted servers and workstations on the Postal Service network. These investigative actions resulted in the identification of three Postal Service user accounts and an additional 29 servers with indicators of compromise. Due to the broadening scope of compromise and resulting forensic analysis requirements, data was submitted to the U.S. Department of Defense Cyber Crime Center for forensic analysis.

On October 7, following five days of investigation that revealed suspicious remote communications emanating from several of the compromised machines, the USPS OIG and USPIS team learned that a large data file had been copied and removed from the Postal Service network. This file, however, was encrypted, limiting the ability of the investigative team to identify the data contained within. It was suspected that the file was copied to another server outside of the USPS network that was being controlled by an adversary. Extensive investigative efforts continued over the following days in an attempt to identify the content and location of the removed file.

On the evening of October 10, the CIO informed the PMG of the confirmed data exfiltration. The following day, the USPS OIG held a briefing with senior postal leadership to advise them of the investigation and support mitigation planning.

From October 11 through October 15, USPS OIG agents and Postal Inspectors continued to monitor network traffic for additional compromised servers and workstations. During this period, USPS OIG agents conducted a forensic examination of the server containing the encrypted files. The ongoing investigation revealed that the adversary may have accessed and copied a Postal Service Human Resources file containing employee personally identifiable information (PII).

With the confirmation that employee PII had actually been compromised, and completion of initial remediation efforts, the Postal Service quickly activated its comprehensive communications plan developed for this incident.

Mass Data Compromise Response Plan (MDCRP) Invoked
On October 16, the PMG and postal leadership were advised by USPS OIG investigators of the suspected contents of the exfiltrated file. The investigators cautioned, however, that further extensive and complex forensic analysis was necessary to determine if the file actually contained PII.

The Postal Service CIO concurrently invoked the MDCRP—declaring that the critical incident would be managed through a formal Incident Command structure. As the appointed Incident Commander, I subsequently formed teams to handle various aspects of the plan—specifically, Technical Branch, Communications Branch and Investigative Branch teams.

The Technical Branch was charged with developing the remediation and mitigation strategy, along with assisting in the overall ongoing investigation. The Postal Service Information Technology (IT) Team was assembled under this Branch and immediately began working with US-CERT to determine more detailed information about the threat. This Branch also began consulting with Carnegie Mellon University’s CERT-Coordination Center (CERT-CC), Microsoft Corporation, and other commercial firms specializing in computer intrusion incident response, network monitoring, and remediation strategies to assess the adversary’s capabilities and tactics. These partners were also involved with evaluating the protection of critical Postal Service cyber assets.

The MDCRP Communications Branch was tasked with developing a strategy to communicate the ongoing incident to necessary stakeholders, and to develop a comprehensive internal and external communications plan. A critical component, discussed extensively and thoughtfully planned, was the content and timing of employee messaging in the event that the suspected loss of PII data was confirmed. Strategic business partner and public notification were also critical communications elements that required extensive planning efforts.

The MDCRP Investigative Branch was bolstered by additional resources and assigned specific actions to identify the scope of compromise, along with the impact on Postal Service data systems. A strategic and tactical support request was submitted to the FBI. In response, the FBI provided cyber security intrusion experts, communication support for stakeholder and public outreach, and introductions to executive contacts within other intelligence agencies.

On October 17, the FBI Cyber Unit provided a Top Secret/Sensitive Compartmented Information briefing to the Postal Service Incident Command leadership and advised that the adversary was very sophisticated and that implementing mitigation activities or communicating the threat to employees or the public at that point could result in the threat being further embedded into the Postal Service network. The FBI also reemphasized the need to exercise a high level of operational security during the management of this critical incident.

During the following week, USPS OIG agents and Postal Inspectors continued to obtain forensic images and established network monitoring across the entire Postal Service organization.

Administration and Congressional Notification
On October 20, the Incident Command staff provided a classified briefing to the White House Cyber Security Director and National Security Council staff. The White House Cyber Security Director was instrumental in aligning the Postal Service with the appropriate Federal resources to assist with all facets of managing the critical incident.

On October 22, the Deputy Postmaster General, U.S. Postal Service Inspector General, Chief Postal Inspector and I conducted separate classified briefings for House Oversight and Government Reform Committee and Senate Homeland Security and Governmental Affairs Committee staffs. The Committee staffs were informed of the current status of critical incident activities, the proposed plan to implement remediation within the Postal Service network, and the suspected compromise of employee PII data.

Also on October 22, USPS OIG agents learned that forensically recovered employee data appeared to originate from the Postal Service Human Resources Shared Service Center; however, the contents of the encrypted files were still not known.

Communications Planning Intensifies
On October 23, the MDCRP Communications Branch team began working with select internal Postal Service department representatives to develop action plans for communicating with stakeholders during a hypothetical incident in which employee PII was accessed by an external entity. While it was still unknown at that time if employee PII had in fact been taken, all department representatives were required to plan for this scenario during a series of confidential meetings. As a result of the follow-up exercises, pertinent areas of focus, necessary tasks, and services required to assist potential victims were identified.

A significant challenge in developing communications that would provide the necessary information and details regarding available assistance was that the contents of the compromised data were unknown for much of the time between discovery and announcement.

As the technical analysis of the intrusion identified the scope of the breach, we tailored messaging to ensure all affected victims would be provided with the information necessary to assist in protecting them from the consequences of any illegal use of the compromised data.


1 thought on “Postal Service ‘functioning normally’ after cyber breach, official says in testimony for hearing”

  1. Of course, we all know:

    – postal officials are always completely knowledgeable about the topics they’re discussing.

    – postal officials never lie, to either USPS employees, Congress, or the public.

    Right? ……
