Bureau of Industry and Security’s cyber threat response found lacking

FedScoop reports that the U.S. Department of Commerce's Office of Inspector General found the department's Bureau of Industry and Security (BIS) to have subpar cybersecurity threat detection and response capabilities. Aside from failing to avert simulated cybersecurity incidents, the BIS also had critical security control misconfigurations on its export control networks, as well as improperly managed classified and other privileged credentials, according to the watchdog's report. The misconfigured security controls allowed access to various system information, including user accounts and software components, while credential mismanagement enabled the discovery of plain-text system usernames and passwords.

"If BIS does not improve its current capabilities, advanced adversaries could significantly harm sensitive U.S. export control efforts, which in turn affects national security. Whether the threat comes from external actors or insiders, BIS must be ready to handle future attacks," said the report, which urged the BIS not only to develop extensive incident response processes and properly configure its network system devices but also to adopt a robust password-generating system. The BIS acknowledged the recommendations and disclosed the adoption of plain-text credential scanning and strong password generation.
