
Frontline February 2016

Always Vigilant
For CBP cybersecurity team, there’s never a day off
Article and photos by Paul Koscak

Photo illustration courtesy of DARPA


Pick a time, any time. Pick a day, any day. At that moment, thousands of attempts to break into U.S. Customs and Border Protection’s computer network are happening.

Now you have some idea of what CBP’s cybersecurity experts are up against.

It’s no secret hackers create havoc, threaten national security and scheme to steal your personal information. In the past year cyberattacks on the nation’s largest and most trusted companies made headlines. Target Corp. and The Home Depot had millions of customer credit card numbers stolen. Sony Pictures had its employee records and private emails exposed. And the biggest breach of all happened in the federal government’s Office of Personnel Management, where millions of workers had their personal information pilfered.

CBP’s cybersecurity experts protect all Americans. They safeguard the information entrusted by those who do business with the agency, everyone from shippers and brokers to those using the Internet to apply for entry to the U.S. or for agency jobs.

Shaun Khalfan, left, chief systems security officer, outlines security strategies with Gene Huie, vulnerability assessment team supervisor.

With more than 70,000 computers to protect, shielding that network from the world’s cyber thieves and rogue nations bent on breaking into CBP’s data banks is no short order. The odds favor the hacker. There are perhaps 1,000 ways to break into CBP’s computer network and the agency works to thwart them all. But the culprit needs to be lucky just once to bring untold damage, explained Shaun Khalfan, CBP’s chief systems security officer.

“There are always people out there looking for vulnerabilities,” he said. “It could be for political or economic gain, and it’s going to get worse.”


That’s because we’re a highly interconnected society, Khalfan said. Everything from cars to refrigerators to home security systems to entire municipal power grids can be controlled through the Internet. Wireless phones with dozens of applications and social media sites provide even more playgrounds for hackers.

Like a beacon, CBP draws the cyber crooks simply by its size and intrigue. “We have a high profile,” noted Khalfan. “We’re the federal government. We’re law enforcement.”

Keeping CBP systems safe centers on vigilance and a combination of testing, intelligence and employees who report suspicious activities, said Gene Huie, who runs the agency’s vulnerability assessment team. The team is part of CBP’s Security Operations Center.

Combating an attack, on the other hand, is a three-step forensic strategy, according to Douglas McNealy, who runs the center’s computer incident response:

  • Detection. Confirm that something is wrong.
  • Containment. When the virus or malicious object is found, block it, isolate it and remove it by wiping the affected computer.
  • Remediation. Repair and assess the damage. Who needs to be informed? How did the malware break into the system? What countermeasures can we take and how do we prevent another mishap?

“We scan every asset to find vulnerabilities,” said Huie. Testing is a daily, ongoing effort to stay one step ahead of the hackers and find the weaknesses before they do. Testing can also be random, an unannounced probe of a targeted system to gauge defenses and readiness, he said.

A weakness isn’t always because of the way CBP plans its networks or operates its systems. It could be something a software vendor overlooked when developing a new product. The vulnerability could have already been there for years, “a bug in the system,” as Huie describes it. He compares it to a home break-in through an unlocked window.

Testing spots those open windows, but it takes an experienced eye to recognize an intrusion. Like a burglar who off-centers a window shade in an orderly house, the virtual intrusion leaves something that seems amiss. For the cyber warrior, it could be spotting a sharp spike in data flow at 3 a.m., a code that fits the profile of a virus or execution commands that are not logical. “You have to know what normal looks like,” to spot the anomalies, Khalfan said. On the positive side, these oddities leave identifying signatures that can be used to block future attacks.
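The “know what normal looks like” idea above can be made concrete. The following is an added example, not code from the article or from CBP: it builds a per-hour-of-day baseline from six days of constructed outbound-traffic totals and then flags a seventh day against it. The sample data, the 3 a.m. burst planted in it, and the choice of a median-and-MAD baseline are all assumptions made for the illustration.

```python
"""Baseline-and-spike check over constructed hourly traffic counts (added example).

The sample below stands in for a week of per-hour outbound megabyte totals from
a network sensor. Days 1-6 form the baseline; day 7 is the day being checked,
and a burst at 03:00 is planted so the check has something to find.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (day, hour, outbound_megabytes). Business hours are busy,
# nights are quiet, with a little deterministic jitter so the baseline is not flat.
SAMPLE = []
for day in range(1, 8):
    for hour in range(24):
        base = 800 if 8 <= hour <= 18 else 40
        SAMPLE.append((day, hour, base + (day * 7 + hour * 3) % 11))
# Plant the off-hours burst: 2600 MB leaving the network at 3 a.m. on day 7.
SAMPLE = [(d, h, 2600 if (d == 7 and h == 3) else mb) for d, h, mb in SAMPLE]


def build_baseline(rows):
    """Per hour-of-day (median, MAD); MAD is the median absolute deviation."""
    by_hour = defaultdict(list)
    for _day, hour, mb in rows:
        by_hour[hour].append(mb)
    baseline = {}
    for hour, values in by_hour.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[hour] = (med, mad)
    return baseline


def find_spikes(rows, baseline, threshold=10.0, floor_mb=5.0):
    """Return (day, hour, mb, score) for samples far above their hour's baseline.

    score is how many robust deviations the sample sits above the hour's median;
    floor_mb stops a perfectly flat baseline (MAD == 0) from flagging tiny noise.
    """
    hits = []
    for day, hour, mb in rows:
        med, mad = baseline[hour]
        scale = max(mad, floor_mb)
        score = (mb - med) / scale
        if score > threshold:
            hits.append((day, hour, mb, round(score, 1)))
    return hits


def detect(rows=SAMPLE):
    """Baseline from days 1-6, then check day 7 against it."""
    history = [r for r in rows if r[0] < 7]
    today = [r for r in rows if r[0] == 7]
    return find_spikes(today, build_baseline(history))


if __name__ == "__main__":
    for day, hour, mb, score in detect():
        print(f"day {day} {hour:02d}:00 -> {mb} MB, {score}x above normal")
```

The per-hour baseline matters: a 2,600 MB hour would be unremarkable at noon in this sample but is hundreds of deviations above normal at 3 a.m., which is exactly the kind of anomaly the article describes. Any real deployment would choose its own baseline window, threshold and floor.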

The same is true for the end-user. Users become accustomed to seeing familiar pages on a computer or experiencing a certain navigation flow. When changes occur, even slightly, it could be a clue that something is being compromised.

Douglas McNealy, who manages computer incident response, searches for network vulnerabilities with Carlos Serrano, an IT specialist in the security operations center.

The Security Operations Center also works with CBP’s Office of Internal Affairs to prevent violations of CBP’s Information Technology Rules of Behavior, such as visiting pornographic websites, and potential criminal abuses, said Khalfan. The center continues to grow, he said, because IT is increasingly complex and the threats to CBP’s computer system are more sophisticated.

If a hacker manages to breach CBP’s network, the computer incident response staff takes the offensive. The staff isolates whatever virus or malicious content the hacker let loose. Not only does that prevent the bug from spreading, it allows the team to study the intruder, gaining valuable insights on the best way to defeat it—and prevent it from returning. At the same time, the team takes immediate steps to triage the intrusion. Triage determines where the attack originated and ceases any communication with the sender.

Once isolated, the virus is destroyed by overwriting it several times, better known as “wiping it.”

Even when there’s no breach, vulnerabilities are sometimes discovered in a vendor’s software. In that case, the vendor is responsible for fortifying the weak spot with a patch. Patches are pieces of code. Patches can also add features to software to make it more useful. Users will recognize patches as the “updates” that are issued periodically by a vendor or third party, such as Microsoft or Apple. It’s important to maintain the latest software to ensure that vendors support the product with patches and fix vulnerabilities as they emerge. Vendors won’t support products they no longer sell, such as Microsoft’s Windows XP or Windows Server 2003.

Program Manager Michael Bartholf performs a security test with IT Specialist Carlos Serrano at the security operations center.

Intelligence reveals threats. Such intelligence includes interagency reports, CBP’s contacts in the intelligence community and the U.S. Computer Emergency Response Team, known as US-CERT. A Department of Homeland Security agency, US-CERT detects and responds to major incidents, analyzes threats and warns its partners.

They include all federal agencies, technology information centers and system administrators in state and local governments, academia and the private sector. As of Oct. 1, 2015, US-CERT requires all federal agencies to report any system compromise within an hour.

CBP is investing in new equipment and software to improve virus and malware detection, according to Khalfan. The improvements provide more timely warning and control to defeat the growing threats. Information that is days or even hours old can be worthless.

However, the end user—that’s you—can be the best defense against hackers. Be alert for anything suspicious. For instance, an email that’s disguised to look as if it’s from a high-level official is a common ruse. Called “phishing,” the message is usually baited with a virus, opening the virtual door for the hacker, said Khalfan.

Another trick is the fake website. Hackers will lure users to a page that at first glance looks official and asks for personal or proprietary information. The site might have agency or corporate logos, colors and font styles, but a closer look usually reveals misspellings, wrong layout, poor grammar or missing information.

“It may look like the real thing, but something is off,” he said.

Email and social media are the most prolific paths for hackers and scammers. Again, the odds are in their favor. They need to fool only a small percentage of those who receive the hundreds of thousands of emails they blast out for their ruse to pay off.

Common sense can reduce the user’s odds of getting hacked or scammed. Email that promises big money for little effort or claims money awaits you in a foreign country is likely bogus. This could be a “phishing” probe. These emails lure victims into clicking on a malicious link, opening an infected attachment or responding with sensitive information.

To guard against phishing, don’t open email without verifying the sender. Pay close attention to email from foreign countries or from Gmail, Yahoo, Hotmail and similar accounts, particularly if they arrive with attachments or links. Also, never provide personal information via email unless you can verify the sender is legitimate, said Khalfan.
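The sender checks described in the preceding paragraphs (a message claiming to come from a high-level official, a free-mail domain, attachments or links) can be automated as a first screen. This is an added example, not code from the article or from CBP: it reads a raw message with Python’s standard email parser and lists the reasons the message deserves a second look. The home domain `example.gov`, the official titles, the free-mail domain list and both sample messages are constructed assumptions.

```python
"""Sender-verification screen for incoming mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.gov"                 # assumed home domain for this sample
# Assumed titles a spoofed message might borrow as its display name.
OFFICIAL_NAMES = {"office of the commissioner", "deputy commissioner"}
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def sender_domain(header_value):
    """Lowercase domain of the address in a From/Reply-To header ('' if none)."""
    _display, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw_message):
    """Return the reasons a message deserves a second look (empty list = none)."""
    msg = message_from_string(raw_message)
    display, _addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    external = from_dom != ORG_DOMAIN
    reasons = []

    if not from_dom:
        reasons.append("no usable sender address")
    elif external:
        if from_dom in FREE_MAIL:
            reasons.append(f"free-mail sender domain {from_dom}")
        if display.strip().lower() in OFFICIAL_NAMES:
            reasons.append(f"display name '{display}' but external domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"replies go to a different domain ({reply_dom})")

    # Attachments and links only raise concern here when the sender is external.
    if external:
        for part in msg.walk():
            if part.get_content_disposition() == "attachment":
                reasons.append("carries an attachment")
            elif part.get_content_type() == "text/plain":
                body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
                if LINK_RE.search(body):
                    reasons.append("contains a link")
    return reasons


# Constructed sample 1: display name borrows an official title, free-mail
# address, replies redirected elsewhere, with both a link and an attachment.
SPOOFED = """\
From: Deputy Commissioner <dep.commissioner.cbp@gmail.com>
Reply-To: docs-portal@example.net
To: staff@example.gov
Subject: Urgent: confirm your credentials
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached form and confirm at http://example.net/verify

--b1
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

# Constructed sample 2: ordinary internal notice from the home domain.
INTERNAL = """\
From: IT Helpdesk <helpdesk@example.gov>
To: staff@example.gov
Subject: Scan schedule
Content-Type: text/plain; charset="utf-8"

Vulnerability scans run tonight as usual.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(label, "->", screen(raw) or ["nothing unusual"])
```

A screen like this only orders the pile; it does not prove a message is safe. A message that passes still gets the article’s advice applied to it, and one that fails goes to the system administrator rather than being opened.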

The Trojan horse is a similar email scheme. The name is drawn from Homer’s “Iliad,” where Greek soldiers hid in a wooden horse left before the gates of Troy. The Trojans wheeled their wooden gift into the city and at night the soldiers slipped from the horse and conquered Troy. Trojan horse email contains a hidden surprise for users who carelessly wheel it into their computers.

The email may have an attachment containing a joke, a photograph or a patch to fix software. When opened, it may allow an attacker to observe your keystrokes, monitor your transactions or activities and get access to your files.

While a system can be vulnerable, users have a responsibility to use the Internet with caution. They need to be aware of these schemes and immediately report any unusual experiences to their system administrator.