Jeremy Grant was quoted in Federal News Radio on March 26, 2018, about GSA's central contractor website being hit with fraud for a second time. GSA alerted vendors on March 22, 2018, after it found that a third party had changed the financial information of "a limited number" of contractors registered on the government-wide System for Award Management (SAM.gov) portal. GSA is now taking steps to further limit any attempts to defraud the government.
A GSA spokesman emphasized to Federal News Radio that what happened to SAM.gov was not a cyber or technical breach, but a case of fraud.
But Grant said this certainly sounds like a cyber incident. "If passwords to the SAM accounts were phished, then that is the definition of a cyber incident. It just happens to be a cyber incident that was used to perpetrate fraud. The fact that money was stolen instead of data does not change the fact that the attack method was based on exploiting weaknesses in the SAM authentication system," Grant said. "Symantec just this week released their 2018 Internet Security Threat Report, which noted that 71 percent of cyberattacks last year began with spear phishing. Given that the SAM system is critical to how government contracts are managed — and how contractors get paid — it's not surprising to see that SAM accounts would be a target for phishing attacks."
Grant said any federal website that depends on password alone for authentication and protection is destined to be a victim of a cyber attack. "Passwords are the single most commonly exploited attack vector in cyberspace," he said. "Given the importance of SAM, GSA should follow NIST guidance (SP 800-63-3) and require use of multi-factor authentication to protect accounts — preferably 'high assurance strong authentication' where at least one factor leverages public key cryptography."