Lessons Learned from the Treasury Department Attack

  • May 29, 2025
  • Kevin Kirkwood
  • 5 minutes to read

    TEN18 by Exabeam

    This post was coauthored by Kevin Kirkwood and Gabrielle Hempel.

    Last year’s cyberattack on the Treasury Department raises some important questions about the U.S. cybersecurity landscape and serves as an important reminder that we need to critically evaluate the broader context of cybersecurity challenges.

    Isolated Incident or Broader Threat?

    CISA indicated that the attack was isolated to the Treasury Department, but the claim prompts a closer look. Is it realistic to think that the breach only affected one area of the U.S. government infrastructure? Furthermore, is it a plausible claim that FedRAMP-certified systems have never had a successful attack performed against them? It’s worth considering whether this reflects incomplete or misdirected information. It might also be time to reevaluate the U.S. government’s cybersecurity strategy.

    Advanced Threat Groups: A Growing Challenge

    Let’s examine some of the advanced threat groups that have successfully conducted operations within the United States recently:

    • Salt Typhoon: Known for breaching numerous telecom companies, their focus appears to be intercepting sensitive communications. Secondary objectives may include lateral movement across government systems, access to law enforcement wiretap capabilities, and remaining stealthy to avoid detection.
    • Flax Typhoon: This group has built a botnet army comprising over 260,000 compromised devices like routers, NAS systems, and IP cameras. They’ve been linked to the Treasury Department breach, possibly aiming to gather intelligence on sanctions or test how critical economic systems could be disrupted.
    • Volt Typhoon: Targeting critical infrastructure, they focus on routers and communication networks. Their ultimate goal may be to disrupt network traffic during crises, alongside gathering intelligence across various sectors such as manufacturing, transportation, and government.
    • Velvet Ant (Cow Killer): This group leverages advanced, layered attack methods, often targeting high-value systems like F5 BigIP appliances and Cisco devices. Their persistence strategies make their attacks incredibly difficult to eliminate, reflecting a broader trend of stealthy, long-term espionage efforts.

    These groups exemplify the evolving threats security teams face — persistent, strategic, and deeply embedded. While each has unique tactics, their collective activity aligns with a long-term strategic approach, potentially linked to larger geopolitical considerations.

    Given the U.S. role as a key partner in the defense of Taiwan against China, and the sophistication and persistence of these attacks, it’s unlikely they’ve only affected a single department of the U.S. government. Cybersecurity professionals should operate under the assumption of breached status, which allows for a proactive, rather than reactive, approach. It’s a reminder to stay vigilant and prepared for the possibility of undetected compromise across sectors.

    Reevaluating Federal Cybersecurity Strategy: Beyond One-Size-Fits-All Solutions

    The size and scope of the U.S. federal government present an interesting problem for developing a strategic defense. There is no one-size-fits-all solution that can be taken off the shelf and applied universally, one that a cyber leader could point to as the foundation for defense.

    There have been several attempts by presidents to establish a cybersecurity strategy by mandate:

    The Flaws of Management by Fiat: A Closer Look at Cyber Mandates

    Management by fiat — a leadership style where decisions are made and implemented through authoritative decrees or orders, rather than through discussion, collaboration, or consensus-building — is an interesting, yet untenable approach.

    Take Zero Trust as an example. Top-down mandates like “just implement Zero Trust” oversimplify complex strategies. Zero Trust is an adaptive philosophy, not a plug-and-play solution. When leadership treats it like a product rather than a framework, results suffer.

    The federal government often expects private industry to align with public-sector models, despite paying less and lacking competitive mid-career incentives. This mentality undermines meaningful collaboration with industry.

    FedRAMP, while well-intentioned, illustrates the inefficiencies of these mandates. It imposes extensive controls that often burden vendors more than they secure federal data — particularly when layered on top of hybrid cloud requirements.

    Finally, structural contradictions persist. Agencies tasked with both attacking and defending cyber infrastructure face internal conflict. Offensive units seek out gaps; defenders aim to close them. These opposing goals create friction that weakens national cyber resilience.

    Where Do We Go from Here? Comprehensive Cybersecurity Strategy for the Federal Government

    Given the complex and fragmented nature of the U.S. federal government’s cybersecurity landscape, there is an urgent need for a more comprehensive, adaptable strategy. While mandates like Zero Trust and cloud-first policies provide a high-level framework, they fail to address the practical challenges posed by the diversity of federal agencies and the dynamic nature of cyberthreats. A risk-based, adaptive approach would better align resources, prioritize efforts, and ensure a more robust defense.

    A Risk-Based Cybersecurity Approach

    A risk-based strategy would allow federal agencies to prioritize their cybersecurity efforts based on the potential impact and likelihood of attacks. This approach ensures that agencies are not simply following a one-size-fits-all mandate but are instead tailoring their defenses to address the specific threats they face. For instance, high-value targets like the Treasury Department and critical infrastructure would benefit from more stringent controls, while less sensitive systems could be afforded more flexibility. A risk-based framework emphasizes the need to focus on the most critical assets and reduce exposure to high-risk scenarios.

    Cross-Agency Collaboration and Shared Responsibility

    Cybersecurity is not a challenge that can be tackled by individual agencies in isolation. To create a resilient defense, agencies must work together, sharing threat intelligence and best practices to close gaps and strengthen collective security. This can be achieved by setting up more formalized communication channels and fostering collaboration between key stakeholders. Cybersecurity information-sharing frameworks like the National Cybersecurity and Communications Integration Center (NCCIC) already exist, but these must be expanded and integrated into everyday operations, ensuring that no agency is left behind in the race to defend against evolving threats.

    Additionally, fostering partnerships with the private sector should not simply be about adopting best practices. Rather, it should be about creating mutual accountability. Private companies can offer critical expertise and advanced technologies, but government agencies need to ensure that these partnerships reflect the unique needs of federal infrastructure and allow for rapid response to emerging threats.

    Continuous Monitoring and Threat Intelligence

    A foundational element of a comprehensive cybersecurity strategy is the implementation of continuous monitoring across all government systems. Rather than reacting to incidents after the fact, agencies must develop capabilities to detect anomalies in real time and respond proactively. This includes leveraging threat intelligence platforms, machine learning, and AI-driven solutions to detect emerging threats, as well as establishing security operations centers (SOCs) within key departments.

    Moreover, cybersecurity professionals within the federal government should shift their mindset from simply defending against known threats to anticipating new and evolving tactics. This proactive posture, which includes preparing for breaches as if they have already occurred, will enable agencies to respond quickly and effectively when an attack does happen, reducing potential damage and operational disruption.

    A Unified, Flexible Defense Posture

    Finally, adopting a unified and flexible defense posture across all government agencies is crucial. This would involve harmonizing cybersecurity policies, frameworks, and responses, while also being flexible enough to accommodate the diverse needs of individual agencies. For example, while one department may rely heavily on cloud infrastructure, another may still depend on legacy systems, and each requires a tailored security solution. A centralized coordination body could help guide these decisions and ensure consistency across all agencies.

    Preparing for the Future of Cybersecurity Threats

    In conclusion, the cyberattack on the Treasury Department serves as a stark reminder of the complex and evolving nature of cybersecurity threats facing the U.S. government. As we have seen with advanced threat groups like Salt Typhoon, Flax Typhoon, and Volt Typhoon, the tactics used by adversaries are increasingly sophisticated, persistent, and often intertwined with larger geopolitical goals.

    These threats underscore the necessity for a more adaptive, comprehensive cybersecurity strategy — one that goes beyond one-size-fits-all mandates like Zero Trust or cloud-first policies. The federal government must embrace a risk-based approach, prioritize cross-agency collaboration, and invest in continuous monitoring and threat intelligence to stay ahead of adversaries. By creating a unified and flexible defense posture that can be tailored to the diverse needs of various agencies, the government can better protect its critical infrastructure and ensure a more resilient cybersecurity landscape. The path forward requires not just reacting to breaches, but proactively preparing for them, ensuring that the government is equipped to handle the ever-evolving cyber threats of the future.

    Kevin Kirkwood

    Chief Information Security Officer | Exabeam | Kevin Kirkwood is the Chief Information Security Officer at Exabeam, overseeing the global Security Operations Center (SOC), Application Security (AppSec), Governance Risk and Compliance (GRC), and Physical Security. With over 25 years of experience, Kevin has led security initiatives for organizations such as PepsiCo, Bank of America, and the Federal Reserve System. Kevin studied Marine Biology and Journalism at Texas A&M and after six years in the US Navy, he received a Bachelor of Science in Computer Information Systems. Kevin is passionate about giving back and volunteers as the Vice Chairman of the Planning Commission for his county and serves as President of the local water board. In his free time, Kevin enjoys continuous learning, riding motorcycles, and dreams of creating a farm for both fun and profit.
