How Big Is the U.S. Government Cybersecurity Problem?
A look at recent data breaches and how the government is reacting.
It seems like the US government is more and more often falling prey to hackers, whether it’s from nation-sponsored organizations or independent organizations. Two government data breaches made the list of Network World’s list of ‘Biggest data breaches of 2015’ citing an IRS data breach and the massive US Office of Personnel Management data breach.
This year, the attacks haven’t let up, with four major national government organizations falling victim to data breaches.
In this blog post, we’ll be reviewing some of the biggest hacks of recent memory and detailing how the government is aiming to improve cybersecurity.
One of the 2015’s biggest data breaches exposed the US government’s security flaws
The biggest US government data breach of 2015 was the Office of Personnel Management data breach (OPM), which was the result of a longstanding hack that started in March 2014 (though as more data is revealed, there are estimates that the breach occurred even before March). The government announced the data breach in June 2015 and estimates of stolen records increased from an initial number of 4 million to 21.5 million. The breach led to the resignation of Katherine Archuleta, director of the Personnel Agency,
The complicated breach was a result of social engineering which led to hackers obtaining credentials of a third-party contractor. A malware package was deployed, creating a backdoor which allowed access to the OPM network. The fallout from the breach is still ongoing, with the Atlantic reporting in September 2015 that the fingerprints of 5.6 million people were compromised, 5 times more than originally reported.
2016 brought on more cyber attacks on federal organizations
In February, a seemingly rogue hacker targeted the FBI and DHS, publishing contact information for 20k and 9k employees, respectively, on Twitter. The hacker compromised the email of a DoJ employee, which gave him access to the information.
One of NASA’s drones was allegedly hacked by the known hacktivist group Anonsec, and data on over 2,400 employees, along with flight log and aircraft videos were released. A 300-page zine was released, detailing the information and security failings of NASA. The hack was executed through brute-forcing an administrator’s SSH password left with a default password, which led to root access to three network-attached-storage devices.
Lastly, the IRS was hacked in February and an estimated 700,000 social security numbers and other sensitive information was stolen, just months after its most recent hack in May of 2015 (not counting compromised information resulting from a lost flash drive in August 2015). The attack, which took advantage of the ‘Get Transcript’ program, allowing you to check your tax history, severely increased the risk of identity theft for all victims who had data compromised.
What is the government’s response?
The government is already reacting, knowing that no data breach is acceptable that cyber attacks are poised to get worse. However, the government can’t only address the risks and vulnerabilities that led to its most recent hacks. It must also evolve to combat the new security risks each new year brings. McAfee Lab’s 2016 Threats Prediction Report warns that nation-state attackers could target physical infrastructures through digital means, government-targeting ransomware will be on the upswing, and that exploiting employees will continue to be a mainstay target for attackers.
However, it does have a positive outlook given the fact that government organizations and private companies are working closer together to improve security.
The most recent budget proposal put forth by President Obama includes a $19 billion cybersecurity budget, 35% more than current spending, signaling a shift in priority. This coincided with the release of the Cybersecurity National Action Plan a detailed proposal that takes a short and long-term approach towards improving cybersecurity. Recently, the government announced the first Bug Bounty program to start in April, which would reward vetted hackers for testing and finding vulnerabilities in the government’s network.
These programs are common among enterprises and have been essential for finding and fixing vulnerabilities. While criticism has been levied at the government for their restrictions in the program, these movements are a step in the right direction towards improving cybersecurity.
The current state of government security
However, the effects of these plans won’t be felt immediately and the new budget allotted for cybersecurity is still in flux as the proposal has not been approved yet. We decided to take a closer look into the state of the government’s cybersecurity posture.
We compiled our research and findings into the 2016 Government Cybersecurity Research report, which measures over 600 government organizations across local, state, and national levels and ranks the top 10 most secure government organizations and 10 least secure organizations accordingly.
We also take a deeper dive into the FBI, NASA, and IRS security postures, analyzing their SecurityScorecard and detailing the vulnerabilities they have yet to solve.