Since 2004, October has been National Cyber Security Awareness Month (NCSAM). During this time, federal, state, and local governments examine how their systems and the U.S. are affected by cybercrimes. 2015 saw one of the largest breaches of a federal network system, with the Office of Personnel Management losing over 21 million former and current employees’ personal information. Alongside a dozen other digital breaches, these hacks show that the government is far from perfect in securing its own system against persistent threats while signifying a greater risk to national security.
This paper provides a list of 13 federal breaches not covered since the 2014 Heritage paper “Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation,” which covered a number of federal breaches extending before 2014.[1] This paper can also be used in conjunction with the “Cyber Attacks on U.S. Companies”[2] paper series and Heritage reports on “Congressional Guidance for Cybersecurity”[3] and “Encryption and Law Enforcement Special Access.”[4]
The date listed for each breach reflects when that hack was first reported to the public and does not necessarily reflect the actual time of the breach(es)—which at times could span anywhere from a few days to over a year.
- Department of Health and Human Services (HHS), August 2014. The HHS server that supports the Obamacare Web site was hacked in July 2015, presumably by a non-state actor. The attack did not appear to have targeted the Web site directly, and the servers targeted did not contain any consumers’ personal information. Instead, the breach was reportedly the result of malware on the Healthcare.gov Web site meant to launch denial-of-service attacks on other Web sites. Authorities were alerted soon after the attack was discovered, and the Department of Homeland Security along with U.S. Computer Emergency Readiness Team (US–CERT) helped to respond to the situation.[5]
- White House, October 2014. White House servers were temporarily shut down after system administrators noticed suspicious activity on their network. While no classified information was affected, sensitive non-classified information such as the President’s schedule was accessible. The attack was considered very sophisticated, having been rerouted through various international computers, according to the FBI, Secret Service, and other intelligence agencies investigating the breach.[6]
- National Oceanic and Atmospheric Agency (NOAA), November 2014. The federal weather network confirmed that four sites were hacked by an Internet-based attack. While the initial intrusion occurred in September 2014, NOAA officials did not inform the proper authorities that the system was compromised until much later, a violation of agency policy that requires communication of an attack within two days of discovery. NOAA instead reported an “unscheduled maintenance” as a result of the attack. NOAA would not verify whether critical information was removed or whether malware was inserted into the system. The hack has been attributed to hackers from China.[7]
- United States Postal Service (USPS), November 2014. The personal information (names, birth dates, Social Security Numbers, addresses, employment dates, emergency contact information, etc.) of roughly 800,000 employees was compromised through a hack of USPS computers. While the breach was found around October, information was compromised as far back as January. According to the USPS, there is no evidence to suggest that customer payment data was compromised, but data collected from the call center could possibly have been affected.[8]
- Department of State, November 2014. Hackers in Russia—possibly working with the Russian government—are suspected in a series of attacks made in early October against the State Department’s e-mail system. Officials say that even an intrusion of the unclassified system is a major threat to the security of the agency, given that many classified materials are transported via this unclassified avenue. The information gathered from this breach reportedly helped these hackers go on to hack the White House servers.[9]
- Federal Aviation Administration (FAA), April 2015. In early February, the FAA discovered a circulating malware virus in its administrative computer systems. The agency reported that there was no identifiable damage done to any of the systems. The federal auditor report did state, however, that the “excessive interconnectivity between [the National Airspace System (NAS)] and non NAS environments increased the risk that FAA’s mission critical air traffic control systems could be compromised.”[10]
- Department of Defense, April 2015. Testifying in front of the Senate Armed Services Committee, Secretary of Defense Ashton Carter mentioned how Russian hackers were able to gain access to Department of Defense unclassified files earlier this year. The department quickly identified the hackers and removed them from the network.[11]
- St. Louis Federal Reserve, May 2015. Officials acknowledged the St. Louis Fed Web site was the victim of successful domain name service spoofing in late April, when hackers successfully redirected online communication.[12]
- Internal Revenue Service, May 2015. The successful breach of the IRS Web site allowed hackers access to taxpayer information, including Social Security numbers, birth dates, and street addresses. Originally reported to have affected roughly 100,000 taxpayers, the actual number affected was tripled to 334,000 by August. The breach did not involve the main IRS computer system, but the hackers did gather information that allowed them access to the IRS Get Transcript program and tax information.[13]
- U.S. Army Web site, June 2015. Army.mil was taken offline temporarily after it was found that hackers had gained access to the Web site and were posting personal messages. No critical information was accessed. The Syrian Electronic Army claimed responsibility for the attack on Twitter.[14]
- Office of Personnel Management (OPM), June 2015. Possibly the largest cyber breach to federal networks, this drawn-out theft of government workers’ information is traced as far back as early 2014, when it was revealed that U.S. Investigative Services—a security clearance company—was breached, affecting as many as 25,000 individuals.[15] Additionally, KeyPoint Government Solutions, which conducts background checks of federal employees, was later hacked in December 2014, affecting as many as 49,000 individuals.[16]
The first of two significant OPM breaches, in which the personal information of as many as 4 million current and former federal employees had been compromised, was revealed to the public in June. A second breach was detected later that month. OPM partnered with DHS as well as the FBI to determine the full extent of the breaches. Regrettably, the cyber attacks “predated the adoption of tougher security controls.”[17]
After months of investigation, it was confirmed that the theft of federal employee information expanded to affect as many as 22,100,000 current and former employees. The breach accessed information like “applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends”—all taken from the 127-page SF-86 forms.[18] It was later confirmed that over 5 million of those affected also had their fingerprint information taken.[19]
The personal information taken from these SF-86 forms is a worry for those in the political and intelligence community, as this information is stored and cataloged by foreign states and non-state threats tracking U.S. expats overseas. Meanwhile, biometrics are being sought as an alternative method of information security. Unlike passwords, however, biometrics like fingerprints cannot be changed easily. Fingerprint information essentially grants the holder a master key to whatever the fingerprint is securing.
- Census Bureau, July 2015. The Federal Audit Clearinghouse was infiltrated at the Census Bureau, resulting in the loss of federal employee data and information. While the Clearinghouse did not contain confidential data or personally identifiable information, the hackers were able to retrieve thousands of users’ organization user accounts, census data, and contact methods. Audit information that assesses an organization’s qualification for federal assistance funding was also stolen. The four files that were breached were later posted on the Web, available to the public. The hacker group Anonymous claimed responsibility for the breach.[20]
- Pentagon, August 2015. The Pentagon Joint Chiefs of Staff’s e-mail system for 4,000 employees was taken offline for two weeks after a cyber breach was discovered on July 25. Sources indicate that the attack originated from within Russia. The hackers used a spear-phishing attack, which lures people into opening infected e-mails.[21]
It should be noted this list is incomplete. As Mike McConnell, former director of the National Security Agency, stated, the U.S. Congress, Department of Defense, State Department, and “every major corporation in the United States” has been the victim of a cyber hack.[22] Moreover, hearings following the OPM breach highlighted a number of agencies that had yet to meet their Federal Information Security Modernization Act requirements.[23] According to the Government Accountability Office, “federal agencies continued to have weaknesses in protecting their information and information systems,” even as those agencies reported a greater number of incidents to the US–CERT.[24]
As government departments and agencies become more technologically dependent on the systems they use and the amount of information shared across the whole of government continues to increase, successful cyber attacks will pose an increasingly significant threat to national security. It will be challenging to coordinate but important to continue partnering with private business and those in the cybersecurity community to make sure that government systems and cyber skills are up-to-date with the most current cyber risks and threats. Meanwhile, if the U.S. plans to stay ahead of these cyber threats, it must avoid harmful regulations that prevent companies from developing new technologies for information security.
Policymakers should:
- Remain vigilant in their fight against cyber aggressors. The U.S. needs to avoid becoming complacent in the face of these regular mega-breaches. The government will continue to be a target for cyber aggressors.
- Increase partnerships with private industries. The U.S. should ensure that its government systems are up-to-date. Government relies on private industry computers, and while both private and public networks are targets for future breaches, private industries arguably have the greater incentive, funds, and technical knowledge to respond to security risks in a timely and effective manner.
- Continue collaboration with international partners. Many cyber criminals find comfort hiding in anonymity behind cyber walls and international borders. The U.S. should ensure that domestic and international law enforcement have the right tools for combating cybercrime.
- Create better workforce incentives. A large number of cybersecurity experts move to the private sector after working in government. If the government wishes to retain more talent, simply relying on employees’ patriotic sense of duty is not sufficient. Greater job or monetary incentives are needed to retain talent, or government should be open to allowing outside businesses to handle greater cybersecurity for both government and private industry.
Conclusion
Policymakers should keep in mind that there is no silver bullet in matters of security. There is no single solution for countering cyber threats. Increasing information sharing and working more with international partners are just two initiatives in countering cybercrime, but these alone will not stop breaches. The U.S. should continue to pursue a multi-layered approach to securing its own networks. This can include relying on diplomatic methods to increase cyber cooperation or deter bad actors abroad, or enforcing a variety of sanctions to deal with uncooperative state and non-state actors.
—Riley Walters is a Research Assistant in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.