While mega-breaches of high-profile private companies are the norm for headline fodder, the federal government also has its share of vulnerabilities in cyberspace. A February 2017 report by the Government Accountability Office (GAO) highlights the federal government’s consistent shortcomings when it comes to protecting federal information systems.[REF] The GAO highlights the need for agencies to improve their cyber incident detection, response, and mitigation, and to better protect personally identifiable information. The 2015 breach of the Office of Personnel Management (OPM) and the theft of 22 million personnel records by Chinese hackers is further proof of the need for greater security.
Yet agencies continue to be plagued by cyber incidents. In fiscal year (FY) 2016, government agencies reported 30,899 information security incidents, 16 of which met the threshold of being a major incident.[REF] A second report by the GAO, released in September 2017, highlighted federal agencies’ continued weakness in protecting their information systems.[REF] At least 21 agencies continued to show weakness in the five major categories for information-security control: access, configuration management, segregation of duties, contingency planning, and agency-wide security management.
This Issue Brief continues a series of papers that highlight cyber incidents involving the federal government between 2004[REF] and 2015.[REF] Incidents are listed in chronological order by the date the incident was first reported to the public, which does not necessarily reflect the time the breach originally occurred.
November 2016
Department of the Navy.[REF] The Navy was notified in October 2016 that a laptop containing the names and Social Security numbers of 134,386 current and former sailors was compromised.[REF] The laptop belonged to an employee of Hewlett Packard Enterprise Services, which serves as a Navy contractor.
December 2016
Election Assistance Commission (EAC).[REF] Recorded Future, a threat intelligence firm, came across a Russian-speaking hacker looking to sell more than 100 potentially compromised access credentials for the EAC database.[REF] Some of the credentials carried administrative privileges. The hacker, given the name Rasputin, has no known affiliation with a foreign government and claims to have breached the EAC system. According to Recorded Future, Rasputin was in negotiations to sell the information to a buyer working on behalf of a Middle Eastern government. In February 2017, Recorded Future found Rasputin attempting to sell unauthorized access to a number of state and federal agencies, though there was no sign of an actual breach.[REF]
January 2017
Department of Defense (DOD). Not all breaches are malicious. Since March 2016 the DOD and HackerOne—a bug bounty platform—have run a series of “Hack the Pentagon” campaigns.[REF] The campaigns allow U.S.-based hackers to hunt for vulnerabilities in the DOD’s public-facing networks in exchange for a reward. During a Hack the Pentagon campaign that ran from November 30, 2016, to December 21, 2016, a hacker was able to reach an internal DOD network through the goarmy.com website.[REF] Normally, only those with authorized access can reach that internal network.
March and April 2017
Central Intelligence Agency (CIA) and National Security Agency (NSA). Any public release of classified information, especially information reportedly originating from within the American intelligence community, should be treated with caution as to its authenticity. In March 2017, Wikileaks released what it believes to be a list of CIA hacking tools.[REF] The list, known as “Year Zero” or “Vault 7,” was reportedly acquired by Wikileaks while the information was being passed between government employees and contractors in an “unauthorized manner.”[REF] A month later, a group known as the Shadow Brokers continued releasing what it claimed to be NSA hacking tools.[REF] One of the tools included, known as EternalBlue, was associated with a number of cyber attacks that occurred throughout the summer of 2016.[REF] The Shadow Brokers claim to have stolen these tools from a team reportedly associated with the NSA, known as the “Equation Group.”
Internal Revenue Service (IRS). The Data Retrieval Tool for the IRS’s Free Application for Federal Student Aid was breached as early as September 2016.[REF] Approximately 100,000 individuals may have had their taxpayer information compromised. Until the tool was taken offline in March 2017, hackers were also able to file upwards of 8,000 fraudulent applications[REF] and steal $30 million from the U.S. government.
August 2017
Department of Labor (DOL). A new Injury Tracking Application website by the Occupational Safety and Health Administration was suspended after the Department of Homeland Security notified the DOL of a potential compromise.[REF] One company was reportedly affected by the breach.
September 2017
Securities and Exchange Commission (SEC). The SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) database was compromised in 2016.[REF] The system houses sensitive corporate and financial information that could be used by traders looking to gain an advantage in stock trading.
October 2017
Departments of State, Energy, Homeland Security, and Defense, the U.S. Postal Service, the National Institutes of Health, Fannie Mae, and Freddie Mac. A server belonging to the auditing firm Deloitte was compromised in a cyber attack that had been ongoing since 2016.[REF] The server contained the e-mails of an estimated 350 Deloitte clients.
Federal Deposit Insurance Corporation (FDIC). Between 2015 and 2016, the FDIC may have suffered 54 breaches.[REF] Of the 54 suspected or confirmed breaches, six were designated as major incidents and potentially compromised the personally identifiable information of 113,000 individuals.[REF] Just a year earlier, high-level officials at the FDIC were reportedly hacked by agents of the Chinese government during a three-year hacking campaign that lasted from 2010 to 2013.[REF]
U.S. Forces Korea and Republic of Korea (ROK) Armed Forces. A South Korean politician announced that North Korean hackers stole joint U.S.–ROK wartime operational plans in September 2017.[REF] The 235 gigabytes of data stolen may have also included information on key military facilities and power plants.
November 2017
U.S. Army Intelligence and Security Command (INSCOM). UpGuard, a cybersecurity company, discovered in September 2017 an Amazon cloud storage repository containing data belonging to INSCOM.[REF] The publicly accessible cloud storage contained sensitive information, including details of the DOD’s battlefield intelligence platform and a virtual system used for classified communication.
Government Networks Will Continue to Need Security
A breach of the Kansas Department of Commerce exposing 5.5 million Social Security numbers;[REF] the IRS relaxing commitments to protect taxpayers’ personal information;[REF] and the 21 states notified by the Department of Homeland Security that their election systems were targeted by Russian hackers[REF]—these additional incidents bear out the lesson of the list above. While these incidents may not involve the federal level or reflect an actual breach of information, they no less demonstrate the need for greater cybersecurity. To that end, the U.S. government should:
- Support the private sector with active cyber defense. The private sector is key to maintaining a strong U.S. cyberspace, whether it is creating new devices, implementing best practices, developing a strong cyber workforce, or defending U.S. network systems. Lawmakers should refrain from burdening the private sector with rigid regulations and instead look to expand the private sector’s capabilities by allowing for active cyber defense.[REF]
- Continue to work with international partners. Cyberspace knows no borders, but cyber criminals do, and they are often located outside the U.S. The U.S. should work with international friends and allies to take cyber criminals out of cyberspace and make them answer for their crimes in the real world.
No Panacea in Cybersecurity
No silver bullet exists for the problems of cybersecurity. The U.S. government should refrain from shooting the private sector in the foot with new regulations and focus on strengthening the security of its own information.
—Riley Walters is a Research Associate in the Asian Studies Center, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.