The U.S. Government is challenged to protect private citizens as it struggles to protect its own assets, systems and networks. Of the 16 critical sectors, the Government is the most targeted and often hacked. There is no shortage of stories detailing hacks of government assets through various threat vectors. It is no wonder private citizens are being exploited regularly without hope for a safe haven. Businesses have a slightly higher protection level because of their priority in the economy. However, their fate is no better than the effort a hacker group expends to breach their perimeter.
While politicians continue to argue the structure of agencies and budgets, hackers make off with data that can be converted to currency. Some of the departments and agencies that have been hacked are the Department of Homeland Security (DHS), Department of Defense (DoD) and the National Security Agency (NSA). The issue is that these are the organizations charged with defending the nation’s digital networks. They are also responsible for supporting other Government victims who have also been hacked. These other victims include the USPS, OPM, the Federal Reserve Bank and the national election infrastructure.
Which Government Agencies Have Been Hacked?
Here are just a few documented stories. There are potentially many others that will never be told but affect the future of all Americans.
DoD is challenged with protecting its weapon systems, which were recently hacked by authorized agents who found massive vulnerabilities. By using basic tools and methods, the “hackers” were able to acquire control of systems and see, in real time, everything that the operators (government employees) saw on their computer screens. Authorized agents blame poor cyber hygiene, such as weak passwords and a lack of two-factor authentication, for the easy intrusion. Although DoD has taken steps to improve weapon systems cybersecurity, including, but not limited to, amending policies and addressing cyber vulnerabilities, the agency still faces serious cybersecurity workforce training challenges.
In January of 2018, DHS fell victim to an internal data breach where the contact information, Social Security numbers, dates of birth, positions, grades, and duty stations of 247,167 current and former employees were compromised. The “privacy incident” occurred as a result of a former staff member from the Office of the Inspector General using poor cyber hygiene. The data theft was partly attributed to a lack of employee training but also to a lack of awareness about threats to the organization.
In March of 2017, WikiLeaks disclosed documents that supposedly described the existence of hacking tools created by NSA and the Central Intelligence Agency (CIA). The agency supposedly lost a large portion of its hacking resources, including malware, Trojans, viruses, weaponized “zero day” exploits, and associated documentation. The tools used to disturb hackers in their perch were now in the hands of hackers. This potentially made the tools “weapons of mass destruction.” The sheer power of U.S. Government-made cyber tools in the wrong hands could tip the balance for even a low-level hacker. Not only would it give the hacker status, but it would also allow a low-level hacker to employ the community to go after much larger targets – like the U.S. Government.
The NSA appears to have been hacked and lost tools in 2016. A group called Shadow Brokers released tools to buyers. There is evidence the tools are being used in hacking operations around the world. Massive attacks on Ukraine and other countries, as well as on companies such as the American drug company Merck, have the digital fingerprints of the tools that were stolen. It’s not the first time NSA has been hacked and it will probably not be the last. When we prepare for attacks from nation-states, we must now prepare for attacks executed with weapons we created.
The Dark Web
A Denver-based company performed an analysis of whose information is most prevalent on the dark web. They found that U.S. defense agencies ranked higher than non-defense agencies for stolen data available in the online underworld. Data files related to the U.S. Navy and the U.S. Army were scattered about the marketplace. Apparently, the volume of data surprised even experts who follow the dark web economy. If the defense department has an issue protecting data and training its employees to protect their environment, how are regular citizens expected to follow an effective protection protocol?
There are many more instances of data theft, network exploitation and unauthorized access to these organizations. It is obvious that our strategies are not effective. There must be an opportunity to better manage our data environment and encase that which is special to us. For the citizen, there must be a beacon of hope in the Government. The Government’s inability to stand tall to the cyber threat may eventually make citizens simply give up and accept the costs of being a victim.