Even though there have been at least two dozen mass breaches of government computer systems since 2013, many federal agencies continue to have a lax culture and poor security provisions to repel the growing threat from hackers and cyberattacking states such as Russia, Iran and China, internal investigative reports show.
From the State Department to the Transportation Department, internal inspectors general have flagged, over the last few months, widespread vulnerabilities while noting that prior security recommendations have gone unheeded, the reports reviewed by The Washington Times show.
One of the nation’s premier cybersecurity experts said the ugly truth is that the U.S. government hasn’t done much more than private industry to fortify itself against the growing threat of cyberwarfare.
“It would be wrong to suspect that the federal government is any better at this than the private sector. They aren’t necessarily worse; they are about the same,” said Paul Rosenzweig, a former top Department of Homeland Security policy aide and now a visiting fellow at the Heritage Foundation.
The think tank recently released a report documenting at least 23 publicly disclosed computer system breaches at federal agencies. And experts say the actual number is likely much higher, with some breaches never disclosed.
“This is a broad attack on U.S. research and development,” said Shawn Henry, the FBI’s former top cybersecurity expert and now the president of CrowdStrike, a private company that helps businesses fight cybersecurity threats.
“It’s not like when a bomb goes off [where] we can see the damage from that. It’s not easy to see the damage from these attacks, so it really moves down the priority list,” Mr. Henry said.
In recent months the State Department, U.S. Postal Service, National Oceanic and Atmospheric Administration and the White House have all experienced system hacks that have interrupted their computer operations.
Many agencies have fallen behind on system updates, leaving federal networks ever more vulnerable, the inspectors general warn.
The State Department’s inspector general wrote in a recent report that the department, which holds many of the nation’s most sensitive diplomatic secrets and embassy cables, has failed to remedy several information system concerns that have piled up over several years.
“Although we acknowledge the department’s actions to improve its information security program, we continue to find security control deficiencies in multiple information security program areas that were previously reported in FY 2010, FY 2011, FY 2012, and FY 2013. Over this period, we consistently identified similar control deficiencies in more than 100 different systems,” investigators wrote in the audit.
In fact, the inspector general’s office identified 62 unresolved recommendations to make improvements, including 29 that date from at least 2013.
A recent Department of Transportation IG’s report highlighted similar system shortcomings due to a lack of monitoring and security safety training programs.
Hacks within the DOT are especially concerning when travelers’ lives are on the line.
“A weak information security program can create gaps in the physical security and continuity of operations at air traffic control facilities that may contribute to this sort of incident,” investigators wrote in an audit of DOT information systems released this month.
Worth the investment
Heritage’s Mr. Rosenzweig said he fears that federal authorities have not made system updates a top priority due to high costs.
“It’s clear that we are short on the degree to which we make this a priority,” he said. “It’s all cost. You don’t make your program more effective. You don’t make any more money if you just do cybersecurity. It all makes it harder for you, not easier, and you are spending money.”
But Mr. Henry and Mr. Rosenzweig agreed that the threat of more hacks was important enough to warrant spending the money.
“I think the impact is a higher cost than the cost to fix it. I think that perhaps people in our society should be considering the long- term danger that foreign governments have all of our stuff,” Mr. Henry said.
The State Department confirmed last week that it had been the subject of a successful cyberattack on its unclassified systems, and some experts have suggested that it could be of Russian origin and related to another recent breach on the White House email system.
Additionally, NOAA has attributed a recent breach of the agency’s weather network to hackers based in China.
“Based on information that I’ve seen, it appears to be nation-state-sponsored,” Mr. Henry said.
While none of the recent breaches has jeopardized highly sensitive information, experts worry that they could be an indication of more harmful attacks to come.
“Nonsensitive breaches are nice to have, but if you’re a bad guy, you want the crown jewels,” Mr. Rosenzweig said.
The private sector is also at great risk, as recent hacker attacks at Target, Home Depot and Neiman Marcus revealed.
“I think there’s a lot more information of value [in the private sector] than there are in the government industries. The government industries are more administrative,” Mr. Henry said. “They may be looking at people who work in these agencies. They may be collecting addresses, but what’s more important is collecting development information on manufacturing and technology.”
According to Heritage, the annual average cost per company of successful cyberattacks increased to $20.8 million in financial services, $14.5 million in the technology sector and $12.7 million in communications industries in 2014.
There have been at least 26 known hacks on U.S. companies since January, including AT&T, Apple iCloud and UPS.
The Department of Homeland Security told ABC reporters earlier this month that Russian hackers used malware to infect the systems that run much of the nation’s infrastructure.
Using a type of malware called “Black Energy,” hackers were able to penetrate systems that control power grids, oil and gas pipelines, wind turbines and water distribution and filtration systems.
In January 2008, President George W. Bush established the Comprehensive National Cybersecurity Initiative, a 12-point plan meant to ensure security of networks across all government agencies.
But according to Mr. Henry, while components of the plan are still in existence, the initiative has largely slipped away under the Obama administration.
President Obama planned to continue with the initiative and established an executive branch “cybersecurity coordinator” that would work directly with government agencies and departments to respond to cyberattacks. Longtime White House intelligence budget aide Michael Daniel now holds the post.
In 2003 the Department of Homeland Security’s cybersecurity division established the United States Computer Emergency Readiness Team (US-CERT), responsible for analyzing and reducing cyberthreats across all agencies.
“US-CERT is responsible overall for that. They do a good job in the area of responsibility they have, but it’s a much broader issue,” Mr. Henry said. “I think there needs to be a person that is in charge of cybersecurity across all government agencies.”