US Government Employee Hack & the Future of Warfare

Hacking-of-America-NBC-News-620x433.png

A massive hack of the federal government may have compromised personal information belonging to 9 million to 14 million people, far more than was initially believed. Multiple sources on Capitol Hill, within the federal workforce and around Washington have estimated that the final tally of people affected by the hack could easily eclipse the 4 million reported by the Obama administration.

Already, the theft of data from the Office of Personnel Management (OPM) is the largest data breach ever at the federal government. With an increase in the scope of the attack, which officials, speaking privately, have traced back to China, the Obama administration's response will face further scrutiny and more questions about the state of the nation’s digital security.
 
The Office of Personnel Management has faced repeated hacking attempt, including an incident last year when Chinese hackers tried to steal tens of thousands of files about US workers who had applied for top-secret security clearance. But a breach of federal data that was announced last month appears to be significantly worse than the federal government originally let on.
Hackers may have stolen personnel files for as many as 14 million people. That number, much larger than the actual federal workforce, suggests that the hack may have exposed the information about additional categories of individuals, such as family members or government contractors.
It’s also more than three times as many people as original reports suggested, according to The Hill and other outlets, citing officials who claim the attack originated in China.
Officials are still working to figure out whether the theft of data from the Office of Personnel Management may also include sensitive information about contract workers and family members of employees who underwent background checks. And it’s not clear whether hackers could use the data they have to identify U.S. spies or other intelligence personnel.
But it is clear that large-scale data theft is a major problem facing the United States. It has happened before and it will happen again.

In 2012, Verizon said that “state-affiliated actors” made up nearly one-fifth of the successful breaches it recorded that year. In 2013, hackers stole data about more than 100,000 people from the Department of Energy’s network. Officials in the United State blame China for years-long hacking attempts against the Veteran Affairs Department that began as early as 2010 and compromised more than 20 million people’s personal information. And even though the Office of Personnel Management had been hacked before, it appears the agency continued to be astonishingly lax about its own security.

From The New York Times:
The agency did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside to use the kind of basic authentication techniques that most Americans use for online banking. It did not regularly scan for vulnerabilities in the system, and found that 11 of the 47 computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”
Fighting back against hackers at the government level, many experts say, will require agencies to fight back in real-time. “Like banks and technology companies, government agencies must move to a model that assumes hackers will always get in,” Michael A. Riley wrote for Bloomberg last week. “They’ll need to buy cutting-edge technologies that can detect intruders inside networks and eject them quickly, before the data is gone.”
Officials have warned that in addition to ignoring technical vulnerabilities, the United States hasn’t been forceful enough about deterring hackers. Several experts say the U.S. needs to be more aggressive about publicly reporting the scope of hacking attempts as well as identifying and punishing those who steal government data. The authors of a 2013 report by the Commission on the Theft of American Intellectual Property argued that laws should be rewritten to give the Department of Homeland Security, the Department of Defense, and law enforcement agencies the authority to use “threat-based deterrence systems that operate at network speed” to fight back against unauthorized intrusions into national security and critical infrastructure networks.
“These conditions cannot be allowed to fester,” the authors of the report wrote. “China has taken aggressive private and public actions that are inflicting major damage to the American economy and national security. Robust and swift action must be taken by the U.S. government.”
Such deterrence systems could mean targeting hackers with some of their own weapons: government-sanctioned malware or ransomware, software that locks down a computer without a user’s consent—a tactic that the U.S. government has already explored. As The Intercept reported last year, top-secret files in the trove of documents leaked by whistleblower Edward Snowden revealed the National Security Agency was “dramatically expanding its ability to covertly hack into computers on a mass scale,” including infecting millions of computers across the globe with malware.

The concern is that the government will be able to justify its own covert hacking infrastructure by focusing on the threat of data theft from foreign governments—only to then use malware implants as mass surveillance tools against U.S. citizens.

The military, meanwhile, is beginning to explore what operational readiness and a “traditional war-fighting perspective” might look like when it’s adapted for a post-Cold War digital world. “There are more questions than answers,” wrote the authors of a 2013 Air Force Research Institute report about deterrence in the Internet age. “Organizing to fight through cyber attacks not only prepares the United States to operate under duress, but sends a strong deterrence message to potential adversaries.”
What remains to be seen is the extent to which old military models can even be useful in a new environment. The authors of the Air Force report argue that “human nature has not changed, making fear, honor, and interest no less drivers of human action today than they were in the time of Thucydides.” But the players in an emerging global power struggle that will largely take place online are all new, and they’re using tools that the U.S. government still doesn’t seem to understand. 

The Hill:  http://bit.ly/1I7qDWJ
DefenseOne:  http://bit.ly/1QZMdkC

« Enforcing Magna Carta in the Age of Cyberwarfare
Russian Hackers Posed as ISIS to Hack French TV Channel »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Axial

Axial

Axial Systems is one of the UK’s leading solution providers and systems integrators in network, security and services.

HID Global

HID Global

HID Global is a trusted leader in products, services and solutions related to the creation, management, and use of secure identities.

Comiq

Comiq

Comiq provide software quality assurance, testing and project management services. Areas of expertise include cybersecurity.

National Cyber Security Centre (NCSC) - New Zealand

National Cyber Security Centre (NCSC) - New Zealand

The role of the NCSC is to help New Zealand’s most significant public and private sector organisations to protect their information systems from advanced cyber-borne threats.

Business Continuity

Business Continuity

Business Continuity delivers integrated IT solutions for cybersecurity, virtualization, cloud platforms and operational security solutions.

Telecommunications & Digital Government Regulatory Authority (TDRA) - UAE

Telecommunications & Digital Government Regulatory Authority (TDRA) - UAE

TDRA focuses on regulating the telecommunications sector and enabling government entities in the field of smart transformation. It is responsible for the overall digital infrastructure in the UAE.

Industrial Defender

Industrial Defender

Committed to ICS Cybersecurity. Industrial Defender provides a fully automated solution to discover, track and report on assets across your ICS footprint.

Aligned Technology Solutions (ATS)

Aligned Technology Solutions (ATS)

ATS manage, monitor, and maintain everything from your network and servers to your workstations and mobile devices, and we do it proactively to eliminate downtime and keep hackers at bay.

SessionGuardian

SessionGuardian

SessionGuardian (formerly SecureReview) is the world's first and only technology which ensures second-by-second biometric identity verification of your remote user, from log on to log off.

Xscale Accelerator

Xscale Accelerator

Xscale's vision is to create world-class startups out of India by transforming sales and providing access to global markets.

Raxis

Raxis

Raxis is a cybersecurity company that hacks into computer networks and physical structures to perform penetration tests, assessing corporate vulnerability to real-world threats.

Wavenet

Wavenet

Wavenet has grown from simple beginnings to become one of the UK’s market leaders in unified communications, business telephony, and Cyber Security solutions.

Aquia

Aquia

Aquia are on a mission to enable innovation and drive transformative change to solve the world’s most pressing and complex cybersecurity challenges.

Automotive Information Sharing & Analysis Center (Auto-ISAC)

Automotive Information Sharing & Analysis Center (Auto-ISAC)

Auto-ISAC provides a forum for companies to analyze and identify threats sooner and share solutions that enhance vehicle cybersecurity.

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures is an early-stage investment vehicle focused on cybersecurity, data analytics and automation startups.

Quantum Bridge

Quantum Bridge

Our unbreakable key distribution technology ensures the highest level of protection for your critical infrastructure and sensitive data in an evolving digital landscape.