Published on August 31st, 2015 | by admin
Cyber Security Risks Series: Government
In our final exploration of how cybercrime is affecting different industry sectors, we’ll take a look at government bodies. Government and cyber security go hand in hand. Government is arguably where cybercrime began, with espionage being at the forefront of reasons why governments use security exploits against each other.
However, more recently we have seen a shift in the type of exploitation happening in government bodies, with the theft of data adding to the threats from cyber espionage and surveillance. In fact, cybersecurity is now such a massive problem for the federal government that the U.S. Director of National Intelligence described cybercrime as the top national security threat, above terrorism and espionage.
Governments and Cybercrime
The extent of threats is increasing and becoming ubiquitous in the day-to-day operations of government agencies. In a recent interview with CBS News, Secretary of State John Kerry said that it was highly likely that the Russian and Chinese governments were reading all of his emails and described the cyber security landscape as being “…like the wild west…”.
Governments are always going to be at risk from threats by other nation states. A cyber war is being waged, and critical infrastructures, including energy, military and financial, are continuously at risk of attack. An example of such an attack was the Pentagon breach in 2011 that saw the theft of 24,000 files relating to new weapon development. This attack was likely a supply chain compromise, with a government contractor’s privileged login credentials being the way into the Pentagon’s servers.
The types of attacks against government are varied. As mentioned above, threats against critical infrastructures and the military are par for the course. For example, in 2014 the U.S. energy grid was attacked at least 79 times. However, threats also include hacktivism, such as denial of service (DoS) attacks or defacement of government websites, as well as more conventional data security breaches. It certainly seems that there is a move towards the theft of personal information of government employees, as recently exemplified by the attacks on the federal Office of Personnel Management (OPM).
Many of the attacks are initiated through phishing emails. The resultant malware can be advanced and persistent, as in an advanced persistent threat (APT). We also shouldn’t forget that government is high up in many supply chains and as such is particularly at risk of supply chain attacks, with malware often coming in through compromised supply chain privileged login credentials.
A recent survey by Lookout on mobile devices in federal government agencies also reported how the BYOD culture is having an impact on government cybersecurity, with government employees having a less than ideal attitude towards security: 18% of them had mobile malware on devices and 37% of them said that they would sacrifice government security to use a personal device at work.
In the year 2013 – 2014 there were almost 61,000 cyber security attack attempts across federal government.
According to the Ponemon Institute, the cost of cybercrime to government agencies (public sector and defense) averages around $5 million annually.
On the back of these attacks, the U.S. government has proposed a bill (signed April 2015) known as the Cyber Intelligence and Sharing Protection Act (CISPA). The bill asks that Information Sharing and Analysis Organizations (ISAOs) be set up to help tackle the increasing threat of cybercrime. The ISAOs are being given backing and legal weight to share security intelligence between commercial and government organizations, in the hope of a better and more collaborative way of curbing the increasingly sophisticated threats seen by both government and commerce.
Examples of U.S. Government Cyber Attacks
- US Military Breach of 2009: This was one of the largest breaches in U.S. government history. It affected around 70 million records of military veterans. The breach was due to a faulty RAID hard drive containing the details being sent out for repair without wiping the data first.
- Office of Personnel Management (OPM): This breach has to date stolen Personally Identifying Information (PII) from around 22 million previous and current OPM employees, and spouses of OPM employees. It is believed the attack was initiated through the supply chain, with a vendor’s privileged login credentials being stolen via a spear phishing attack. PII attacks against government employees are becoming more commonplace and the reasons behind this are not just about identity theft; they can also be about blackmail and coercion, as explored in a previous blog post about foreign state hacking attacks on government personal data.
- Internal Revenue Service (IRS): The IRS was hit earlier this year, with cybercriminals exploiting its identity verification system by using previously stolen PII, most likely account data stolen in the Anthem breach. Cybercriminals were able to get away with over $50 million worth of fraudulent tax claims based on the hacked IRS accounts.
- White House Computer Network: An alleged Russian cyber attack in 2014 was said to have disclosed a number of private details on President Obama’s itinerary which identified his whereabouts at various times. The vector into the data was believed to be malware in a spear phishing email. A similar attack, again allegedly by Russian hackers, was against the Department of Defense (DOD) in early 2015.
- U.S. Department of Energy: A breach in 2013 in the Department of Energy resulted in the data of over 100,000 past and present employees being stolen. This was a PII attack similar to the OPM breach.
- National Oceanic and Atmospheric Administration (NOAA): In late September 2014 a number of weather satellites went offline. The incident is alleged to have originated in China and to have been due to poorly protected servers.
Governing Cyber Security
Government has some unique issues to resolve in handling security threats. Nation state cyber espionage, terrorism and hacktivism will always be a threat, in particular to the protection of critical infrastructures and homeland security. However, the protection of personal data is becoming an increasing worry for government, as this too has the potential to have an impact on national security through the recruitment of insiders who can threaten network and infrastructure security.
National security is one area of concern, but an emerging area that is open to attack on a massive scale is citizen identity. A number of governments across the world have already created, or are in the process of creating, citizen identity to allow citizens to transact with online government. Creating and verifying these identities, as well as maintaining their security, will be a challenge. As we’ve seen in the OPM breach, PII is a sought-after commodity for cybercriminals, and the idea of having 320 million U.S. identities will, I am sure, be a highly attractive prospect. The U.S. government has an initiative, the National Strategy for Trusted Identities in Cyberspace (NSTIC), that is looking at creating a framework of federated identities to work within government and commerce. The goal is to make the identities privacy enhanced and secure. NSTIC has come under some criticism as being too idealistic from civil rights campaigners like the Electronic Privacy and Information Center (EPIC), who have said that “…online identity is complex problem and the risk of ‘cyber-identity theft’ with consolidated identity systems is very real. The US will need to do more to protect online privacy.” Citizen identity opens up a whole new area of cyber security threats and is one to watch.
Our final post in the Cyber Security Risk Series will be a roundup comparison of all the sectors covered over the last several weeks.
Perimeter defenses are insufficient when protecting vulnerable industries, such as government. These vectors require a holistic approach to cyber security that allows them to rapidly remediate post-attack.