It’s hard to even begin to fully comprehend how the US Federal Government could attempt to justify the decades of blatant tech mismanagement involving major information security lapses and outdated network security. The old technology infrastructure, which has all of a sudden become a priority for security improvement, set the stage for the recent U.S. Office of Personnel Management (OPM) cyber security breach [1].
To Date, Over 21 Million People Were Affected
The figures keep increasing and new findings show that more than 21 million people were affected by the latest US Federal Government OPM data breach. This massive cyber security breach is an inexcusable hack that was waiting to happen.
The OPM Lack of Basic Security Measures
According to an audit, OPM lacked a commonly used, two-step sign-on system-wide authentication. One question, especially in light of the attack on the State Department's unclassified email system several months ago, is why was the lack of a system-wide authentication measure overlooked by the State Department. And, why did this basic security measure slip by The White House? The hackers seemed to have no problem leveraging this weakness.
According to an industry editorial in SC Magazine, six months after the State Department announced an attack on its unclassified email system, the likely attackers have been identified [2].
CozyDuke, as Kaspersky Lab refers to the Advanced Persistent Threat (APT) group, apparently targeted both the White House and the State Department in 2014, and they are most likely involved in the recent hack attack [3].
Hacktivism Against the State
As we wrote about recently, hacktivism is alive and well but transforming. However, one stalwart of the movement has shown its face again in an attack on the Census Bureau. The result of the breach includes the disclosure of names, emails, and password hashes. Is this any surprise that Veracode placed the government as one of the most vulnerable targets on their “State of Software Security” reports in 2013?
When compared to other industries such as finance or manufacturing, government agencies are lagging severely behind them when it comes to dealing with detected security technology problems. The government is responding to approximately one-third of the detected incidents while finance (81%) and manufacturing (65%) are doing much better jobs. This could be a cultural issue that is baked into the fabric of their personnel. While younger employees have become aware of the risks that lurk in cyberspace, the aging cohorts that make up many government agencies are not as thoroughly inoculated with the risks. Another issue affecting the timeliness of dealing with cyber security issues within the federal government is bureaucratic red tape. Too many hoops must be jumped through for IT security teams to respond.[4]
IT Optometry
So how can federal agencies improve their security posture? Will we see cyber security become a major talking point for the 2016 election cycle? It sure should be considering the never-ending disclosure of massive security incidents we have witnessed over the last two years.
References
[1] http://blogs.wsj.com/cio/2015/07/10/years-of-tech-mismanagement-led-to-o...
[2] https://www.scmagazine.com/brief/breach/state-dept-system-still-down-to-exorcise-attackers
[3] http://www.scmagazine.com/kaspersky-lab-details-cozyduke-group/article/4...
[4] http://www.nextgov.com/technology-news/tech-insider/2015/07/government-h...
