In a protest against the Transatlantic Trade and Investment Partnership (TTIP), a group of hacktivists has breached the Census Bureau and leaked employee details online, such as employee names, emails, phone numbers, positions and password hashes (emphasis added):

In March, three months before OPM announced its systems had been compromised, a federal government report found that cybersecurity incidents were up 15 percent in fiscal 2014 from the previous year. Indeed, 2014 saw attacks against the White House, the State Department, the U.S. Postal Service and OPM. The attack against OPM, which officials believe happened in March 2014, was thought to have been stopped. Regardless, OPM did very little to shore up its defenses afterward.

Also in 2014, an Office of the Inspector General report urged OPM to shut down systems that were operating without security authorization. Even though the breach had already occurred, OPM’s refusal to shut down the noncompliant systems speaks to a general sluggishness that pervades government cybersecurity protocols. It should surprise no one, not least the government itself, that Veracode’s 2015 “State of Software Security” report once more ranked government the worst in terms of vulnerability.

And the problem is not limited to the federal government.

State agencies, cities, universities, transit authorities and so many others all collect and use personal data of their constituents. As Steve Bridges, a cyber insurance broker from JLT Specialty in Chicago, notes, “it’s almost mandatory to share personal data when you are interacting with government – your name, social security number, credit card information, etc. These entities seem to always be under budgetary pressure and if the feds aren’t investing in the appropriate security, it’s likely that lower levels of government are spending even less.”

There are a number of factors that contribute to the government’s terrible cybersecurity record. But the Veracode report helps point to one very telling culprit.

The report findings should come as no surprise to those of us who have worked within the federal government and know how things work. One thing concerning me with the report is context: although there were some peculiar findings, without the right perspective it is hard to really comprehend why things are the way they are. I do not intend to make any excuse, but really to say that things are nowhere near as black and white as this report would have readers believe.

Cyber security in the federal government is a major problem these days, as it has been for many, many years now. That it's finally in the forefront is good news and will hopefully lead to the reforms many of us had been hoping would come years ago.