A $10 billion-a-year effort to protect sensitive government data, from military secrets to Social Security identification numbers, is struggling to keep pace with an increasing number of cyberattacks and is unwittingly being undermined by federal employees and contractors.
Workers scattered across more than a dozen agencies, from the defense and education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an Associated Press analysis of records.
They have clicked links in bogus phishing emails, opened malware-laden websites and been tricked by scammers into sharing information.
One was redirected to a hostile site after connecting to a video of tennis star Serena Williams. A few act intentionally, most famously former National Security Agency contractor Edward Snowden, who downloaded and leaked documents revealing the government’s collection of phone and email records.
Then there was the contract worker who lost equipment containing the confidential information of millions of Americans, including Robert Curtis of Colorado.
“I was angry, because we as citizens trust the government to act on our behalf,” he said. Curtis, according to court records, was besieged by identity thieves after someone stole data tapes that the contractor left in a car, exposing the health records of about 5 million current and former Pentagon employees and their families.
At a time when intelligence officials say cybersecurity trumps terrorism as the No. 1 threat to the U.S., the federal government isn’t required to publicize its own data losses.
Last month, a breach of unclassified White House computers by hackers thought to be working for Russia was reported not by officials but The Washington Post. Congressional Republicans complained even they weren’t alerted to the hack.
To determine the extent of federal cyberincidents, the Associated Press filed dozens of Freedom of Information Act requests, interviewed hackers, cybersecurity experts and government officials, and obtained documents describing digital cracks in the system.
That review shows that 40 years and more than $100 billion after the first federal data protection law was enacted, the government is struggling to close holes without the knowledge, staff or systems to outwit an ever-evolving foe.
Fears about breaches have been around since the late 1960s, when the federal government began shifting its operations onto computers. Officials responded with software designed to sniff out malicious programs and raise alarms about intruders. And yet, attackers have always found a way in, exposing tens of millions of sensitive and private records that include employee usernames and passwords and veterans’ medical files.
From 2009 to 2013, the number of reported breaches just on federal computer networks — the .gov and .mils — rose from 26,942 to 46,605, according to the U.S. Computer Emergency Readiness Team. Last year, U.S.-CERT responded to a total of 228,700 cyberincidents involving federal agencies, companies that run critical infrastructure and contract partners. That’s more than double the incidents in 2009.
And employees are to blame for at least half of the problems.
Last year, for example, about 21 percent of all federal breaches were traced to government workers who violated policies; 16 percent who lost devices or had them stolen; 12 percent who improperly handled sensitive information printed from computers; at least 8 percent who ran or installed malicious software; and 6 percent who were enticed to share private information, according to an annual White House review.
Reports from the Defense Department’s Defense Security Service, tasked with protecting classified information and technologies in the hands of federal contractors, show how easy it is for hackers to get into DOD networks. One military user received messages that his computer was infected when he visited a website about schools. Officials tracked the attacker to what appeared to be a Germany-based server.
“We’ll always be vulnerable to . . . human-factor attacks unless we educate the overall workforce,” said Assistant Secretary of Defense and cybersecurity adviser Eric Rosenbach.
Although the government is projected to spend $65 billion on cybersecurity contracts between 2015 and 2020, many experts believe the effort is not enough to counter a growing pool of hackers whose motives vary. Russia, Iran and China have been named as suspects in some attacks, while thieves seek out other valuable data. Only a small fraction of attackers are caught.
For every thief or hostile state, there are tens of thousands of victims like Curtis.
“It is very ironic,” said Curtis, himself a cybersecurity expert who worked to provide secure networks at the Pentagon. “I was the person who had paper shredders in my house. I was a consummate data protection guy.”
A look at some key federal cybersecurity breaches
A $10 billion-a-year federal effort to protect critical data is struggling against an onslaught of cyberattacks by thieves, hostile states and hackers.
An Associated Press report this week finds that federal cybersecurity officials also face another challenge: Too often, government employees and contractors are undermining cyberdefenses by clicking malicious links, losing devices and data, or sharing information and passwords.
Last year, security officials responded to 228,700 cyberincidents involving federal agencies and contract partners.
Here’s a look at some key breaches in recent years:
October 2014: White House press secretary Josh Earnest confirmed detection of “activity of concern” on the White House network after news reports that a cyberattack, possibly from Russia, had breached unclassified computers. Officials said there was no evidence that hackers breached classified files, and steps were taken to mitigate the suspicious activity.
October 2014: The FBI announced the arrest of National Weather Service employee Xiafen “Sherry” Chen. A federal indictment accuses Chen of illegally downloading restricted files from the National Inventory of Dams, which contains sensitive information about vulnerabilities in the nation’s 85,000 dams. The May 2012 breach was not made public for a year.
September 2014: Senate investigators said China’s military hacked into computer networks of civilian transportation companies hired by the Pentagon at least nine times, breaking into computers aboard a commercial ship, targeting logistics companies and uploading malicious software onto an airline’s computers. A yearlong investigation identified at least 20 break-ins or other unspecified cyberevents targeting companies, and investigators blamed China for all the most sophisticated intrusions. Investigators alleged China’s military was able to steal emails, documents, user accounts and computer codes. They also said China compromised systems aboard a commercial ship contracted for logistics routes, and hacked into an airline the U.S. military used.
July 2014: British hacker Lauri Love was indicted for breaking into computers at the U.S. Energy and Health and Human Services departments, the FBI’s Regional Computer Forensics Laboratory and others and stealing massive amounts of sensitive and confidential information. Love, who also faces other U.S. indictments, has not been extradited.
June 2014: USIS, the government’s leading security clearance contractor, reported to federal authorities a cyberattack that compromised the records of at least 25,000 Homeland Security employees. The attack, similar to other intrusions from China, penetrated computer networks for months before it was revealed, officials told the AP. The hack wasn’t made public until August; almost a quarter of a million federal employees were urged to monitor financial accounts.
June 2013: First revelations of sweeping government surveillance were published based on some 1.7 million documents taken from the National Security Agency by former NSA contractor Edward Snowden. Snowden, who fled to Hong Kong and then Moscow, has been charged with espionage and theft of government property. Using log-in credentials reportedly shared by colleagues, Snowden downloaded the documents from a confidential network and carried them out on a thumb drive.
September 2011: A thief broke into a car in Texas and stole data tapes that contained sensitive health information of 4.7 million Defense Department workers and their families. The car belonged to an employee of a federal contractor that was supposed to secure the records. Letters were sent to potential victims warning that information contained on the tapes may include names, Social Security numbers, addresses, dates of birth, phone numbers and some medical information. No thief has been caught.
November 2010: WikiLeaks began publishing diplomatic cables leaked by Chelsea Manning, formerly known as Bradley Manning. As an army intelligence analyst, Manning downloaded the documents from a classified network and saved them on a CD and a thumb drive. Manning was convicted of six Espionage Act violations and 14 other offenses for giving WikiLeaks more than 700,000 secret military and State Department documents, along with battlefield video, while working in Iraq in 2009 and 2010.
IN FIVE EASY PIECES WITH TAKE 5