A massive breach affecting millions of federal workers looks like the handiwork of a nation state, with China as the likely candidate, lawmakers and government officials indicated Thursday, drawing calls for swift retaliation. But a larger question looms. Are the federal government systems punched so full of security holes that they can't adequately protect sensitive information?
“I have to think that it must appear to threat actors all over the globe that the U.S. government's IT systems are full of holes, like Swiss cheese, and the response from the U.S. is to play whack-a-mole every time, in a valiant attempt to close each hole,” Andy Hayter, security evangelist for G DATA, said in a statement sent to SCMagazine.com about the breach at the Office of Personnel Management (OPM), which may have compromised the information of four million current and former federal employees. “With all of these attacks, it's likely that each one is arming cyber criminals with exactly what they need and want to execute another one, and the vicious cycle continues.”
Hayter noted that every breach of a federal agency “spells out our vulnerabilities loud and clear to our adversaries, letting them know there are many more opportunities for them to hack our systems and networks over and over again.”
It seems they're getting the message. In recent months, attackers have certainly seized those apparent opportunities. “Activity of concern,” detected at the State Department turned out to be a result of intruders in the agency's non-classified systems. It took months and months for the department to shake them out, with limited success.
The same attackers, who appear to be part of the CozyDuke Advanced Persistent Threat (APT) group, by then had moved on to hack into White House's unclassified systems. And Tuesday, IRS Commissioner John Koskinen defended his agency's security posture in testimony before two Senate committees, attributing a breach of its system through the exploitation of the now-disabled “Get Transcript” application, in part, to budget cuts.
The FBI is investigating the latest incursion into government systems, which OPM believes started in May and was detected by the Department of Homeland Security's intrusion detection system, known as EINSTEIN.
An “aggressive effort to update its cybersecurity posture” over the past year, apparently came too late for the agency, which said in a release that the breach occurred before the government fully deployed its new tools.
The attack is particularly troubling in its potential scope. Because OPM serves as the human resources department for the federal government, among other responsibilities, conducting more than 90 percent of federal background investigations, the breach could impact every federal agency.
“Beyond spear-phishing, knowing detailed personal information, past and present, creates possible cross-agency attacks given job history data which appears to be in the mix,” Mark Bower, global director of product management at HP Security Voltage, said in a statement emailed to SCMagazine.com. The attack, then, is likely less about money and “more about gaining deeper access to other systems and agencies which might even be defense or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft," he says.
Though NBC News reported that a spokesman for China's foreign ministry denounced what he called “groundless accusations” against the country, if China is behind the OPM breach, as many lawmakers have speculated, it represents a troubling pattern of state-sponsored cyber attacks against the U.S. and raises questions about the appropriate response.
Igor Baikalov, chief scientist, Securonix, told SCMagazine.com in an emailed statement that the only difference between the current attack on OPM and one that occurred a year ago is that, “now the Pentagon has a new cyber strategy that specifically calls out retaliation as a viable cyber option - not only in response to an attack, but also as a principal factor of deterrence.”
But, he asks, “Are we ready to explore it?”
The answer to that may be tipping toward, "yes."
Lisa Sotto, managing partner of the Hunton & Williams LLP's New York office and head of the firm's Global Privacy & Data Security Practice, expects that if the breach is the work of the Chinese government, “we will see some retaliation," she said in an interview with SCMagazine.com.
After North Korea was fingered as the culprit behind the Sony attack last fall, the government acted swiftly to impose sanctions.
Those and other options are seemingly on the table in the wake of the OPM incident. "We're still evaluating how serious the breach is, but if it does involve the compromising of the personal records of four million Americans, I certainly think that a strong response is warranted," NBC News reported Senate Intelligence Committee member Sen. Susan Collins, R-Maine, as saying.
While government must act decisively, it must also proceed with caution in the murkier waters swirling around the rules of cyber engagement.
Clearer, though, is the pressing need for the federal government to button up its systems, so these breaches don't happen so frequently and with such potentially devastating results.
Richard Blech, CEO, Secure Channels, says in a statement sent to SCMagazine.com, that “The new tools [used by OPM] cannot be very good if it takes four months to find out you have been breached."
Those tools “mean nothing,” he said, if data is stolen.
“The goal is to leave data useless to the hacker when stolen,” Blech continued, explaining that “higher valued data that is held by OPM should have all been deeply encrypted.”
G DATA's Hayter said it is time for the government “to move past checkbox compliance efforts and regularly conduct complete audits of each and every system, using experienced penetration testers who can help them continuously find and fix vulnerabilities.”
Andrea Little Limbago, Principal Social Scientist at Endgame, advocated for a “legitimate public-private partnership that extends beyond lip service.” In a statement sent to SCMagazine.com, she said, “It's time to move beyond our cultural divisions and unify against the common adversaries who are the true threats to privacy, security, democracy and human rights across the globe."
Hayter urged the government to act quickly to implement stronger security measures. Officials should, he said, “put immediate plans into action to close these holes before the bad guys have the opportunity to breach any more systems and steal sensitive information.”
And of even greater concern, he said, “While these latest breaches at the IRS and OPM only exposed personal information, what's to stop more sophisticated threat actors who want to jeopardize our homeland security?”