US Government Employee Hack & the Future of Warfare

Uploaded on 2015-06-16 in NEWS-Cybersecurity News, INTELLIGENCE--USA, GOVERNMENT-Defence, FREE TO VIEW

Hacking-of-America-NBC-News-620x433.png

A massive hack of the federal government may have compromised personal information belonging to 9 million to 14 million people, far more than was initially believed. Multiple sources on Capitol Hill, within the federal workforce and around Washington have estimated that the final tally of people affected by the hack could easily eclipse the 4 million reported by the Obama administration.

Already, the theft of data from the Office of Personnel Management (OPM) is the largest data breach ever at the federal government. With an increase in the scope of the attack, which officials, speaking privately, have traced back to China, the Obama administration's response will face further scrutiny and more questions about the state of the nation’s digital security.
 
The Office of Personnel Management has faced repeated hacking attempt, including an incident last year when Chinese hackers tried to steal tens of thousands of files about US workers who had applied for top-secret security clearance. But a breach of federal data that was announced last month appears to be significantly worse than the federal government originally let on.
Hackers may have stolen personnel files for as many as 14 million people. That number, much larger than the actual federal workforce, suggests that the hack may have exposed the information about additional categories of individuals, such as family members or government contractors.
It’s also more than three times as many people as original reports suggested, according to The Hill and other outlets, citing officials who claim the attack originated in China.
Officials are still working to figure out whether the theft of data from the Office of Personnel Management may also include sensitive information about contract workers and family members of employees who underwent background checks. And it’s not clear whether hackers could use the data they have to identify U.S. spies or other intelligence personnel.
But it is clear that large-scale data theft is a major problem facing the United States. It has happened before and it will happen again.

In 2012, Verizon said that “state-affiliated actors” made up nearly one-fifth of the successful breaches it recorded that year. In 2013, hackers stole data about more than 100,000 people from the Department of Energy’s network. Officials in the United State blame China for years-long hacking attempts against the Veteran Affairs Department that began as early as 2010 and compromised more than 20 million people’s personal information. And even though the Office of Personnel Management had been hacked before, it appears the agency continued to be astonishingly lax about its own security.

From The New York Times:
The agency did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside to use the kind of basic authentication techniques that most Americans use for online banking. It did not regularly scan for vulnerabilities in the system, and found that 11 of the 47 computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”
Fighting back against hackers at the government level, many experts say, will require agencies to fight back in real-time. “Like banks and technology companies, government agencies must move to a model that assumes hackers will always get in,” Michael A. Riley wrote for Bloomberg last week. “They’ll need to buy cutting-edge technologies that can detect intruders inside networks and eject them quickly, before the data is gone.”
Officials have warned that in addition to ignoring technical vulnerabilities, the United States hasn’t been forceful enough about deterring hackers. Several experts say the U.S. needs to be more aggressive about publicly reporting the scope of hacking attempts as well as identifying and punishing those who steal government data. The authors of a 2013 report by the Commission on the Theft of American Intellectual Property argued that laws should be rewritten to give the Department of Homeland Security, the Department of Defense, and law enforcement agencies the authority to use “threat-based deterrence systems that operate at network speed” to fight back against unauthorized intrusions into national security and critical infrastructure networks.
“These conditions cannot be allowed to fester,” the authors of the report wrote. “China has taken aggressive private and public actions that are inflicting major damage to the American economy and national security. Robust and swift action must be taken by the U.S. government.”
Such deterrence systems could mean targeting hackers with some of their own weapons: government-sanctioned malware or ransomware, software that locks down a computer without a user’s consent—a tactic that the U.S. government has already explored. As The Intercept reported last year, top-secret files in the trove of documents leaked by whistleblower Edward Snowden revealed the National Security Agency was “dramatically expanding its ability to covertly hack into computers on a mass scale,” including infecting millions of computers across the globe with malware.

The concern is that the government will be able to justify its own covert hacking infrastructure by focusing on the threat of data theft from foreign governments—only to then use malware implants as mass surveillance tools against U.S. citizens.

The military, meanwhile, is beginning to explore what operational readiness and a “traditional war-fighting perspective” might look like when it’s adapted for a post-Cold War digital world. “There are more questions than answers,” wrote the authors of a 2013 Air Force Research Institute report about deterrence in the Internet age. “Organizing to fight through cyber attacks not only prepares the United States to operate under duress, but sends a strong deterrence message to potential adversaries.”
What remains to be seen is the extent to which old military models can even be useful in a new environment. The authors of the Air Force report argue that “human nature has not changed, making fear, honor, and interest no less drivers of human action today than they were in the time of Thucydides.” But the players in an emerging global power struggle that will largely take place online are all new, and they’re using tools that the U.S. government still doesn’t seem to understand. 

The Hill:  http://bit.ly/1I7qDWJ
DefenseOne:  http://bit.ly/1QZMdkC

« Enforcing Magna Carta in the Age of Cyberwarfare
Russian Hackers Posed as ISIS to Hack French TV Channel »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

RedTeam Security

RedTeam Security

RedTeam Security is a provider of Penetration Testing, Social Engineering, Red Teaming and Red Team Training services.

BPC Banking Technologies

BPC Banking Technologies

BPC’s advanced fraud prevention solution helps card issuers and acquirers combat the growing threat by monitoring 100% of transactions, online, in real-time across all channels.

Shift Technology

Shift Technology

Shift Technology provides insurance companies with an innovative SaaS solution to improve and scale fraud detection.

Blake, Cassels & Graydon (Blakes)

Blake, Cassels & Graydon (Blakes)

Blakes is one of Canada’s top business law firms serving national and international clients in specialist areas including cyber security.

Rigado

Rigado

Rigado's mission is to enable commercial IoT success by providing high-performance secure and scalable wireless edge connectivity and network infrastructure.

Simply Hired

Simply Hired

Simply Hired is a job search engine that collects job listings from all over the web, including company career pages, job boards and niche job websites.

Deepwatch

Deepwatch

The Deepwatch Platform helps organizations reduce risk through early and precise threat detection and remediation.

LOGbinder

LOGbinder

LOGbinder eliminates blind spots in security intelligence for endpoints and applications.

Active Countermeasures

Active Countermeasures

Active Countermeasures believe in giving back to the security community. We do this through free training, thought leadership, and both open source and affordable commercial tools.

Blumira

Blumira

Blumira provides comprehensive, hybrid cloud security monitoring and reporting for organizations of all sizes, enabling them to detect and respond to cloud security threats quickly and effectively.

US Digital Corps

US Digital Corps

The U.S. Digital Corps is a new two-year fellowship for early-career technologists where you will work every day to make a difference in critical impact areas including cybersecurity.

6clicks

6clicks

6clicks is an easy way to implement your risk and compliance program or achieve compliance with ISO 27001, SOC 2, PCI-DSS, HIPAA, NIST, FedRAMP and many other standards.

Getronics

Getronics

Getronics guides customers through their own transformation journeys, leveraging an integrated and secure-by-design IT portfolio.

Focus on Security

Focus on Security

Focus on Security are Cyber Security recruitment specialists. We’re dedicated to connecting you with the top Cyber Security talent across the globe. We focus on partnerships and results.

DataTrails

DataTrails

DataTrails enables organizations to prove and verify the provenance and authenticity of any data they use in their business operations.

Gibbs Consulting

Gibbs Consulting

Gibbs Consulting provides innovative, flexible, on-demand IT Services and IT Consulting that delivers value and successful outcomes for our clients.