US Government Employee Hack & the Future of Warfare


A massive hack of the federal government may have compromised personal information belonging to 9 million to 14 million people, far more than was initially believed. Multiple sources on Capitol Hill, within the federal workforce and around Washington have estimated that the final tally of people affected by the hack could easily eclipse the 4 million reported by the Obama administration.

Already, the theft of data from the Office of Personnel Management (OPM) is the largest data breach ever at the federal government. With an increase in the scope of the attack, which officials, speaking privately, have traced back to China, the Obama administration's response will face further scrutiny and more questions about the state of the nation’s digital security.
 
The Office of Personnel Management has faced repeated hacking attempts, including an incident last year when Chinese hackers tried to steal tens of thousands of files about US workers who had applied for top-secret security clearance. But a breach of federal data that was announced last month appears to be significantly worse than the federal government originally let on.
Hackers may have stolen personnel files for as many as 14 million people. That number, much larger than the actual federal workforce, suggests that the hack may have exposed information about additional categories of individuals, such as family members or government contractors.
It’s also more than three times as many people as original reports suggested, according to The Hill and other outlets, citing officials who claim the attack originated in China.
Officials are still working to figure out whether the theft of data from the Office of Personnel Management may also include sensitive information about contract workers and family members of employees who underwent background checks. And it’s not clear whether hackers could use the data they have to identify U.S. spies or other intelligence personnel.
But it is clear that large-scale data theft is a major problem facing the United States. It has happened before and it will happen again.

In 2012, Verizon said that “state-affiliated actors” made up nearly one-fifth of the successful breaches it recorded that year. In 2013, hackers stole data about more than 100,000 people from the Department of Energy’s network. Officials in the United States blame China for years-long hacking attempts against the Veterans Affairs Department that began as early as 2010 and compromised more than 20 million people’s personal information. And even though the Office of Personnel Management had been hacked before, it appears the agency continued to be astonishingly lax about its own security.

From The New York Times:
The agency did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside to use the kind of basic authentication techniques that most Americans use for online banking. It did not regularly scan for vulnerabilities in the system, and found that 11 of the 47 computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”
Fighting back against hackers at the government level, many experts say, will require agencies to fight back in real-time. “Like banks and technology companies, government agencies must move to a model that assumes hackers will always get in,” Michael A. Riley wrote for Bloomberg last week. “They’ll need to buy cutting-edge technologies that can detect intruders inside networks and eject them quickly, before the data is gone.”
Officials have warned that in addition to ignoring technical vulnerabilities, the United States hasn’t been forceful enough about deterring hackers. Several experts say the U.S. needs to be more aggressive about publicly reporting the scope of hacking attempts as well as identifying and punishing those who steal government data. The authors of a 2013 report by the Commission on the Theft of American Intellectual Property argued that laws should be rewritten to give the Department of Homeland Security, the Department of Defense, and law enforcement agencies the authority to use “threat-based deterrence systems that operate at network speed” to fight back against unauthorized intrusions into national security and critical infrastructure networks.
“These conditions cannot be allowed to fester,” the authors of the report wrote. “China has taken aggressive private and public actions that are inflicting major damage to the American economy and national security. Robust and swift action must be taken by the U.S. government.”
Such deterrence systems could mean targeting hackers with some of their own weapons: government-sanctioned malware or ransomware, software that locks down a computer without a user’s consent—a tactic that the U.S. government has already explored. As The Intercept reported last year, top-secret files in the trove of documents leaked by whistleblower Edward Snowden revealed the National Security Agency was “dramatically expanding its ability to covertly hack into computers on a mass scale,” including infecting millions of computers across the globe with malware.

The concern is that the government will be able to justify its own covert hacking infrastructure by focusing on the threat of data theft from foreign governments—only to then use malware implants as mass surveillance tools against U.S. citizens.

The military, meanwhile, is beginning to explore what operational readiness and a “traditional war-fighting perspective” might look like when it’s adapted for a post-Cold War digital world. “There are more questions than answers,” wrote the authors of a 2013 Air Force Research Institute report about deterrence in the Internet age. “Organizing to fight through cyber attacks not only prepares the United States to operate under duress, but sends a strong deterrence message to potential adversaries.”
What remains to be seen is the extent to which old military models can even be useful in a new environment. The authors of the Air Force report argue that “human nature has not changed, making fear, honor, and interest no less drivers of human action today than they were in the time of Thucydides.” But the players in an emerging global power struggle that will largely take place online are all new, and they’re using tools that the U.S. government still doesn’t seem to understand. 

The Hill:  http://bit.ly/1I7qDWJ
DefenseOne:  http://bit.ly/1QZMdkC
