Cyber insecurity

Many US government agencies have failed to take the most fundamental security measures, such as patching software holes or using strong authentication technology, to help secure sensitive data.
Many US government agencies have failed to take the most fundamental security measures, such as patching software holes or using strong authentication technology, to help secure sensitive data.PHOTO: REUTERS

Even though the American technology sector leads the world, the US government's computers are woefully unprepared for today's cyber attackers. Agencies responsible for vital national interests lack even basic defences common in the private sector.

In July 2013, a hacker calling himself "Peace" uploaded a malicious string of code into computers at the United States Department of Energy (DoE) - the agency that oversees the American nuclear weapons programme, power production and other vital national interests.

Peace hit the jackpot, gaining access to a trove of confidential personal data - including the names of employees, their social security numbers and their bank account details. "YASSSS," he typed in an online chatroom. "I AM INVINCIBLE!!! Finally shelled mis.doe.gov after over 24h."

Prosecutors allege that Peace is Lauri Love, a 30-year-old resident of Suffolk, England. With relative ease, he and his unnamed co-conspirators gained "unlimited access" to the system and ran more than 600 queries on the DoE's computers. The alleged hackers accessed the personal information of more than 104,000 current and former DoE employees by breaking in through a known - but unpatched - vulnerability in an Adobe software program called ColdFusion.

Love allegedly used the same tactic to infiltrate the Federal Reserve, Nasa, the Environmental Protection Agency, the Army and the Missile Defence Agency, according to three separate criminal charges. The DoE breach was one of the biggest violations of government employee data at the time - and the department's watchdog says it could have been prevented.

"The vulnerability exploited by the attacker was specifically identified by (US software company Adobe) in January 2013," DoE inspector-general Gregory Friedman concluded after investigating the hack.

STUMBLING BLOCKS

It's an intelligence bonanza for the Chinese. Why there isn't more outrage tells me how far we are from fixing this problem... It would take a serious effort at each (agency) to get this right, to revamp the technology, and it takes money.

MR MIKE ROGERS, a former senator who, as chairman of the intelligence committee, was an advocate of improving cyber defences

While serious, the breach at the DoE could hardly be called rare. Even though the American technology sector leads the world, the US government's computer systems - including those of agencies that handle information crucial to national security - are woefully unprepared for the frequency or sophistication of today's cyber attackers.

Their vulnerabilities have been hiding in plain sight. Earlier this month, the Obama administration admitted that hackers stole the private information of 25 million individuals through two hacks at the Office of Personnel Management (OPM), the government's human resources arm. The second breach was the largest-ever cyber attack on a US government agency. OPM's chief resigned on July 10.

Lawmakers see the skyrocketing number of hacks as evidence of a new cold war - one that the US is losing. Whether the attacker is a nation - China is thought to have been behind the OPM hack - or a small group like Love and his associates, the enemy is often more sophisticated and more nimble than the US government. Love - who has been charged by prosecutors in New York, New Jersey and Virginia but who has not yet been sought for extradition - could not be reached for comment.

China and Russia have become more aggressive in their cyber attacks, prompting US defence and intelligence officials to admit grudging admiration. "You have to kind of salute the Chinese for what they did," said national intelligence director James Clapper, referring to the OPM breaches.

An analysis by the Financial Times (FT) of dozens of reports by agency inspectors-general, the Government Accountability Office and the Office of Management and Budget (OMB) reveals that, for years, over half of the 24 agencies required to report their cyber defences failed to take the most basic security steps. Such measures include patching software holes, using strong authentication technology and continuously monitoring systems, to help secure the data collected on employees, retired military officials and government schemes.

A review of thousands of documents and interviews with current and former government officials reveals the deep challenges facing government agencies. Most agency officials did not return repeated calls to discuss the reports' findings or declined to comment.

"One of the central problems here is that you have old stuff that just was not designed or built in an era when we had these kinds of threats," Mr Tony Scott, the government's new chief information officer (CIO), told Congress this year.

The number of successful hacks of government agencies targeting highly sensitive information has been skyrocketing.

This year, hackers accessed 100,000 tax accounts after breaking into systems at the Internal Revenue Service. A hack of the Postal Service last year exposed sensitive information belonging to 800,000 employees. The State Department and the White House said last year that their unclassified systems had been breached, officials believe, by the Russian government.

"We have to raise our level of cyber security, in both the private sector and the public sector," White House cyber security coordinator Michael Daniel said recently.

UNDER SIEGE

Since 2006, the number of "incidents" at federal agencies - including phishing attempts, malware attachments and unauthorised access by staff - has risen, up 1,100 per cent at 67,168 last year, said OMB. The rise, officials say, partly reflects the better job that agencies have done in detecting attacks.

"The entire nation is now making up for 20 years of under-investment in our nation's cyber security, in both the public and private sectors," assistant secretary Andy Ozment of the Department of Homeland Security told Congress.

The administration has been incrementally boosting IT spending for the federal government, from US$78.6 billion (S$107 billion) in 2013 to a suggested budget of US$86.3 billion for next year. For this year, the administration initially suggested cutting the budget by about 3 per cent before it was increased. Budget wrangling with Congress and a focus on cost-cutting add to the woes.

Although more money would help, officials also note problems such as bureaucratic hurdles in hiring, a challenging procurement process and bad budgeting - tens of millions of dollars have been wasted on software upgrades that went awry.

Democratic senator Tom Carper from Delaware told FT that two laws passed last year to give agency CIOs more authority over their IT budgets would help the agencies make "significant strides" in modernising cyber security.

"But Congress cannot rest on our laurels when it comes to cyber security - we have more work to do. Congress should promptly authorise and fund the latest generation in cyber defence technology to make future intrusions across our government less likely," he said.

Because of the outdated equipment often used by US agencies, modern cyber defence techniques do not work. These include taking a "zero trust" approach in which all users, applications and devices must be verified - now a common feature in software offered by firms such as VMware, Palo Alto Networks and Cisco.

Encryption is also not possible on older IT infrastructure, such as the legacy networks at OPM. Its cyber security was considered so poor that, in the week before the latest breach, its inspector-general recommended shutting down its networks and essentially rebooting. OPM declined.

'AN INTELLIGENCE BONANZA'

Strong authentication requires more than a username and password, often involving a two-factor test using a log-in and security code or personal identity verification card. This is now a basic procedure at many companies and is frequently adopted by free online services such as Gmail. Some agencies - including the State Department, Labour Department and OPM - did not implement a two-factor test, while 15 out of 24 agencies failed to have at least half of their users in compliance, OMB said in February.

"This statistic is significant as major cyber incidents can often be tied to a lack of strong authentication implementation," OMB wrote in its annual report to Congress.

The layers of old technologies, far-flung operations and the need for 24/7 connectivity present a host of security challenges, say current and former officials. "We're trying to put a Band-Aid on a carotid artery that's been severed," said an inspector-general auditor who identified flaws at the agency he audits.

Many federal agencies do not even have a handle on the basics of their IT - as was illustrated by the DoE breach, where an employee deleted a data file rather than investigate the traffic produced by the hack. Government reviews found that many departments did not have a grasp of how many IT systems they operated.

Even the Department of Homeland Security was found to have spotty cyber defences in some

areas, especially at the Federal Emergency Management Agency, according to a December 2014 report by its inspector-general. Among other responsibilities, Homeland Security has oversight of immigration and background checks on foreign visitors. It is also the federal agency that is supposed to help other agencies better manage their cyber risks.

US officials say China gained access to the background records of 21.5 million people, their contacts overseas, friends, financial information and work history during the second hack into OPM.

"It's an intelligence bonanza for the Chinese. Why there isn't more outrage tells me how far we are from fixing this problem," says Mr Mike Rogers, a former senator who, as chairman of the intelligence committee, was an advocate of improving cyber defences. "It would take a serious effort at each (agency) to get this right, to revamp the technology, and it takes money."

The US government, he says, has to be held accountable. "If you expose all of these people who have voluntarily filled out these forms and put their lives out there, you have some responsibility (to protect the data)," says Mr Rogers, who was among those whose information was exposed.

A DECADE BEHIND

Six months before Peace's alleged hack, a unit within the DoE identified weaknesses in the compromised software. But the agency delayed spending US$4,200 for the new version, said the inspector-general, who estimated the breach cost it at least US$3.7 million in credit monitoring and lost productivity.

Some agencies do not have clear lines as to who is responsible for IT, which often means no one takes charge. And if improving cyber security interferes with the main job of an agency, the fixes often get put on the back burner.

The risks, and frustration over the lack of response to repeated warnings about security flaws, led State Department inspector-general Steven Linick to ask Congress for a proprietary network. Apart from information on diplomatic relations, the department has reams of data on visas and passports. "I would like to be completely separate from the department to ensure the integrity of our system," Mr Linick said this year.

Mr Robert Brese, who was in charge of DoE's IT system at the time of the Peace hacks, bemoans the fact that the US government's technology lags behind that of the private sector.

"The government in many places is still several years to a decade behind the best and brightest in the private sector, in terms of legacy modernisation and the building of secure, resilient systems," says Mr Brese, who left the agency last year. "I don't mean the Googles and Amazons, but longstanding companies like Ford."

FINANCIAL TIMES

A version of this article appeared in the print edition of The Sunday Times on July 19, 2015, with the headline 'Cyber insecurity'. Print Edition | Subscribe