FT investigation: Cyber insecurity
We’ll send you a myFT Daily Digest email rounding up the latest Cyber Security news every morning.
In July 2013, a hacker calling himself “Peace” uploaded a malicious string of code into computers at the US Department of Energy, the agency that oversees the American nuclear weapons programme, its power production and other vital national interests.
Peace hit the jackpot, gaining access to a trove of confidential personal data — including the names of employees, their social security numbers and their bank account details.
“YASSSS,” he typed in an online chatroom. “I AM INVINCIBLE!!! Finally shelled mis.doe.gov after over 24h.”
Prosecutors allege “Peace” is Lauri Love, a 30-year old resident of Suffolk, England. With relative ease, he and his unnamed co-conspirators gained “unlimited access” to the system and ran more than 600 queries on the DoE’s computers. The alleged hackers accessed the personal information of over 104,000 current and former DoE employees by breaking in through a known — but unpatched — vulnerability in an Adobe software programme called ColdFusion.
Mr Love allegedly used the same tactic to infiltrate the Federal Reserve, Nasa, the Environmental Protection Agency, the US Army and the US Missile Defense Agency, according to three separate criminal charges. The DoE breach was one of the biggest violations of government employee data at the time — and the department’s watchdog says it could have been prevented.
“The vulnerability exploited by the attacker was specifically identified by [US software company Adobe] in January 2013,” Gregory Friedman, the DoE’s inspector-general, concluded after investigating the hack.
While serious, the breach at the DoE can hardly be called rare. Even as the US technology sector leads the world, the US government’s computer systems — including those of agencies that handle information crucial to national security — are woefully unprepared for the frequency and sophistication of today’s cyber attackers.
US agencies’ vulnerabilities have been hiding in plain sight. Last week the Obama administration admitted that hackers stole the private information of about 25m individuals through two hacks at the Office of Personnel Management, the government’s human resources arm. The second breach was the largest ever cyber attack on a US government agency. The OPM’s chief resigned last Friday.
Lawmakers see the rocketing number of hacks as evidence of a new cold war — one which the US is losing. Whether the attacker is a nation — China is thought to have been behind the OPM hack — or a small group like Mr Love and his associates, the enemy is often more sophisticated and more nimble than the US government.
Mr Love, who has been charged by prosecutors in New York, New Jersey and Virginia but who has not yet been sought for extradition, could not be reached for comment.
China and Russia have become more aggressive in their cyber attacks, prompting US defence and intelligence officials to express grudging admiration.
“You have to kind of salute the Chinese for what they did,” said James Clapper, director of national intelligence, referring to the OPM breaches.
An analysis by the Financial Times of dozens of reports by agency inspectors general, the Government Accountability Office and the Office of Management and Budget reveals that for years more than half of the 24 agencies required to report their cyber defences failed to take the most basic security steps. Such measures include patching software holes, using strong authentication technology and continuously monitoring systems, to help secure the troves of data collected on employees, retired military officials and government programmes.
A review of thousands of documents and interviews with current and former government officials reveals the deep challenges facing government agencies. Most agency officials did not return repeated calls to discuss the reports’ findings or declined to comment.
“One of the central problems here is you have old stuff that just was not designed or built in an era when we had these kinds of threats,” Tony Scott, the government’s new chief information officer, told Congress this year.
The number of successful hacks of government agencies into highly sensitive information has been rocketing. This year, hackers accessed 100,000 tax accounts after breaking into systems at the Internal Revenue Service. A hack of the US Postal Service last year exposed the sensitive information belonging to 800,000 employees. The state department and White House said last year that their unclassified systems were breached, officials believe, by the Russian government.
“We have to raise our level of cyber security in both the private sector and the public sector,” Michael Daniel, the White House cyber security co-ordinator, said last week.
Since 2006 the number of “incidents” at federal agencies, including phishing attempts, malware attachments and unauthorised access by employees, rose 1,100 per cent to 67,168 in 2014, according to OMB. Some of that increase, officials say, reflects the better job agencies have done in detecting attacks.
“The entire nation is now making up for 20 years of under-investment in our nation’s cyber security, in both the public and private sectors,” Andy Ozment, assistant secretary of the Department of Homeland Security, told Congress.
The Obama administration has incrementally increased IT spending for the federal government from $78.6bn in 2013 to a suggested budget of $86.3bn for 2016. For 2015, the administration initially suggested cutting the budget by about 3 per cent before it was increased. Budget wrangling with Congress and a focus on cost-cutting add to the woes.
Although more money would help, officials also note problems such as bureaucratic hurdles in hiring, a challenging procurement process and bad budgeting — tens of millions of dollars have been wasted on software upgrades that went awry.
Tom Carper, a Democratic senator from Delaware, told the FT that two laws passed last year to give agency chief information officers more authority over their IT budgets would help make “significant strides” toward modernising cyber security.
“But Congress cannot rest on our laurels when it comes to cyber security — we have more work to do. Congress should promptly authorise and fund the latest generation in cyber defence technology to make future intrusions across our government less likely,” he said.
The outdated equipment often used by US agencies means that modern cyber defence techniques such as having a “zero trust” approach in which all users, applications and devices must be verified — now a common feature in software offered by companies such as VMware, Palo Alto Networks and Cisco — do not work. Encryption is also not possible on older IT infrastructure, such as the legacy networks at OPM. Its cyber security was viewed as so poor that in the week before the latest breach, its inspector-general recommended shutting down its networks and essentially rebooting. OPM declined.
‘An intelligence bonanza’
Strong authentication is defined as requiring more than a username and password, such as a two-factor test using a login and security code or a personal identity verification card. This is now a basic procedure at many companies and is frequently used in free online services such as Gmail. Some agencies, including the state department, Labor Department and OPM, did not implement a two-factor test, while 15 out of 24 agencies failed to have at least half of their users in compliance, the OMB said in February.
“This statistic is significant due to the fact that major cyber incidents can often be tied to a lack of strong authentication implementation,” OMB wrote in its annual report to Congress.
The layers of old technologies, far flung operations and need for 24/7 connectivity present a host of security challenges, current and former officials say. “We’re trying to put a Band-aid on a carotid artery that’s been severed,” said an inspector-general auditor who identified flaws at the agency he audits.
Many federal agencies do not even have a handle on the basics of their IT — as was illustrated by the DoE breach, where an employee deleted a data file rather than investigate the traffic produced by Mr Love’s alleged hack. Government reviews found that many departments did not have a grasp of how many IT systems they operated.
Even the Department of Homeland Security was found to have spotty cyber defences in some areas, especially at the Federal Emergency Management Agency, according to a December 2014 report by its inspector-general. Among other responsibilities, DHS has oversight of immigration and background checks on foreign visitors; it is also the federal agency that is supposed to help other agencies better manage their cyber risks.
US officials say China gained access to the background records of 21.5m people, their contacts overseas, their friends, their financial information and their work history in the second hack into the OPM.
“It’s an intelligence bonanza for the Chinese. Why there isn’t more outrage tells me how far we are from fixing this problem,” says Mike Rogers, a former Michigan congressman who, as chairman of the intelligence committee, was an advocate for improving cyber defences. “It would take a serious effort in each [agency] to get this right, to revamp the technology, and it takes money.”
The US government, he says, has to be held accountable. “If you expose all of these people who have voluntarily filled out these forms and put their lives out there you have some responsibility [to protect the data],” says Mr Rogers, who was among those whose information was exposed.
A decade behind
Six months before Peace’s alleged hack, a unit within the DoE identified weaknesses in the compromised software. But the agency put off spending $4,200 to buy the new version, the inspector-general found. The IG calculated the breach cost at least $3.7m in credit monitoring and lost productivity.
Some agencies do not have clear lines on who is responsible for their IT, often meaning no one takes charge. And if improving cyber security interferes with the main job of an agency, those fixes often get put on the backburner.
The risks and frustration with the lack of response to repeated warnings about security flaws led Steven Linick, inspector-general for the state department, which in addition to diplomatic relations has reams of data on visas and passports, to ask Congress for a proprietary network. “I would like to be completely separate from the department to ensure the integrity of our system,” Mr Linick said this year.
The state department said in a statement on Tuesday that it “fully supports” the independence of the IG and its data and was putting in place additional access controls and encryption to reduced the threat of access by outsiders. “We note, however, that establishment of a separate network in and of itself, will not mitigate all of the same threats the US government must now contend with.”
Robert Brese, who was in charge of the DoE’s IT system at the time of the Peace hacks, bemoans the fact that the US government’s technology lags behind that of the private sector.
“The government in many places is still several years to a decade behind the best and brightest in the private sector on legacy modernisation and the building of secure, resilient systems,” says Mr Brese, who left the agency in 2014. “I don’t mean the Googles and Amazons, but longstanding companies like Ford.”
This article was amended on July 15 to reflect the fact that Mike Rogers is a former congressman, not a former senator