The North Korean hack of Sony Pictures that unleashed proprietary information, leaked embarrassing emails and brought the multi-billion dollar company’s operations to its knees was unprecedented. But cyber security and intelligence experts warn that this is only the beginning.
A CNN review of cyber attacks against federal agencies shows that the number of breaches into government systems is skyrocketing.
“Espionage is happening at a rate we have never seen before,” said Denise Zheng, a deputy director at the Center for Strategic and International Studies.
The numbers seem to bear that out. There were almost 61,000 cyber attacks and security breaches across the entire federal government last year, according to a recent Obama administration report.
And the number of cyber incidents involving government agencies jumped 35 percent between 2010 and 2013, from roughly 34,000 to about 46,000, according to another recent report by the Government Accountability Office.
“This is a global problem. We don’t have a malware problem. We have an adversary problem. There are people being paid to try to get inside our systems 24/7,” said Tony Cole, vice president of the cyber security firm FireEye.
Unclassified networks at the White House and State Department were recently hacked, leading the State Department to shut down its email system for days last month.
But it’s not just spies looking to crack government computers. Hackers are also after personal information accessible through government computer systems, not unlike their counterparts who have nabbed millions of credit and debit card numbers from Target and Home Depot.
Last July, hackers hit the Energy Department and took personally identifiable information from more than 100,000 people “that could be used to damage the financial and personal interests of many individuals,” according to a post-mortem report by the department’s inspector general.
The data included names; dates and places of birth; social security and bank account numbers; and information about their education and disabilities, according to the report. The hack cost the government almost $4 million in credit monitoring fees and lost productivity.
Greg Wilshusen, the director of information security issues at the Government Accounting Office, was one of the 100,000 people whose data was compromised by the attack. He said the federal government’s information technology is “not as secure as it should be. GAO has been identifying this area as high risk since 1997. It’s been a longstanding challenge for the federal government to adequately protect its systems.”
Sometimes the threat comes from simple incompetence. Last year, the IRS mistakenly posted tens of thousands of social security numbers on government websites, according to the nonprofit Public.Resource.org. Perhaps not surprisingly, the Treasury Department’s Inspector General for Tax Administration says protecting taxpayer and employee data is the IRS’ most pressing challenge.
Cole, the cyber security expert, points out that the IRS uses automated systems to process returns. If breached, billions of dollars in returns could be taken and the systems erased, forcing the IRS to use archives to try to reconstruct its system.
“One attack could cripple the (IRS) system,” he said.
Another troubling incident happened last January when hackers hit the Army Corps of Engineers and took sensitive information about the nation’s 85,000 dams. That data included their location, condition and potential for fatalities if the dams were to be breached, according to a report by Sen. Tom Coburn, the ranking Republican on the Senate Homeland Security Committee.
The uptick in security breaches is not because of a lack of spending, experts say. In fact, the Obama administration report showed that federal government agencies spent $10 billion on information security. The biggest culprits, experts say, are human error and a patchwork of different systems. Billions of dollars in security can’t stop an employee from clicking a malicious link.
“There is no patch for a stupid user,” said Zheng, who once oversaw a government cyber warfare program.
Indeed, this year’s Obama administration report found that so-called phishing attacks — where users are duped into clicking links that open systems to hackers — are the most widely reported type of cyber incident.
In an ominous bit of foreshadowing of the Sony hack, National Intelligence Director James Clapper told Congress earlier this year that “the likelihood of a destructive attack that deletes information or renders systems inoperable will increase.”
Now, some experts say, an answer to the Sony hack is crucial.
“We need to have a response whether it’s an industry or a government response so that folks understand there is a penalty here,” Zheng said. “If they go unpunished, the message that sends is detrimental.”