What Can We Learn From The Largest US Government Data Theft?

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.


China has been blamed for a hack in which huge amounts of US Government employees’ personal data was stolen. China denies it, but organisations everywhere can learn from the breach.

This week it emerged that hackers, allegedly from China, had infiltrated US government computers and stolen the personal records of as many as four million people in one of the most far-reaching breaches of government systems to date.

The FBI is investigating the breach, whose origins are reported to date back at least to April. The targeted agency, the Office of Personnel Management (OPM), is effectively the personnel department of the US government. It holds valuable information on current and former government employees, including background-check files, pension information and other payroll data.

What sounds like an uninteresting target is, in fact, a high value one. Several government officials have already described the breach as among the largest known thefts of US government data in history.

So what can we learn from this hack? Here is what security practitioners in the tech industry had to say:

Nick Wilding, AXELOS head of cyber resilience

“This is another example of the new world all organisations now operate in. One where your most precious information and assets are being attacked and compromised on a regular basis. All organisations now need to accept that successful attacks will happen. They need to plan and test how they can become more resilient and be able to respond and recover quickly in the best interests of their customers, staff and citizens.”

Adrian Davis, (ISC)² EMEA managing director

“IT is now embedded in almost every aspect of business as well as our personal lives. It’s becoming increasingly important to limit cyber threats by designing and building IT systems with security in mind. Worryingly, I suspect that we will continue to see worldwide stories like this for some time, as many organisations are still highly reliant on systems that haven’t been built with security considerations. Right now, we need to improve detection and reaction measures concerning breaches much more quickly. In the longer term, cybersecurity needs to be integrated into mainstream education before we will begin to see a real change. Society is getting there with this realisation, however criminals and malicious actors are still coming out ahead. Swift action must be taken in order to surpass their efforts.”

Tony Berning, senior manager at OPSWAT

“Unfortunately the federal government breach underlines the fact that current cyber security defences are not sophisticated enough to prevent infiltration. For high security and classified networks it is important to secure the data flow by deploying one-way security gateways and ensuring that no information can leave the network. In addition, to ensure the highest protection against known and unknown threats, multi-scanning with multiple anti-malware engines should be deployed, leveraging the power of the different detection algorithms and heuristics of each engine, and greatly increasing the detection rate of threats and outbreaks.”

Tom Court, cyber crime researcher, Alert Logic

“Attacks against high profile targets such as this require the adversary to possess the means, a motive and be given an opportunity to strike. In this case the attacker was a group of skilled hackers who had previously demonstrated they had the means by launching a similar attack against the same target in March last year. The motive is clear and should be a red flag to all organisations that hold large amounts of personal data. This information is fast becoming a currency that cyber criminals trade in and should be treated with the same degree of care as financial data. A large organisation with potential IT and security budget constraints presents an opportunity to would-be attackers. Nevertheless, once additional expertise was brought in, the breach was quickly discovered and remediated. This underlines the importance of continuous network monitoring to uncover anomalies before they become headlines.”

Dan Waddell, CISSP, CAP, (ISC)² managing director, National Capital Region

“Today, cybersecurity is all about speed. In this case, it is reported that there was an initial breach of a high-value target in December 2014, with detection occurring in April 2015. That is way too much time in between. We should be talking about the time from breach to detection to mitigation in terms of hours or days vs. weeks or months. When these types of breaches occur, I encourage the agency or organisation to release information to the affected users as quickly as possible to help them get a better idea of the scope of the breach – what type of data was leaked, how much, etc. In the meantime, I would recommend all former and current employees and customers monitor their financial accounts and credit reports for any suspicious activity.”

Grayson Milbourne, security intelligence director at Webroot

“Although details are still coming in, we do know very sensitive data is involved and the attack may have gone on for a prolonged period of time. Until we can understand what level of data access was achieved, we won’t know the full impact. But, based on the characteristics of the attack, it’s likely the perpetrator was a nation-state.

“Clearly, the government’s approach to cybersecurity needs to be reformed, prioritized and accelerated. That the breach might have been carried out by the Chinese does not absolve the OPM of blame. The issue here is the government’s technological failings and what it should be doing to prevent future attacks.”

Sergio Galindo, general manager of GFI Software

“It’s very easy to immediately point the finger at a foreign power like China or an activist group when a hack of this magnitude takes place, but let’s not lose sight of the bigger issue, which is that there was a failing or vulnerability in the first place within the systems that were hacked, which was not identified by the IT staff responsible for monitoring those systems. It also raises questions about the effectiveness of the EINSTEIN intrusion detection system, a security platform that has been largely discredited as a result of its failure to spot or stop this incident. As is often the case, these hacks come about as a result of lax IT management and maintenance and a breakdown in security procedures. These are also the areas that are easier to fix than going after the perpetrators – given that hackers are usually as good at covering their tracks as they are at instigating the hack in the first place.

“Government IT systems, including many of the ones found in departments such as Justice, the DoD, Treasury, Homeland Security, Energy and so on, can be quite old – a mixture of not wanting to junk perfectly functional systems that do their day-to-day job well, not wanting to write off the cost of expensive and custom software written for older systems that took years to build, plus the impact of austerity cuts that are driving both public and private sector bodies to sweat their IT assets for far longer than normal in order to cut costs and work within lower budget limits. All of these potentially increase the likelihood that a hacker might exploit an older, insecure and unsupported system in order to gain access and execute a substantial data theft or other disruptive hacking activity.

“There’s not a lot we can do about the external threat, what we can do is identify the weakness internally and actually do something to shut that weakness down so it can’t be exploited again, and then work on hardening IT systems internally, as well as providing better training and skills development for IT staff so we can head-off new attacks in the future. It’s a cheaper, more realistic and more practical approach that will deliver far more results than focusing all the efforts on chasing down anonymous hackers who are already in the wind.”

Paul McEvatt, lead security specialist and cyber consultant UKI at Fujitsu

“This data breach highlights, once again, that we are now facing a very real cyber threat impacting the most secure of organisations. The intention to target personal data highlights the value this has to adversaries. Records of four million US government employees have reportedly been compromised, which highlights that it is no longer just about prevention, but instead accepting a data breach could occur and the importance of ‘depth in defence’ in a strong security posture.

“According to research from Fujitsu, only 9% of UK consumers believe organisations are doing enough to protect their data with a third admitting that their trust has declined in the last 12 months.

“It’s vital organisations move to a proactive approach focusing on the integration of threat intelligence and other information sources to provide the context necessary to deal with today’s advanced cyber threats. Implementing a strong security education programme underpinned by a robust security framework would allow companies to get on the front foot in combating these types of threats.”

Chris McIntosh, CEO ViaSat UK

“This latest incident shows how cyber-attack is cementing itself as a form of unconventional warfare. Rather than guerrilla raids or sabotage, the greatest threat to governments and other organisations comes increasingly not from the physical world, but from the virtual. However, cyber-attack is unique in both its reach and its ease of use. Unlike other forms of warfare, unconventional or not, it requires relatively few resources and can be performed from anywhere, and almost by anyone. As a result, an attack of some sort will be almost inevitable. Mitigating the effects is, therefore, just as important as prevention.

“The best way for organisations to do this is to assume that their security has already been compromised. Security then becomes a matter of minimising, and where possible eliminating, damage caused by attacks. Encrypting sensitive data, so that even if stolen it is essentially useless to attackers, is one step that should by this point be compulsory. The ability to isolate potentially infected systems is another. However, organisations of any size should ensure they take an all-encompassing approach to security to prevent the risk of serious damage.”

Piers Wilson, product manager, Huntsman Security

“While the exact identity of the US’s latest attacker may never be 100% confirmed, an attack on this scale by a well funded and skilled adversary (such as a foreign power) should not come as a surprise at this point. From ongoing attacks within Europe, to Stuxnet, to the US’s own alleged attacks against North Korea, cyber-attack is firmly entrenched as a 21st century battlefield. However, organisations shouldn’t think that such attacks are only focused on governments and their networks and systems. Like any attacker, a government will attack any target that can benefit it; from opposing nations, to their critical infrastructure, to businesses that it can sabotage or steal valuable information from. What this attack has again shown is that high value, sensitive data (such as employee/HR records) can be at risk as well as valuable intellectual property and other business information.

“Enterprises must be able to detect and triage increasingly sophisticated and well-funded attacks. Since there is no way of predicting where the next attack will come from, and what form it will take, being able to detect evidence of a breach and react in order to contain the threat in the shortest time possible will be critical. Whether an attack comes from a newly discovered virus, a previously unknown vulnerability, or the actions of an employee, the enterprise has to be prepared to spot potentially dangerous behaviour.”

Gavin Millard, technical director of Tenable Network Security

“The UK Government has been aware of the risks associated with the huge amounts of data held on employees by themselves and external agencies for some time. They have been pushing an approach of reducing the risk of loss by focusing on foundational controls through their Cyber Essentials program, which is already having an impact with many external recruitment agencies gaining certification to enable them to place candidates.

“Cyber Essentials, although simple by design, should enable organisations to drive security improvement through businesses that haven’t historically taken data loss as seriously as they should. Good cyber hygiene – through ensuring vulnerable systems are identified and patched in a timely manner, systems are configured to be secure, user and network access controls are sound and finally malware defence is deployed and up to date, will reduce the risk of data loss.”

James Maude, security engineer at endpoint security software firm Avecto

“Although we don’t have all the details yet, it is possible that four million current and former employees’ records have been compromised. The FBI have launched an investigation with the focus appearing to be on China following a thwarted attempt to steal files relating to employees with top secret levels of clearance last year that was traced back to the region.

“These recent attacks show just how serious the consequences of cyber-attacks can be: it is not just an attack on an organisation but can impact individuals. Federal employees will be especially concerned as OPM will store highly detailed information that would be more than enough to identify someone, compromise their identity or monitor them.

“Sadly, this attack is not a unique event, with organisations across the globe being hit by data breaches on an hourly basis. What is often clear in these attacks is that most current defences are not sufficient to deal with the attacks. Many still rely on signature-based detection to identify the known bad, an idea that is fundamentally flawed and unable to keep up with the volume of attacks. Another big problem is over-privileged users; in Government this is often referred to as ‘the Snowden problem’, where users are given wide-reaching powers and access with little or no oversight. When threats cannot be identified and users can access too much, you create the perfect environment for a data breach.

“It is time for organisations to start to rethink security and become proactive. The focus needs to shift from blame and attribution to a more productive environment of evolving defences and becoming proactive in defence. Security is a journey, not a destination and pointing the finger of blame does nothing to move your own security further down this road.”

Mark Bower, global director, HP Security Voltage

“Theft of personal and demographic data allows one of the most effective secondary attacks to be mounted: direct spear-phishing to yield deeper system access, via credentials or malware, thus accessing more sensitive data repositories as a consequence. These attacks, now common, bypass classic perimeter defences and data-at-rest security and can only realistically be neutralised with more contemporary data-centric security technologies already adopted by the leaders in the private sector. Detection is too late. Prevention is possible today through data de-identification technology. So why is this attack significant? Beyond spear-phishing, knowing detailed personal information past and present creates possible cross-agency attacks given job history data appears to be in the mix. Thus, it’s likely this attack is less about money and more about gaining deeper access to other systems and agencies, which might even be defence or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft.”
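Both Chris McIntosh’s point that stolen data should be “essentially useless” to the thief and Mark Bower’s point about data de-identification come down to the same design decision: direct identifiers should not sit in clear text in the systems that analysts and HR applications query. The example below is added here to illustrate that pattern; it is not code from HP Security Voltage, ViaSat or OPM. It uses keyed HMAC-SHA256 pseudonymisation from the Python standard library as a stand-in for a commercial tokenisation or format-preserving-encryption product, and the record layout, field names and sample values are all constructed for the illustration. It also shows why the key matters: an unkeyed hash of a Social Security number can be reversed by enumeration, while the keyed token cannot be reversed without the key.

```python
"""Keyed pseudonymisation of a personnel record (illustrative, not OPM's system).

Assumptions (constructed for this example): the record fields, the sample
values, and the choice of HMAC-SHA256 as the de-identification primitive.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Fields that directly identify a person or enable identity theft.
DIRECT_IDENTIFIERS = ("ssn", "full_name", "date_of_birth", "home_address")

# Constructed sample record, loosely modelled on the kinds of data the article
# says OPM holds (background-check and payroll data). Not real data.
SAMPLE_RECORD: Dict[str, str] = {
    "ssn": "123-45-6789",
    "full_name": "Jane Q. Public",
    "date_of_birth": "1975-03-14",
    "home_address": "1 Example Street, Anytown",
    "agency": "Department of Energy",
    "clearance_level": "Top Secret",
    "pay_grade": "GS-13",
}


def token_for(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token: same key, field and value give the same token,
    so joins across datasets still work. The field name is mixed into the
    message so tokens cannot be compared across different fields."""
    msg = f"{field}\x00{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def deidentify(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a record into an analytics copy and vault entries.

    The analytics copy keeps every non-identifying field and replaces each
    direct identifier with a keyed token. The vault (token -> original value)
    must live in a separately protected store together with the key; a thief
    who gets only the analytics copy learns no identities."""
    analytics_copy: Dict[str, str] = {}
    vault: Dict[str, str] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            tok = token_for(key, field, value)
            analytics_copy[field] = tok
            vault[tok] = value
        else:
            analytics_copy[field] = value
    return analytics_copy, vault


def reidentify(analytics_copy: Dict[str, str], vault: Dict[str, str]) -> Dict[str, str]:
    """Authorised path back to the original record, requiring the vault."""
    return {
        field: (vault[value] if field in DIRECT_IDENTIFIERS else value)
        for field, value in analytics_copy.items()
    }


def exposes_identifiers(analytics_copy: Dict[str, str], original: Dict[str, str]) -> bool:
    """True if any direct identifier survives verbatim in the analytics copy."""
    return any(analytics_copy[f] == original[f] for f in DIRECT_IDENTIFIERS)


def sha256_hex(value: str) -> str:
    """A bare, unkeyed hash: the weak de-identification many systems actually use."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def ssn_candidates(prefix: str = "123-45-", count: int = 10_000) -> Iterable[str]:
    """Attacker's guess list: every serial for one known area/group prefix."""
    return (f"{prefix}{i:04d}" for i in range(count))


def recover_unkeyed(digest_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Enumeration attack: works against sha256(ssn), fails against a keyed token
    because the attacker cannot compute HMAC outputs without the key."""
    for guess in candidates:
        if sha256_hex(guess) == digest_hex:
            return guess
    return None


def demo() -> Dict[str, object]:
    """Run the whole flow with a fresh random key and report the outcomes."""
    key = secrets.token_bytes(32)
    analytics_copy, vault = deidentify(SAMPLE_RECORD, key)
    return {
        "leaks_identity": exposes_identifiers(analytics_copy, SAMPLE_RECORD),
        "round_trips": reidentify(analytics_copy, vault) == SAMPLE_RECORD,
        "unkeyed_hash_recovered": recover_unkeyed(sha256_hex(SAMPLE_RECORD["ssn"]), ssn_candidates()),
        "keyed_token_recovered": recover_unkeyed(analytics_copy["ssn"], ssn_candidates()),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the split: the HMAC key and the vault are the only things that can turn a token back into a person, so they belong in a hardware-backed or at least separately administered store, with access logged. A bare hash, by contrast, is reversible for any low-entropy identifier such as an SSN or date of birth, which is what `recover_unkeyed` demonstrates.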
