The State of the State: U.S. Government Data Breaches
Each month, several government data breaches are revealed with varying levels of harm and embarrassment. I, for one, am impressed and perturbed by their breadth and variety, from the solitary voyeuristic employee to the most significant government data breaches. Experts have been clamoring for the IT departments of government entities to pick up on the lessons that can be learned from each data breach. For now though, some recent banner incidents only highlight the multi-faceted vulnerabilities of government-held personal information.
Downstream Vulnerabilities are Discovered by Outsiders after Years
First off is the breaking news that the Department of Homeland Security itself is not so cyber-secure. Beginning May 20, 2013, DHS acknowledged that a host of sensitive personnel security information has been potentially accessible by unauthorized users since July 2009. The personally identifiable information (“PII”) (including name, Social Security numbers and dates of birth) was submitted by thousands of employees and contractors for background investigations and by persons who received DHS clearance. It was stored by an unidentified vendor, whose software was discovered to have a longstanding vulnerability. The vulnerability was discovered by a third party (a common occurrence, as discussed in my previous post), in this case a law enforcement partner of DHS. Dark Reading Security points out that cybersecurity attacks have moved downstream in the software supply chain because entities have strengthened their defenses against direct attacks.
Earlier this month, the State of Washington admitted to two hackings of its court system, discovered in February and March of 2013. The attackers may have accessed up to 160,000 Social Security numbers and 1 million driver’s license numbers through a vulnerability in Adobe ColdFusion’s app server. The theft of 94 Social Security numbers (SSN) is confirmed and the public has been notified about the broader possibilities. The SSN data comes from people who were booked into a city or county jail between September 2011 and December 2012. The driver’s license data comes from a much larger pool of people who received DUI (driving under the influence) citations from 1989 to 2011 or were involved in certain traffic and criminal cases in district, municipal and superior court from 2011 to 2012. The Office of the Courts also learned of the breaches from a third party – a business on the East Coast that suffered a similar intrusion. Again, may I point out, this is a third-party vulnerability discovered by a third party.
In fact, the current incident is not the first contractor cybersecurity problem to afflict DHS: in 2006, Unisys failed to properly install and monitor network-intrusion devices on unclassified DHS and TSA (Transportation Security Administration) systems, resulting in at least three months of Chinese cyber-intrusions and the breach of 150 DHS computers. This breach resulted in negative Congressional attention and an FBI investigation of a possible cover-up by Unisys about its lax oversight.
The Numbers Vary Greatly, but They are Always Big Ones
These recent incidents just happen to be the most recent dominoes to fall in a vast category of vulnerable systems. Government records will always be attractive as both a financial target for their vast store of PII and a political target for hacktivists. The actual numbers paint a broad picture because one incident can result in an extraordinary number of exposed records, as happened in October 2009, when 76 million U.S. veterans’ records were exposed (National Archives and Records Administration sent a defective hard drive to a vendor for repair without first erasing the PII and sensitive PII data). As summarized in a Rapid7 Research Report, in 2009, there were 53 government data breach incidents, exposing over 79 million personal records. In 2010, there were 102 reported breaches, exposing a mere 1.5 million personal records. Then, in 2011, there were 82 reported breaches, exposing over 4 million personal records. In 2012, 85 reported government data breaches exposed 17.2 million personal records, based on my similar calculations, from data of the Privacy Rights Clearinghouse: “Chronology of Data Breaches.”
Although the number of discrete incidents and records exposed fluctuates arbitrarily, the crux of the matter is that an extraordinary amount of personal data is vulnerable because of the wide array of local, state and federal agencies that store it. The U.S. federal government has promulgated a sophisticated, multi-prong strategy for the protection of federal cybersecurity, as detailed in the Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002. From fiscal year 2011 to fiscal year 2012, there was only a 5% increase in reported computer security incidents. However, there was a 42% increase for the regional and provincial sources. There is an argument here for some trickle-down information security.
Apportionment of Government Data Breach Incidents by Size of Source (US-CERT is the U.S. Computer Emergency Readiness Team. The Chief Financial Officers (CFO) Act created a chief financial officer for 24 federal departments/agencies.)
Broad trends aside, we can also focus on the most noteworthy data calamities as targets for improvement. DarkReading has published a useful post suggesting a “Lesson Learned” for each such incident: Top 10 Government Data Breaches of 2012. Most notably, government databases need to focus on network protection and detection measures, including database activity monitoring and segmentation measures to keep sensitive databases especially protected from side-channel attacks; physical security measures; employee awareness and training; and weaknesses related to Web applications. These specific, incident-based recommendations echo the larger theme of the Report to Congress, which concluded that continuous monitoring is a significant battleground for government IT systems. It is a broad and multi-faceted topic that I look forward to delving into in future posts. In fact, we will be traversing the globe to review the state of government data breaches in other regions, so stay tuned.
Annie C. Bai