This spring the U.S. Government Accountability Office (GAO) released a report on the rise of data breaches. Among several statistics, the report highlighted incidents involving personally identifiable information, which almost tripled from 2009 to 2013. Unfortunately, 2014 looks to continue this upward trend. Two high-profile incidents occurred over the summer at the Office of Personnel Management (OPM) and Department of Homeland Security (DHS) – both of which reaffirm federal agencies’ need for robust security solutions. These breaches served to remind us of the sheer amount of sensitive data within federal networks and repositories, and that the cybersecurity posture of these networks and repositories needs to be improved.
It was reported in July that OPM experienced a breach of its computer networks in March. The hackers (believed to be on the payroll of the Chinese government) were able to breach OPM computer networks that contain personnel information on up to 5 million government employees and contractors. Fortunately, a computer security team from DHS detected the breach through an automated monitoring system and prevented any information from being compromised. While those affected by the breach appear to have dodged a bullet, this incident has received a lot of attention because it highlighted the need for better prevention solutions against the ever-present external threats seeking sensitive data.
In early August, DHS experienced a breach of its own. USIS, a contractor performing background checks for DHS, was hacked in what it alleges to be a state-sponsored attack – which may have compromised 20,000 personnel records. Though the data was encrypted by DHS before being sent to USIS, whether the information remained encrypted after it was received by the contractor is uncertain. This leak is not just another reminder of the vulnerabilities and threats that exist, but also a reminder that the area of concern extends beyond the agencies themselves and into third-party firms handling sensitive data.
The OPM breach demonstrated what an effective government response should look like. It highlighted the need for better firewalls and intrusion prevention/endpoint protection measures in order to prevent another breach. The DHS contractor breach, on the other hand, demonstrates the need for ensuring consistent standardization both within the federal government and within industry partners. One way agencies can achieve this is through investing in prevention solutions (thus reducing remediation costs in the future). While these incidents are unfortunate, they are inevitable without appropriate controls and standardization – and they will be constant reminders of how important it is for federal agencies to maintain an effective cybersecurity posture.