CHINA TOPIX

12/27/2024 04:11:23 am


Federal Employees, Contractors Responsible for Many Cyber Breaches by Accident

DOD Computers

(Photo: DoD Release) The Air Operations Center at Fort Bliss, Texas, comes alive as Air Force and civilian computer specialists prepare for Exercise Roving Sands 97 on April 9, 1997. The exercise is among those activities the DOD monitors for possible cyberattacks, especially with other nations participating.

Wittingly or unwittingly, thousands of U.S. federal government employees and contractors are undermining a US$10 billion-per-year effort to shield government computers and data from cyberattacks or hacking, the Associated Press reports.

These employees work for more than a dozen agencies, the Pentagon and the National Weather Service included, and are responsible for at least half of the federal cyberincidents reported each year since 2010.


Among the ways they could have opened themselves, and their computers, up to hackers are clicking links in bogus phishing emails and opening malware-laden websites. In one recorded instance, an employee was redirected to a hostile site after connecting to a video of tennis star Serena Williams.

Some acts were intentional, as when former NSA contractor Edward Snowden downloaded and leaked documents that contained the government's collection of phone and email records.

Other federal contractors lost equipment containing confidential information about millions of Americans. Robert Curtis of Monument, Colorado, lost data tapes left in his car, and exposed the health records of about 5 million current and former Pentagon employees and their families.

The government is not required to publicly announce its own problems or incidents pertaining to data theft or loss. Last month, it was the Washington Post that reported a breach of White House computers by supposedly Russian-employed hackers.

It took some time before the White House was able to come out with a response.

"It would be unwise, I think for rather obvious reasons, for me to discuss from here what we have learned so far," White House press secretary Josh Earnest later said about the report.

AP conducted a review of how the federal government has acted on these attacks during the last 40 years, and found that, even after the first federal data protection law was enacted, the government is still struggling to close gaps in the protection system, lacking the knowledge, personnel and sufficient systems to face these fast-evolving hackers.

The Department of Homeland Security runs a 24/7 incident response center for the cybersecurity effort.

"It's a much bigger challenge than anyone could have imagined 20 years ago," said Phyllis Schneck, deputy undersecretary for cybersecurity at the DHS.

Privacy Clearinghouse, a non-profit group which tracks cyberincidents at all levels of the government, says there have been more than 87 million sensitive or private records exposed by breaches of federal networks since 2006.

The federal records attacked included employee usernames and passwords, veterans' medical records and even a database that detailed structural deficiencies on some of the dams in the U.S.

Last year, the U.S. Computer Emergency Readiness Team responded to a total of 228,700 cyberincidents involving federal agencies, companies that run critical infrastructure and contract partners. CERT says that's more than double the incidents in 2009.

How do federal employees factor into these data?

An annual White House review says about 21 percent of all federal breaches in 2013 were traced to government workers who violated policies. Sixteen percent were traced to those who lost devices or had them stolen; 12 percent to those who mishandled sensitive printouts; at least 8 percent to those who ran or installed malicious software; and 6 percent to those who were enticed to share private data.

The AP mentions one incident around Christmas of 2011, when Education Department employees received an email purportedly from Amazon.com that asked them to click on a link. Officials quickly warned staff that it could be malicious. The department did not release information about any damage from this incident.

At the DOD, one military user received messages that his computer was infected when he visited a website about schools. Officials traced the attacker to what appeared to be a Germany-based server.

Assistant Secretary of Defense and cybersecurity adviser Eric Rosenbach acknowledges that the DOD will always be vulnerable to human-factor attacks unless a constant education campaign is conducted among its employees.

The government is projected to spend $65 billion on cybersecurity contracts between 2015 and 2020, although experts believe the effort is not enough to counter a growing pool of hackers whose motives vary.

The suspects include Russian, Iranian and Chinese agents, while thieves seek out other valuable data.

Only a small fraction of the attackers are caught.
