Can the Government Protect Itself from Cyber Attacks?

Many countries have been victims of cyber attacks but may not realize it until long after the security breach occurred. In the recently revealed hack on the Office of Personnel Management (OPM), it took authorities four months to even realize that the hack occurred. While it may still be too early to understand the exact scale of this attack, all evidence suggests that it is likely one of the largest security breaches in United States history. With news of recent security breaches finally reaching the public, many people are wondering if the government can adequately protect itself from future attacks.

“The United States of America is under attack,” warned Rep. Elijah Cummings at a House Oversight and Government Affairs Committee hearing earlier this month. Katherine Archueta, the director of OPM, faced harsh criticism at the hearing for failing to upgrade databases despite known security issues. An OPM audit carried out last November–shortly before the breach–concluded that several databases still did not meet federal security standards, a problem that was initially identified back in 2007. Authorities had knowledge of a “significant deficiency” in OPM security governance prior to the hack, yet failed to fix security problems that have existed for nearly seven years.

According to the New York Times, federal databases have not been updated with the latest protocols and defense systems that create more barriers for hackers to break through. In the case of the OPM breach, hackers were not subject to multi-factor authentication–meaning they were not required to use an access code to verify their identification. The OPM Inspector General was also unsure if the hacked social security numbers were encrypted. When asked why hackers were not subject to multi-factor authentication, Donna Seymour of OPM told the Times the following:

Installing such gear in the government’s ‘antiquated environment’ was difficult and very time consuming, and that her agency had to perform ‘triage’ to determine how to close the worst vulnerabilities.

The U.S. has been a victim of hacking before, but the recent OPM hack was different because the hackers accessed the Federal Employee Database, which allowed them to retrieve federal employee information dating all the way back to 1985. Recently, officials believe that (SF) 86 questionnaires, which all individuals applying for national security positions must fill out, may have also been compromised in yet another hack. Access to such forms could provide hackers with extremely intimate information about individuals with security clearance, and in the wrong hands could lead to blackmail.

Cybersecurity Experts believe China wanted this information to build a network of current and former government employee information to conduct future attacks. This shows the U.S. government’s inability to protect 14 million people’s personal information and keep Americans safe from cyber attacks. The hackers involved are believed to be a Chinese group, the same one responsible for hacking Anthem Insurance earlier this year.

Not only is the United States ill-equipped to prevent these attacks, it often does a poor job of responding to them after the fact. In response to the recent hack, OPM has notified four million current and former federal employees who may have had their personal information stolen and offered 18 months of free credit monitoring and $1 million in identity theft protection. But is that enough if identities are already compromised? Many federal employees do not believe so and took to commenting on OPM’s Facebook page to express their anger. Federal employees are demanding higher security standards and better responses from the agency because so many people’s personal information is at stake.

This is not the first time that the government failed to learn from past attacks. Back in April, officials revealed a cyber attack that penetrated the White House computers, reportedly tracing its origins to Russia. According to the White House, attackers managed to penetrate the unclassified system of White House computers giving them important details about the president’s schedule. Investigators believe the Russians used a tactic called “spear phishing,” where hackers pretend to be a friend or coworker and ask for account information. Authorities believe the OPM hackers used similar methods.

While officials believe the hack was not on behalf of the Chinese government, the government seems to be doing little to crack down on hackers within its borders. The United States indicted five senior Chinese officials last year for stealing trade secrets from computers of American companies and passing them on to Chinese competitors. In retaliation for the indictments, China said it suspended a working group on cyber-related matters, further preventing collaboration between the two countries.

With cybercrimes becoming more prevalent, strengthening government security by updating U.S. systems with the latest defense technology must be done to prevent future attacks. Government officials have knowledge of significant security weaknesses, yet little has been done to secure important systems. It is likely these attacks will continue in the future, and unless the United States is able to bring security measures in line with established standards, the government’s ability to protect itself will continue to falter.

Jennie Burger

Jennie Burger is a member of the University of Oklahoma Class of 2016 and a Law Street Media Fellow for the Summer of 2015. Contact Jennie at staff@LawStreetMedia.com.