The “ransomware” attack that crippled computer systems around the globe last week shows once again just how vulnerable the world’s computer systems are to criminals and hackers.
The so-called “WannaCry” virus — which threatened to delete a victim’s files absent a $300 ransom — exploited a weakness in the Windows operating system that a simple software update could have blocked. Government computer systems were among the hardest hit, including Russia’s Interior Ministry and Britain’s National Health Service, which had to shut down 16 hospitals. Reports are already circulating of a second potential global cyberattack, Adylkuzz, which works by stealing processing power from victims’ computers.
So far, U.S. government systems seem to have been spared – but how ready are federal agencies to withstand a cyberattack?
The answer: Not as much as they should be.
After the 2015 discovery of a massive breach at the Office of Personnel Management (OPM), which compromised the personal information of 21.5 million people, President Barack Obama tasked a 12-member presidential commission with devising a national cybersecurity plan. The commission’s report, issued last December, included a long list of to-dos for the next Administration, citing an urgent need for “ambitious measures to put the federal government’s cybersecurity house in order.”
Testimony by Gregory Wilshusen of the U.S. Government Accountability Office (GAO) earlier this year was far more blunt: “[S]ystems used by federal agencies are often riddled with security vulnerabilities – both known and unknown,” said Wilshusen in a statement to the House Committee on Science, Space and Technology. Wilshusen went on to say that 19 of 23 federal agencies reported in 2016 that “information security control deficiencies were either a material weakness or significant deficiency.”
Even basic cyber-hygiene is majorly failing, said the GAO. Many agencies, for example, don’t update their software consistently, “sometimes doing so years after the patch becomes available.” The GAO also faulted agencies for relying on outdated software no longer supported by vendors and for failing to ensure that federal contractors protect the information to which they have access. (Edward Snowden, remember, was a contractor.)
There’s no question of the mayhem that a hacker can cause – government agencies hold vast amounts of sensitive information, such as citizens’ Social Security numbers and tax returns, not to mention nuclear launch codes. And here’s yet more reason to worry:
The biggest perpetrators of cybercrime are foreign countries and the Mob.
Forget teenage hackers out for glory or the “somebody sitting on their bed that weighs 400 pounds,” whom President Donald Trump famously blamed for the pre-election hack of the DNC. The vast majority of cyberattacks are organized and serious, which makes the vulnerability of government data all the more concerning.
According to Verizon’s 2017 Data Breach Investigations Report, organized crime accounted for 51 percent of incidents last year, while nearly 1 in 5 (18 percent) were masterminded by “state-affiliated” actors. The WannaCry virus, for example, is reportedly being linked to hackers in North Korea.
The Verizon report also notes that while no industry has been safe from hacking, the overwhelmingly favored target of cyberattackers is government. In 2017 alone, says Verizon, there were 21,239 incidents aimed at government computer systems, 90 percent of which were perpetrated by state-affiliated actors and 64 percent of which were motivated by “espionage.” Of the 239 confirmed data breaches, 41 percent involved the theft of personal data, while another 41 percent involved the compromise of “secrets.”
The government’s most vulnerable agencies are the Departments of State and Defense.
In 2002, Congress passed the Federal Information Security Modernization Act (FISMA), which requires agencies to develop and implement a cybersecurity plan according to the framework laid out in the statute. Reports are due to Congress every year and must include assessments of how far each agency has progressed toward the goals
According to the 2016 report, among the worst performing agencies are the ones privy to some of the nation’s most sensitive information: the Department of Defense and the Department of State. The Department of Defense, for example, reported 1,888 cyber-incidents last year and scored poorly on a five-point scale for cyber-readiness. Its ability to detect cyber-threats, for instance, was rated “ad hoc” – the lowest possible rating. “DoD’s information security program did not receive an effective rating,” said the report.
The State Department, meanwhile, fared worse, scoring “ad hoc” ratings on all dimensions of its cybersecurity capability. “Without developing and implementing an effective organization-wide information security program, State cannot achieve its core mission,” the report concluded.
The government doesn’t have enough qualified cybersecurity workers to help defend itself.
A big reason so many federal agencies are falling behind on cybersecurity, says the GAO, is the lack of qualified workers to help them get up to speed. The federal cybersecurity workforce, the GAO reports, is “inadequate, both in numbers and training.”
In 2016, President Barack Obama released a Federal Cybersecurity Workforce Strategy, aimed at recruiting, hiring and training needed talent. He also called for $62 million in additional funding for cybersecurity education and a “CyberCorps” national service program for recent graduates in cybersecurity.
Of course this was before the election of Donald Trump.
While on the one hand, Trump has recently issued an executive order directing agencies to prioritize cybersecurity, his 2018 proposed budget included $54 billion in budget cuts that would have forced already budget-strapped agencies to further skimp on IT security.
“You can’t fix that on the cheap,” said Department of Education Inspector General Kathleen Tighe at a congressional hearing in March. “Money has to be put in.”
Given the trajectory of Trump’s presidency so far, however, cybersecurity may be yet one more vital issue that won’t get the money or the attention it deserves – until too late.