Recent high-profile private-sector hacks have once again put a spotlight on the issue of cybersecurity. This is a serious problem that requires legislation to improve the United States’ cybersecurity posture, but the U.S. should not reflexively adopt government regulation of cyberspace as a solution. There are concerns that such a response would not be cost-effective and would have an adverse effect on innovation. It could also potentially create a mindset of compliance rather than of security. Additionally, the government’s own cybersecurity track record raises questions about the effectiveness of government cyber regulations.
The following is a list of federal government cybersecurity breaches and failures, most of which occurred during 2013 and 2014. This list is part of a continuing series published by Heritage that serves as a long-term compilation of open-source data about federal cybersecurity breaches dating back to 2004.
This list is in no way complete: Some hacks might not be reported or are classified, and others have yet to be discovered. In September 2014, Robert Anderson, executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI, told the Senate Homeland Security Committee that if a federal department believes it has not been hacked, it is likely simply unaware of the hack. When Senator Coburn asked for a list of all the government hacks the panelists were aware of, Anderson acknowledged that such a list might have to be discussed in a closed Senate hearing. Furthermore, the list below does not include the large number of private-sector failures. Nevertheless, the seriousness and number of known U.S. government cybersecurity failures undercut the argument for a government-led regulatory approach to cybersecurity.
U.S. Nuclear Regulatory Commission (NRC)
- NRC Systems, 2012–2014. Unknown hackers, including foreign actors, targeted NRC computers with phishing and targeted e-mails and with malware embedded in a portable document format (PDF) file. It is unknown whether any data were stolen, but no classified documents appear to have been downloaded.
Department of Defense (DOD)
- Fannie Mae Website, August 2013–early 2014. A former Fannie Mae information technology contractor used his credentials to break into a government website operated by Fannie Mae and disable features on the site. Damages to the company and its customers totaled $69,638.
- DOD Pharmacy Database, January 2011. Two or more hackers infiltrated the PharmacoEconomic Center, the prescription drug database for the DOD's pharmacy program. The servers were down for a day, and the hackers offered to sell root access to the domain for $399 or batches of 1,000 records for $20.
- U.S. Army Corps of Engineers' National Inventory of Dams Database, May 2012. An employee of the National Oceanic and Atmospheric Administration (NOAA), Xiafen "Sherry" Chen, has been indicted for allegedly having accessed "restricted areas of a protected U.S. Government computer database and downloaded sensitive files from the National Inventory of Dams."
- U.S. Navy Marine Corps Intranet, September 2013. Iranian hackers breached the unclassified network used by the Department of the Navy to host websites and store non-sensitive information and communications. Many details of the attack remain classified, but the hackers were able to enter the "bloodstream" of the Navy's unclassified network and conduct surveillance on the system. There is no evidence that any data were stolen, but it took about four months to fully purge the hackers from the system. One senior U.S. official told The Wall Street Journal that the attack "was a real big deal…. It was a significant penetration that showed a weakness in the system."
- DOD Systems, October 2012–January 2013. Lauri Love, a British man, and unnamed co-conspirators connected to the hacker group Anonymous infiltrated multiple Army systems by exploiting a flaw in Adobe ColdFusion software that had not been updated with the latest security patches. The targets included:
  - The Army Network Enterprise Technology Command Center, where the hackers gained access to the personal information of over 1,000 individuals;
  - The Army Materiel Command, where they accessed non-public data, including competitive acquisition bids;
  - An Army Corps of Engineers server, from which the hackers stole non-public information on natural resource management and the personal information of thousands of individuals from the Corps office in Vicksburg, Mississippi;
  - The Plans and Analysis Integration Office, where the hackers accessed defense program budgeting data, among other materials;
  - The Fort Monmouth Army Corps Engineer Research and Development Center, where the hackers obtained classified Army Corps documents, including plans for the demolition and disposal of military facilities. The center was attacked again two months later by the same hackers, who used the same vulnerabilities to access massive amounts of personal, command, control, and intelligence data;
  - The Army War College's Strategic Studies Institute, where the hackers accessed unspecified data multiple times over several months; and
  - The Missile Defense Agency, from which the hackers stole the personal information of over 4,000 individuals.
- DOD Payroll, March 2012–June 2013. Several men who participated in an international cybercrime ring have been charged with hacking the DOD's payroll service and other private financial companies. While it is unclear how many individuals were affected, the government "has so far identified attempts to defraud the victim companies and their customers of more than $15 million."
U.S. Department of Energy (DOE)
- DOE, October 2013. The DOE Office of the Inspector General (IG) report for fiscal year (FY) 2013 found that one DOE site had 11 server systems and devices configured with either weak password protection or no protection at all. These weaknesses left the devices open to attack and unauthorized access that could have allowed attackers to reach and harm other internal DOE networks. Another DOE site had seven payroll servers configured with open access and no password protection, which could have allowed remote or rogue systems to access sensitive personal and financial information. In total, across the DOE, the IG found 29 new weaknesses and 10 unresolved weaknesses that had been identified the previous year.
- DOE Server, July 2013. In December 2012, the hacker group Anonymous exploited vulnerabilities in Adobe ColdFusion software to plant "back doors" on DOE servers. The hackers were able to access the server repeatedly and by July 2013 had stolen the personal information of between 104,000 and 150,000 individuals associated with the DOE, along with information on nearly 2,000 bank accounts. A federal audit later revealed that the DOE had been warned of weaknesses in its cybersecurity but had failed to act.
Federal Election Commission (FEC)
- FEC Computer System, October 2013. Chinese hackers crashed the FEC's computer system during the government shutdown, while no staffers were around to notice. The information the hackers accessed and the damage they caused remain undisclosed.
Internal Revenue Service (IRS)
- IRS, April 2014. An April 2014 Government Accountability Office (GAO) report found that the IRS had "not always effectively implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information." The GAO concluded that financial and taxpayer information remained vulnerable to unauthorized access or threat. Specifically, the IRS had failed to install and update security patches, monitor database controls, and restrict mainframe access.
- IRS Website, July 2013. The Social Security numbers of multiple individuals were exposed on the IRS website.
National Aeronautics and Space Administration (NASA)
- NASA Server, July 2013. Lauri Love, a British man, and unnamed co-conspirators connected to the hacker group Anonymous exploited flaws in the Adobe ColdFusion software on a NASA server and accessed numerous personal files.
U.S. Department of Health and Human Services (HHS)
- Healthcare.gov, August 2014. In July, an unknown hacker breached an HHS server and placed malicious software on it. The breach was discovered in August. There was no evidence that any consumer information was taken.
- Healthcare.gov, October 2013–January 2014. In addition to the much-maligned rollout of Healthcare.gov, multiple serious security flaws and vulnerabilities were found. One of them allowed hackers to reset users' passwords and gain access to their accounts. It took over three weeks before the vulnerabilities were corrected. Multiple cyber experts warned Congress, and the chief cybersecurity official of the Centers for Medicare and Medicaid Services revealed that HHS had been warned of possible security flaws before the website was launched. Additional vulnerabilities found in the "data-set" feature of Healthcare.gov in January 2014 allowed spam or potentially malicious external websites to advertise on Healthcare.gov.
U.S. Environmental Protection Agency (EPA)
- The FedCenter, January 2012. Lauri Love, a British man, and unnamed co-conspirators connected to the hacker group Anonymous exploited weaknesses in the FedCenter's server through its Adobe ColdFusion software. The hackers stole hundreds of megabytes of employees' personal information.
U.S. Office of Personnel Management (OPM)
- OPM Computer Systems, March 2014. Chinese hackers penetrated the computer systems of the OPM. It is unknown whether any personal information was stolen, but the network contained information on all federal employees and on applicants for top-secret security clearances.
Central Intelligence Agency (CIA)
- CIA Official Website, February 2012. The group known as Anonymous claimed responsibility for shutting down the CIA's homepage for a day.
U.S. Department of Veterans Affairs (VA)
- E-Verify, January 2014. A software glitch in the VA's E-Verify system exposed users' personal information to almost anyone with access to the system. The banking, medical, and military records of more than 5,300 users may have been affected.
Department of Education (DOE)
- DOE Networks, 2013. The DOE Inspector General's (IG) report for FY 2013 found that the DOE was using unsecured networks. The IG reported that the DOE consistently failed to follow the IT security configuration procedures established by the National Institute of Standards and Technology, with the result that security patches often went uninstalled. The absence of proper security updates leaves the DOE networks insecure and "increases the risks that unauthorized activities may occur and increases the potential that sensitive Department data may be released, used, or modified." IG audit testers were able to connect a rogue computer to the DOE headquarters network and access sensitive information unnoticed. The same issue had been identified in the 2011 and 2012 IG reports but had not been corrected.
U.S. Federal Courts
- Federal Court System, January 2014. A denial-of-service attack disabled PACER (the courts' electronic filing system), uscourts.gov, and several other federal court websites. The European Electronic Army claimed responsibility for the attack.
Unspecified Government Agencies
- Windows XP, April 2014. Federal officials had known for over six years that Microsoft would end its support for Windows XP in April 2014. Despite that, and despite a recent rush to upgrade government computers, about 10 percent of the 7 million computers used by the federal government still ran Windows XP after public support ended. XP use is spread throughout government agencies, including classified military and diplomatic systems. Without software support and security updates from Microsoft, hundreds of thousands of government computers remain vulnerable unless they are upgraded or covered by special support purchased from Microsoft.
- Federal Agencies, April 2014. An April 2014 GAO report found that reported security incidents involving personally identifiable information at federal agencies had more than doubled over the past several years, to 25,566 in 2013. The report also found that "agencies have had mixed results in addressing the eight components of an information security program called for by law, and most agencies had weaknesses in implementing specific security controls." Further, the GAO found that none of the agencies studied "consistently documented lessons learned from their breach responses."
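Three control failures recur throughout the list above: software left running past vendor support (Windows XP), known security patches not installed (the ColdFusion intrusions at the Army, DOE, NASA, and FedCenter; the IRS and Education findings), and servers exposed with no password or a default one (the Energy IG findings). An inventory-driven audit catches all three before an auditor or attacker does. The script below is an added illustration written for this page, not code from Heritage or any agency; the host records are constructed sample data, the 30-day patch threshold and the default-credential list are assumptions, and the only end-of-support date taken from the text is Windows XP's.

```python
"""Inventory-driven configuration audit (added illustration, constructed data).

Flags the three failure classes that recur in the breach list:
  * software past vendor end-of-support,
  * hosts whose last patch is older than a policy threshold,
  * network services reachable with no or default credentials.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Vendor end-of-support dates. The Windows XP date is the April 2014 cutoff
# discussed above; any further entry would be an assumption for this example.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
}

# Credentials treated as "no protection at all": blank or vendor defaults.
# Assumed list for illustration; a real audit would use the site's own baseline.
DEFAULT_CREDENTIALS = {"", "admin", "password", "changeme"}

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold


@dataclass
class Service:
    name: str
    port: int
    password: str | None  # None means no authentication configured at all


@dataclass
class Host:
    hostname: str
    os: str
    last_patched: date
    services: list[Service] = field(default_factory=list)


def audit_host(host: Host, today: date) -> list[str]:
    """Return one finding per failed control on a single host."""
    findings: list[str] = []
    eos = END_OF_SUPPORT.get(host.os)
    if eos is not None and today > eos:
        findings.append(f"{host.hostname}: {host.os} unsupported since {eos}")
    lag = (today - host.last_patched).days
    if lag > MAX_PATCH_AGE_DAYS:
        findings.append(f"{host.hostname}: last patched {lag} days ago")
    for svc in host.services:
        if svc.password is None:
            findings.append(f"{host.hostname}: {svc.name}/{svc.port} has no authentication")
        elif svc.password in DEFAULT_CREDENTIALS:
            findings.append(f"{host.hostname}: {svc.name}/{svc.port} uses a default or blank password")
    return findings


def audit_inventory(hosts: list[Host], today: date) -> list[str]:
    """Flatten per-host findings across the whole inventory."""
    return [finding for host in hosts for finding in audit_host(host, today)]


# Constructed sample inventory: hostnames, versions and passwords are made up.
SAMPLE_INVENTORY = [
    Host("payroll-01", "Windows Server 2008", date(2014, 1, 10),
         [Service("postgres", 5432, None)]),            # open database, stale patches
    Host("web-07", "Windows XP", date(2014, 4, 20),
         [Service("coldfusion-admin", 8500, "admin")]),  # EOL OS, default admin password
    Host("jump-02", "Ubuntu 12.04", date(2014, 4, 25),
         [Service("ssh", 22, "k9$Vq-long-random-passphrase")]),  # clean
]

AUDIT_DATE = date(2014, 4, 30)  # just after XP support ended


def audit_sample() -> list[str]:
    """Run the audit over the constructed inventory as of AUDIT_DATE."""
    return audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Running it yields four findings: two for payroll-01 (110 days without patches and an unauthenticated database), two for web-07 (Windows XP past end of support and a default ColdFusion admin password), and none for jump-02. The point is that each of these checks is a one-line comparison against data an agency already holds; what was missing in the cases above was not technology but the discipline to run the comparison and act on the result.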
First: Do No Harm
These hacks, plus other classified, undisclosed, or unknown cyber breaches and failures, clearly demonstrate that the government has not mastered cybersecurity. Government cybersecurity rules and regulations have been in place for years, but breaches and failures continue. Imposing stringent regulation on the private sector would likely harm innovation, result in costly rules, and create a compliance mindset rather than a security mindset. Before considering such regulations, the U.S. should pursue a variety of policies that empower the private sector and encourage real collaboration among the public and private sectors.
Congress and the Administration should:
- Enhance the sharing of cyber threat and vulnerability information. The private sector has a great deal of information and experience to contribute to U.S. cybersecurity efforts. To enable the flow of information, the government should provide strong liability, regulatory use, and Freedom of Information Act protections to sharers. Additionally, it should form a public-private partnership organization to act as a hub for timely information sharing between the government and the private sector.
- Lead international efforts to respond to cyber aggression. The government should take a leading international role in punishing malicious cyber nations and bad cyber actors. The U.S. should name and shame cyber aggressors, cease military and cyber cooperation with them, take legal action against foreign companies trafficking in stolen information or property, pursue trade and visa-related consequences, and consider greater support for democratic movements and Internet freedom in countries that are the most aggressive bad actors.
Cybersecurity for All
These breaches of government security as well as the many high-profile private-sector failures demonstrate that no cybersecurity system is perfect: There is no silver bullet. However, the U.S. can take simple and low-cost steps such as information sharing to improve public and private cybersecurity efforts. Such steps, along with reforms in cybersecurity insurance, supply chain security, and cyber workforce development, can make the U.S. more secure in cyberspace.
—David Inserra is Research Associate for Homeland Security and Cybersecurity in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation. Paul Rosenzweig is a Visiting Fellow in the Allison Center.