Abstract: The number of cybersecurity attacks on, and breaches within, the United States government has been growing. The U.S. Senate is now gearing up to debate cybersecurity legislation—and will have to vote on whether the federal government should regulate cybersecurity measures of the private sector as well as those of government. The government’s track record on cybersecurity does not inspire confidence that it can devise effective cybersecurity regulations for the private sector. Cybersecurity for the nation should be a cooperative effort between the private sector and the government, with each contributing in its own way. Onerous regulations are not the solution to the ever-expanding reality of cyberthreats.
As the Senate prepares for its debate over cybersecurity legislation, one of the most important questions it will have to address is whether the federal government, acting through the Department of Homeland Security (DHS), should play a significant role in crafting cybersecurity regulations that will govern activities of the private sector as well as of government. Proponents of such a role, embodied in Title I of the Lieberman–Collins Cybersecurity Act of 2012, contend that the private sector has done an inadequate job of protecting itself and that market incentives have not developed appropriately to promote self-protection. Opponents of Title I argue that the government is ill equipped to develop effective cybersecurity regulations and that the regulatory process is too cumbersome for the development of rules and standards applicable to the dynamic cyberdomain.
One possible approach to resolving this dispute is to ask whether the federal government has done an effective job of protecting its own networks and cyberdata. To the extent that it has, it might be deemed an appropriate source of private-sector standards; to the extent it has not, a contrary opinion might be formed. It is, thus, worth considering the extent of cyber-attacks on, and breaches within, the federal government since 2004. To be sure, the significance of certain attacks and breaches lies in the eye of the beholder—the compiler of any list necessarily exercises judgment in making the determination. And, without a doubt, a comparable list of significant attacks on, and breaches within, the private sector would be far more extensive. Nevertheless, the substantial number of significant, successful attacks on federal systems should play a role in determining whether to entrust DHS with a regulatory role in the private-sector cyberdomain. The list is alphabetical by agency.
Central Intelligence Agency
1. CIA Official Website—June 2011. The CIA’s homepage was shut down by a cyber-attack by LulzSec, an anonymous hacker group believed to hack websites simply for fun.
2. Senate—June 2011. The Sergeant at Arms confirmed that the Senate website had been hacked after files from the website were posted online, indicating that Lulz Sec had broken into the Senate’s computer network.
3. Office of Senator Bill Nelson (D–FL)—March 2009. Senator Nelson confirmed that his personal office computers had been subject to three separate attacks by China-based hackers.
4. Offices of Representative Frank Wolf (R–VA) and the House Foreign Affairs Committee—August 2006. Representative Wolf announced that the computers at his personal office, a number of unnamed Representatives’ offices, and the office of the House Foreign Affairs Committee had been hacked by China-based hackers.
U.S. Department of Agriculture
5. Washington, D.C., Headquarters—June 2006. The Department of Agriculture was subject to a cyber-attack by an unknown entity, during which the names, Social Security numbers, and photographs of 26,000 employees were stolen.
U.S. Department of Commerce
6. Economic Development Administration—February 2012. The Department of Commerce had to disconnect its computers from the Internet because unknown intruders injected a virus into the Economic Development Administration’s computer network.
7. Commerce Department Website—December 2009. The Commerce Department accidentally posted personally identifiable information and Social Security numbers on its website, and did not notify employees until seven weeks after the fact.
8. Secretary of Commerce—December 2007. Spying software was found on the electronic devices of the Commerce Secretary following a trip to China with the Joint Commission on Commerce and Trade.
9. Bureau of Industry and Security—October 2006. The Department of Commerce had to take the Bureau of Industry and Security’s networks offline for several months and replace hundreds of computers because its networks were hacked by unknown foreign intruders. The bureau reviews confidential information on high-tech exports.
U.S. Department of Defense (DOD)
10. F-35 Fighter-Plane Development—February 2012. The Commerce Department’s Bureau of Industry and Security announced that delays and high costs for the development of the F-35 stemmed from addressing cybersecurity after China-based hackers stole classified information discussing the technology.
11. Unmanned Aerial Vehicle, Afghanistan—December 2011. An RQ-170 stealth drone went missing and apparently crashed near the Iranian border. Iran claimed to have downed the drone through a cyber-attack.
12. Defense Department Contractor—July 2011. In a speech unveiling the Defense Department’s cyberstrategy, the Deputy Secretary of Defense mentioned that a defense contractor’s computer was hacked, and 24,000 files relating to sensitive systems being developed were stolen by unidentified hackers.
13. National Guard—December 2010. A computer containing the personal information on 650 soldiers was stolen from Santa Fe, New Mexico, headquarters by an unknown entity.
14. The Army—April 2010. The Army lost personal data of reservists through unknown means and has warned affected reservists to “check credit bureau reports and be aware of the possibilities of identity theft.”
15. Unmanned Aerial Vehicle (UAV) Feeds—December 2009. Downlinks from U.S. UAVs were hacked by Iraqi insurgents using inexpensive file-sharing software, allowing them to see what the UAVs had viewed.
16. U.S. Central Command—November 2008. Classified networks at the Defense Department and Central Command relating to U.S. involvement in Iraq and Afghanistan were subject to a cyber-attack thought to have originated in Russia.
17. Secretary of Defense’s E-Mail Account—June 2007. The Secretary of Defense’s unclassified e-mail account was hacked by unknown foreign intruders.
18. National Defense University—May 2007. Spyware on the university’s computer system left the university’s e-mail vulnerable to attacks; the university ultimately had to take its systems offline due to intrusions by unknown foreign hackers.
19. Naval War College—November 2006. The Naval War College in Rhode Island had to shut down its computer systems for two weeks following a cyber-attack. The Naval War College develops strategies for naval warfare, as well as for cybersecurity and cyberwarfare.
20. Non-Classified Internet Provider Router Network—August 2006. A senior Air Force officer announced that “China has downloaded 10 to 20 terabytes of data from the NIPRNet.”
U.S. Department of Education
21. Computer Theft—August 2006. Computers containing personal information of grant reviewers were stolen by unknown thieves.
U.S. Department of Energy (DOE)
22. National Nuclear Security Administration (NNSA)—October 2011. A report issued by the Energy Department disclosed that the NNSA had been hit by recent successful cyber-attacks perpetrated by unknown attackers.
23. Pacific Northwest National Laboratory (PNNL)—July 2011. PNNL shut down access to its networks after learning it was subject to a highly sophisticated cyber-attack by an unknown entity.
24. Thomas Jefferson National Accelerator Facility (TJNAF)—July 2011. Thomas Jefferson National Laboratory shut down access to its networks after learning it was subject to a highly sophisticated cyber-attack by an unknown entity.
25. Oak Ridge National Laboratory (ORNL)—April 2011. ORNL, home to powerful supercomputers, shut down access to the Internet after employees received e-mails with a link that allowed the unknown attackers to siphon off data. ORNL reported that a “few megabytes” of data were stolen.
26. Oak Ridge National Laboratory—October 2007. Over a thousand staffers at ORNL received an e-mail with an attachment that, when opened, provided unknown intruders with access to the lab’s databases.
U.S. Department of Homeland Security (DHS)
27. DHS Website—February 2012. The DHS website was taken down due to a cyber-attack, attributed to the hacker group Anonymous.
28. Homeland Security Information Network (HSIN)—May 2009. HSIN was hacked by unknown intruders, who gained access to state and federal information. The HSIN is intended to be a secure portal for information sharing among federal, state, and industry partners.
29. DHS Washington, D.C., Headquarters—September 2007. Dozens of DHS computers and servers were hacked—the cyber break-ins were traced to a Chinese-language website, through which an unknown amount of sensitive information was stolen. The contractor hired to protect DHS computers tried to hide the incident from DHS, citing the fact that DHS had stopped paying for security monitoring services.
30. DHS Washington, D.C., Headquarters—June 2007. DHS officials acknowledged that two internal DHS servers were infected with computer malware designed to steal passwords and other sensitive data.
31. DHS Washington, D.C., Headquarters—2005–2006. A 2007 report by the Government Accountability Office cited 884 cyber-attacks on DHS during 2005 and 2006.
U.S. Department of the Interior (DOI)
32. National Business Center, Denver, CO—May 2010. The center reported that it had lost a computer disk containing the personal information of 7,500 employees.
33. DOI Audit—November 2009. The DOI failed a cybersecurity audit conducted by the DOI Inspector General, which stated that the agency falls short of security requirements.
34. DOI Washington, D.C., Headquarters—February 2002. The DOI was forced, under court order, to disconnect all computers from the Internet until it could prove that it had fixed major security problems, which turned out to take two months.
U.S. Department of Justice (DOJ)
35. DOJ Websites—January 2012. The hacker group Anonymous claimed responsibility for taking down the DOJ websites usdoj.gov and justice.gov in a cyber-attack to protest the FBI shutting down Megaupload.com, one of the largest file-sharing websites in the world.
Federal Bureau of Investigation (FBI)
36. FBI–Scotland Yard Conference Call Discussing the Hacker Group Anonymous—February 2012. Members of Anonymous intercepted and posted a recording of the conference call online.
37. FBI Website—January 2012. Anonymous claimed credit for taking down the FBI website, FBI.gov, in a cyber-attack to protest the FBI shutting down Megaupload.com.
38. FBI Phone Network—June 2011. The FBI’s phone network was taken down due to a cyber-attack by LulzSec.
U.S. Department of State
39. Bureau of East Asian and Pacific Affairs—June 2006. The State Department confirmed that its networks at its headquarters and offices dealing with Asia were subject to an attack that began at U.S. embassies in the East Asia–Pacific region. Unknown foreign intruders downloaded sensitive information and passwords.
40. Washington, D.C., Headquarters—2005–2008. A State Department employee illegally accessed a State Department database that contained more than 60 passport application files.
U.S. Department of Transportation (DOT)
41. National Highway Traffic Safety Administration (NHTSA)—June 2010. Canadian bloggers discovered that the NHTSA was inadvertently posting sensitive personal information on its website.
42. DOT Website—July 2009. The DOT website was shut down by a cyber-attack perpetrated by unknown hackers that was part of a larger effort to shut down websites in the United States and South Korea.
Federal Aviation Administration (FAA)
43. FAA Computer Networks—May 2009. A report released by the Department of Transportation acknowledged that the FAA administrative networks that manage air-traffic flow and electric power were subject to cyber-attacks by unknown hackers who gained access to data used to manage the network.
U.S. Department of the Treasury
44. Treasury Department Website—July 2009. The Treasury website was shut down by the same cyber-attack that affected the DOT the same month, which was part of a larger effort to bring down websites in the United States and South Korea.
U.S. Department of Veterans Affairs (VA)
45. VA Employee Robbed—May 2009. Thieves stole electronic records, containing information on 26.5 million people, from the residence of a VA employee who had not been authorized to take the electronic equipment home.
Federal Trade Commission (FTC)
46. FTC Online-Security Website—January 2012. The website run by the FTC dedicated to cybersecurity education, OnGuardOnline.gov, was taken down and defaced by a cyber-attack perpetrated by a hacker group known as AntiSec.
47. FTC Main Website—July 2009. The FTC website was shut down by a cyber-attack that was part of a larger effort to bring down websites in the United States and South Korea.
National Aeronautics and Space Administration (NASA)
48. Various NASA Servers—2010–2011. NASA was subject to 5,400 security incidents in 2010 and 2011, during which unknown hackers gained “full functional control” of important systems 13 times.
49. NASA Satellite—November 2011. The U.S.–China Economic and Security Review Commission announced that suspected Chinese hackers, through malicious cyber-activity, took control of two NASA satellites for more than 11 minutes over the course of 2007 and 2008.
50. Jet Propulsion Laboratory—May 2011. The laboratory’s website was compromised due to a cyber-attack by unknown hackers.
51. Goddard Earth Observing System—May 2011. A Romanian hacker known as “Tinkode” gained access to information contained on servers for the satellite-based Earth-observation system.
52. International Space Station—March 2011. A laptop containing the codes to control the International Space Station was stolen; 48 other NASA mobile computing devices were stolen or lost between April 2009 and April 2011 that contained sensitive information, including Social Security numbers.
53. Jet Propulsion Laboratory—2009. The Office of the Inspector General reported that various hackers had compromised one of NASA’s key mission networks, making thousands of unauthorized connections to the network and stealing export-restricted data from NASA Jet Propulsion Laboratory systems.
54. NASA Washington, D.C., Headquarters—December 2006. NASA blocked all e-mails with attachments before shuttle launches for fear its network would be hacked by unknown foreign intruders.
55. Various NASA Servers—2004. Suspected Chinese hackers, code-named Titan Rain by the FBI, stole a significant amount of information from sensitive networks at NASA and military labs.
56. Ames Research Center—2004. A cyber-attack by an unknown hacker on the Ames Research Center forced the agency to disconnect its supercomputers from the Internet in order to limit the loss of secure data.
57. X-Ray Satellite and Goddard Space Flight Center—September 1998. NASA investigators reported that the failure of an x-ray satellite was due to a cyber-attack on the Goddard Space Flight Center.
National Archives and Records Administration (NARA)
58. NARA Washington, D.C., Headquarters—April 2009. A hard drive containing Social Security numbers of more than 100,000 people who had visited or worked in the White House during the Clinton Administration was lost.
U.S. Office of Personnel Management (OPM)
59. USAJOBS.gov—January 2009. The Office of Personnel Management website and database for USAJOBS.gov, the federal government’s employment website, allowed unknown perpetrators to gain access to private information on the site’s millions of users.
U.S. Copyright Office
60. Main Website—January 2012. Hacker group Anonymous claimed credit for taking down the Copyright Office website, copyright.gov, in a cyber-attack to protest the FBI shutting down Megaupload.com.
Unspecified Government Agencies
61. Six Federal Agencies—August 2011. A five-year hacker endeavor called Operation Shady RAT collected data from six unknown government agencies.
62. State Department Cable—April–October 2008. A State Department cable published by WikiLeaks reported that hackers stole “50 megabytes of e-mail messages and attached documents, as well as a complete list of usernames and passwords from an unspecified [U.S. government] agency.”
Government-Centric Approach Is Wrong
The list above is certainly grounds to be skeptical of a cybersecurity approach that gives government regulators a significant role in developing baseline security standards. The government and the private sector both have a great deal to contribute to the country’s cybersecurity, and a new, expansive regulatory burden would undermine, not enhance, public-private cooperation. Instead of adding regulations, Congress should:
- Promote Information Sharing. The government has a great deal of cybersecurity-threat information that could help the private sector prevent similar attacks and breaches. Many private-sector entities have cybersecurity information of their own that could help other private entities as well as the government. By implementing voluntary information sharing with adequate liability and privacy protections, cybersecurity can be improved.
- Reject Onerous Regulations. Though it is tempting to think that government officials can mandate cybersecurity improvements for the private sector, such efforts will likely impose massive costs on the private sector, while harming innovation as entities eschew potentially superior security for mere compliance with government regulations. Indeed, most standards that the government adopts will be rendered obsolete by constantly improving technology before they can even be implemented. Americans do not need a “Cyber SarbOx” approach to this multidimensional domain.
- Secure Government Data. Congress and the Administration should strengthen government’s cybersecurity systems. Migrating the computer networks of certain agencies to the cloud would help the government take advantage of private-sector security innovations, while also reducing costs. Other options, such as “air gapping,” unplugging critical networks from the Internet altogether, should be considered. Education efforts to stop phishing and other attacks directed at government personnel should also be expanded. Once again, improving information sharing could help improve cybersecurity across the government.
Enhancing U.S. Cybersecurity Through Cooperation
The federal government’s record on cybersecurity does not inspire confidence that it can provide a solution to the cybersecurity threats faced by the private sector. Cybersecurity should be a cooperative effort between the private sector and the government, with each contributing in its own way. The government is in a position to collect and share important cybersecurity threat and vulnerability information, while the private sector can innovate and share information as well.
—Paul Rosenzweig is a Visiting Fellow in the Center for Legal & Judicial Studies and the Douglas and Sarah Allison Center for Foreign Policy Studies, a division of the Kathryn and Shelby Cullom Davis Institute for International Studies, at The Heritage Foundation.