October 27, 2014 | Issue Brief on National Security and Defense
Recent high-profile private-sector hacks have once again put a spotlight on the issue of cybersecurity. This is a serious problem that requires legislation to improve the United States’ cybersecurity posture, but the U.S. should not reflexively adopt government regulation of cyberspace as a solution. There are concerns that such a response would not be cost-effective and would have an adverse effect on innovation. It could also potentially create a mindset of compliance rather than of security. Additionally, the government’s own cybersecurity track record raises questions about the effectiveness of government cyber regulations.
The following is a list of federal government cybersecurity breaches and failures, most of which occurred during 2013 and 2014. This list is part of a continuing series published by Heritage that serves as a long-term compilation of open-source data about federal cybersecurity breaches dating back to 2004.
This list is in no way complete: Some hacks might not be reported or are classified, and others have yet to be realized. In September 2014, Robert Anderson, executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI, told the Senate Homeland Security Committee that if a federal department believes it hasn’t been hacked, it is likely that the department is simply unaware of the hack. When Senator Coburn asked for a list of all the government hacks the panelists were aware of, he acknowledged that they may have to be discussed in a closed Senate hearing. Furthermore, the list below does not include the large number of private-sector failures. Nevertheless, the seriousness and number of known U.S. government cybersecurity failures undercut the argument for a government-led regulatory approach to cybersecurity.
The targets included:
These hacks, plus other classified, undisclosed, or unknown cyber breaches and failures, clearly demonstrate that the government has not mastered cybersecurity. Government cybersecurity rules and regulations have been in place for years, but breaches and failures continue. Imposing stringent regulation on the private sector would likely harm innovation, result in costly rules, and create a compliance mindset rather than a security mindset. Before considering such regulations, the U.S. should pursue a variety of policies that empower the private sector and encourage real collaboration among the public and private sectors.
These breaches of government security as well as the many high-profile private-sector failures demonstrate that no cybersecurity system is perfect: There is no silver bullet. However, the U.S. can take simple and low-cost steps such as information sharing to improve public and private cybersecurity efforts. Such steps, along with reforms in cybersecurity insurance, supply chain security, and cyber workforce development, can make the U.S. more secure in cyberspace.
David Inserra is Research Associate for Homeland Security and Cybersecurity in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation. Paul Rosenzweig is a Visiting Fellow in the Allison Center.