November 19, 2015 | Issue Brief on Cyber Security
Since 2004, October has been National Cyber Security Awareness Month (NCSAM). During this time, federal, state, and local governments examine how their systems and the U.S. are affected by cybercrimes. 2015 saw one of the largest breaches of a federal network system, with the Office of Personnel Management losing over 21 million former and current employees’ personal information. Alongside a dozen other digital breaches, these hacks show that the government is far from perfect in securing its own systems against persistent threats, and they signal a greater risk to national security.
This paper provides a list of 13 federal breaches not covered since the 2014 Heritage paper “Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation,” which covered a number of federal breaches extending before 2014. This paper can also be used in conjunction with the “Cyber Attacks on U.S. Companies” paper series and Heritage reports on “Congressional Guidance for Cybersecurity” and “Encryption and Law Enforcement Special Access.”
The date listed for each breach reflects when that hack was first reported to the public and does not necessarily reflect the actual time of the breach(es), which at times could span anywhere from a few days to over a year.
Office of Personnel Management (OPM), June 2015. Possibly the largest cyber breach to federal networks, this drawn-out theft of government workers’ information is traced as far back as early 2014, when it was revealed that U.S. Investigative Services—a security clearance company—was breached, affecting as many as 25,000 individuals. Additionally, KeyPoint Government Solutions, which conducts background checks of federal employees, was later hacked in December 2014, affecting as many as 49,000 individuals.
The first of two significant OPM breaches, in which the personal information of as many as 4 million current and former federal employees had been compromised, was revealed to the public in June. A second breach was detected later that month. OPM partnered with DHS as well as the FBI to determine the full extent of the breaches. Regrettably, the cyber attacks “predated the adoption of tougher security controls.”
After months of investigation, it was confirmed that the theft of federal employee information expanded to affect as many as 22,100,000 current and former employees. The breach accessed information like “applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends”—all taken from the 127-page SF-86 forms. It was later confirmed that over 5 million of those affected also had their fingerprint information taken.
The personal information taken from these SF-86 forms is a worry for those in the political and intelligence community, as this information is stored and cataloged by foreign states and non-state threats tracking U.S. expats overseas. Meanwhile, biometrics are being sought as an alternative method of information security. Unlike passwords, however, biometrics like fingerprints cannot be changed easily. Fingerprint information essentially grants the holder a master key to whatever the fingerprint is securing.
It should be noted that this list is incomplete. As Mike McConnell, former director of the National Security Agency, stated, the U.S. Congress, Department of Defense, State Department, and “every major corporation in the United States” have been victims of a cyber hack. Moreover, hearings following the OPM breach highlighted a number of agencies that had yet to meet their Federal Information Security Modernization Act requirements. According to the Government Accountability Office, “federal agencies continued to have weaknesses in protecting their information and information systems,” even as those agencies reported a greater number of incidents to US-CERT.
As government departments and agencies become more technologically dependent on the systems they use and the amount of information shared across the whole of government continues to increase, successful cyber attacks will pose an increasingly significant threat to national security. It will be challenging to coordinate but important to continue partnering with private business and those in the cybersecurity community to make sure that government systems and cyber skills are up-to-date with the most current cyber risks and threats. Meanwhile, if the U.S. plans to stay ahead of these cyber threats, it must avoid harmful regulations that prevent companies from developing new technologies for information security.
Policymakers should keep in mind that there is no silver bullet in matters of security. There is no single solution for countering cyber threats. Increasing information sharing and working more with international partners are just two initiatives in countering cybercrime, but these alone will not stop breaches. The U.S. should continue to pursue a multi-layered approach to securing its own networks. This can include relying on diplomatic methods to increase cyber cooperation or deter bad actors abroad, or enforcing a variety of sanctions to deal with uncooperative state and non-state actors.
—Riley Walters is a Research Assistant in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.
 David Inserra and Paul Rosenzweig, “Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation,” Heritage Foundation Issue Brief No. 4288, October 27, 2014, http://www.heritage.org/research/reports/2014/10/continuing-federal-cyber-breaches-warn-against-cybersecurity-regulation#_ftn2.
 Riley Walters, “Cyber Attacks on U.S. Companies in 2014,” Heritage Foundation Issue Brief No. 4289, October 27, 2014, http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014, and Riley Walters, “Cyber Attacks on U.S. Companies Since November 2014,” Heritage Foundation Issue Brief No. 4487, November 18, 2015, http://www.heritage.org/research/reports/2015/11/cyber-attacks-on-us-companies-since-november-2014.
 Steven P. Bucci, Paul Rosenzweig, and David Inserra, “A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace,” Heritage Foundation Backgrounder No. 2785, April 1, 2015, http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace.
 David Inserra, Paul Rosenzweig, Charles “Cully” Stimson, David Shedd, and Steven P. Bucci, “Encryption and Law Enforcement Special Access: The U.S. Should Err on the Side of Stronger Encryption,” Heritage Foundation Issue Brief No. 4559, September 14, 2015, http://www.heritage.org/research/reports/2015/09/encryption-and-law-enforcement-special-access-the-us-should-err-on-the-side-of-stronger-encryption.
 Stephanie Condon, “Healthcare.gov Server Hacked,” CBS News, September 4, 2014, http://www.cbsnews.com/news/healthcare-gov-server-hacked/ (accessed October 1, 2015).
 Evan Perez and Shimon Prokupecz, “How the U.S. Thinks Russians Hacked the White House,” CNN, April 8, 2015, http://www.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/ (accessed November 3, 2015).
 Mary Pat Flaherty, Jason Samenow, and Lisa Rein, “Chinese Hack U.S. Weather Systems, Satellite Network,” The Washington Post, November 12, 2014, https://www.washingtonpost.com/local/chinese-hack-us-weather-systems-satellite-network/2014/11/12/bef1206a-68e9-11e4-b053-65cea7903f2e_story.html (accessed October 2, 2015).
 Elizabeth Weise, “U.S. Postal Service Hacked, Told Congress Oct. 22,” USA Today, November 10, 2014, http://www.usatoday.com/story/tech/2014/11/10/us-postal-service-post-office-hacked/18795289/ (accessed October 1, 2015).
 Evan Perez, “Sources: State Dept. Hack the ‘Worst Ever’,” CNN Politics, March 10, 2015, http://www.cnn.com/2015/03/10/politics/state-department-hack-worst-ever/index.html (accessed October 2, 2015), and Nicole Perlroth, “State Department Targeted by Hackers in 4th Agency Computer Breach,” The New York Times, November 16, 2014, http://www.nytimes.com/2014/11/17/us/politics/state-department-targeted-by-hackers-in-4th-agency-computer-breach.html?_r=0 (accessed November 3, 2015).
 “FAA Computer Systems Hit by Cyberattack Earlier This Year,” National Journal, April 7, 2015, http://www.nationaljournal.com/defense/2015/04/07/FAA-Computer-Systems-Hit-Cyberattack-Earlier-This-Year (accessed October 1, 2015).
 Elise Viebeck, “Russians Hacked DOD’s Unclassified Networks,” The Hill, April 23, 2015, http://thehill.com/policy/cybersecurity/239893-russians-hacked-dods-unclassified-networks (accessed October 2, 2015).
 “St. Louis Federal Reserve Suffers DNS Breach,” KrebsonSecurity, May 15, 2015, http://krebsonsecurity.com/2015/05/st-louis-federal-reserve-suffers-dns-breach/ (accessed November 3, 2015).
 Elizabeth Weise, “IRS Hacked, 100,000 Tax Accounts Breached,” USA Today, May 6, 2015, http://www.usatoday.com/story/tech/2015/05/26/irs-breach-100000-accounts-get-transcript/27980049/ (accessed October 2, 2015).
 Elizabeth Weise, “U.S. Army Website Hacked, Syrian Group Claims Credit,” USA Today, June 8, 2015, http://www.usatoday.com/story/tech/2015/06/08/us-army-website-wwwarmymil-syrian-electronic-army-hack/28703173/ (accessed November 3, 2015).
 Jim Finkle and Mark Hosenball, “US Undercover Investigators Among Those Exposed in Data Breach,” Reuters, August 23, 2014, http://www.reuters.com/article/2014/08/23/us-usa-security-contractor-cyberattack-idUSKBN0GM1TZ20140823 (accessed October 5, 2015).
 Christian Davenport, “KeyPoint Network Breach Could Affect Thousands of Federal Workers,” The Washington Post, December 18, 2014, https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html (accessed November 3, 2015).
 News release, “OPM to Notify Employees for Cyber Security Incident,” OPM.gov, June 4, 2015, http://www.opm.gov/news/releases/2015/06/opm-to-notify-employees-of-cybersecurity-incident/ (accessed October 2, 2015).
 Ellen Nakashima, “Chinese Hack of Federal Personnel Files Included Security-Clearance Database,” The Washington Post, June 12, 2015, http://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html?wpisrc=al_alert-national (accessed October 1, 2015).
 Andrea Peterson, “OPM Says 5.6 Million Fingerprints Stolen in Cyberattack, Five Times as Many as Previously Thought,” The Washington Post, September 23, 2015, https://www.washingtonpost.com/news/the-switch/wp/2015/09/23/opm-now-says-more-than-five-million-fingerprints-compromised-in-breaches/ (accessed November 3, 2015).
 Aaron Boyd, “Anonymous Hacks Census Bureau, Exposing More Feds’ Data,” Federal Times, July 27, 2015, http://www.federaltimes.com/story/government/cybersecurity/2015/07/27/anonymous-census-bureau-hack/30730043/ (accessed October 2, 2015).
 Tom Vanden Brook and Michael Winter, “Hackers Penetrated Pentagon Email,” USA Today, August 7, 2015, http://www.usatoday.com/story/news/nation/2015/08/06/russia-reportedly-hacks-pentagon-email-system/31228625/ (accessed October 1, 2015).
 Jose Pagliery, “Ex-NSA Director: China Has Hacked ‘Every Major Corporation’ in U.S.,” CNN Money, March 16, 2015, http://money.cnn.com/2015/03/13/technology/security/chinese-hack-us/index.html (accessed October 1, 2015).
 Michael R. Esser, “OPM: Data Breach,” statement before the Committee on Oversight and Government Reform, U.S. House of Representatives, June 16, 2015, http://oversight.house.gov/wp-content/uploads/2015/06/Esser-OPM-OIG-Statement-6-16-Data-Breach.pdf (accessed November 3, 2015).