Straight talk: the federal government is doing a terrible job at cybersecurity. A recent report by security firm Veracode shows that 76% of federal web applications don’t meet cybersecurity standards — ranking behind every civilian industry studied. And that’s not even the worst of it.
Not only are government agencies cutting back on the software audits and risk analyses that would let them anticipate new attacks, they’re leaving the vulnerabilities they do find unresolved. Only 27% of known security holes get patched, and nobody knows how many others are being overlooked entirely.
The results are unsurprising: there were more than 67,000 federal security breaches in 2014 — 12 times the 5,500 breaches in 2006. And with laxer rules for state and local government agencies, the situation at the local level is less encouraging. It may have surprised people when hackers made off with vast stores of personal information about federal employees, but it shouldn’t have.
If there’s any good news, it’s that the recent, devastating OPM (Office of Personnel Management) breach has served as a much-needed wake-up call. More and more government agencies are realizing that they need better systems to protect their data. Security officers need to create policies that go beyond merely complying with minimum standards and actually anticipate new threats. Organizations need to educate their employees and audit their systems to make sure they’re following data security best practices, and government files and communication need to be encrypted as a rule. Before planning a system-wide security audit, however, government officials should be aware of these 5 challenges:
1. Securing Personally Identifiable Information
Government organizations deal with enormous amounts of personally identifiable information (PII), and have done a terrible job protecting it. Department of Veterans Affairs data breaches have exposed birthdates, Social Security numbers, family information, disability ratings, and detailed medical information on service members. Hackers have also breached many other government organizations that store protected PII, including the Department of Health and Human Services, the National Institutes of Health, the Substance Abuse and Mental Health Services Administration, and Medicare and Medicaid service centers.
The OPM breach compromised the public servants themselves, exposing data on “every single active non-military federal employee, former employee and every retiree who used to work for a federal agency.” According to American Federation of Government Employees president J. David Cox, the data includes “every person’s Social Security Number, military records, veterans’ status information, address, birth date, job and pay history, health insurance, life insurance and pension information.”
2. HIPAA Data Security Compliance
Government organizations dealing with healthcare information have to go far beyond basic data security. Medicaid and Medicare providers, the VA, state university health systems, and any other government organization that handles Protected Health Information (PHI) as a covered entity is subject to stringent HIPAA regulations, and that’s just the start. The obligation doesn’t stop at the covered entity: medical professionals who provide services to a hospital, clerical contractors, and IT and cloud storage providers that handle PHI on its behalf are business associates, and they are required to follow HIPAA’s safeguards too.
HIPAA-compliant government organizations are also on the hook for these partners. They need to make sure everyone who has access to their PHI is following HIPAA protocol, and they must have each partner sign a Business Associate Agreement (BAA). It can be tough even to figure out which partners require BAAs, let alone to make sure everyone actually abides by the rules.
And HIPAA compliance rules aren’t easy to understand. They’re comprehensive, but often vaguely worded, and they require a dedicated security staff to implement correctly. The HIPAA administrative safeguards require each organization to create a written HIPAA policy governing the storage of PHI, appoint a security officer responsible for compliance, conduct a risk analysis, enforce password best practices among staff, and document its evolving security practices religiously.
These organizations also need to put into place physical safeguards to guard against physical threats to PHI. This includes preventing break-ins, shredding old copies of printed PHI, making sure monitors aren’t facing publicly-accessible areas, erasing old data before the organization gets rid of computers, and more.
Perhaps most challenging are the requirements for technical safeguards. To be HIPAA compliant, government organizations need access control policies to make sure only the right people can access electronic PHI (ePHI). They need audit controls and integrity controls as well: systems that record how ePHI is accessed, by whom, and when, and that make any improper alteration or destruction of ePHI detectable. Finally, they need transmission security measures so that no one can intercept or tamper with ePHI when it’s sent over a network.
3. CJIS Data Security
While all government agencies have to worry about securing their data, law enforcement agencies face a unique set of challenges. If data about criminal investigations falls into the wrong hands, it can tip off criminals and criminal gangs; put witnesses, law enforcement agents, and victims at risk; and undermine the ability of law enforcement to investigate, prevent, and prosecute crimes. Law enforcement agencies face multiple potential attack vectors, from hackers stealing government data, to criminals stealing electronic devices, to law enforcement officers (LEOs) accidentally leaving computers logged in to law enforcement databases.
Like HIPAA, CJIS compliance applies to a wide range of organizations. Local, state, and federal law enforcement organizations are responsible for CJIS data security, as are cloud storage and software vendors used by LEOs.
And like HIPAA, CJIS compliance isn’t easy. Organizations need to prevent unauthorized access by locking accounts after a limited number of unsuccessful login attempts, automatically logging out idle sessions, regularly auditing and reviewing who has accessed criminal justice information, and following data security best practices. CJIS also requires advanced (multi-factor) authentication, meaning a second factor beyond a single password, and strong encryption of criminal justice information both in transit and at rest.
Most crucially, government organizations have to make sure their personnel aren’t inadvertently compromising security. No matter how good an organization’s CJIS procedures are, one agent using “password” as their password can leave a massive hole in data security. When public safety, or even national security, is at stake, government organizations need to make CJIS compliance their highest priority.
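The HIPAA technical safeguards (access control, audit and integrity controls) and the CJIS login rules (lockout after repeated failures, idle-session logout) described above are easier to reason about in code than in regulation text. The following is an added example, not Virtru’s product code or anything published by an agency; the thresholds, usernames and record IDs are illustrative assumptions, not values taken from either regulation. The audit log is made tamper-evident with an HMAC chain so that an edited or deleted entry fails verification, which is one way to meet an integrity-control requirement.

```python
"""Login lockout, idle-session expiry, role-based record access and a
tamper-evident audit log. Added example; thresholds are assumptions."""
import hashlib
import hmac
import secrets

MAX_FAILED_LOGINS = 5            # assumed lockout threshold
FAILURE_WINDOW_SECONDS = 15 * 60  # failures older than this no longer count (assumed)
LOCKOUT_SECONDS = 10 * 60        # assumed lockout duration
IDLE_TIMEOUT_SECONDS = 30 * 60   # assumed idle-session limit


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuditLog:
    """Append-only log. Each entry's MAC covers the previous MAC, so editing
    or deleting any record breaks verification of everything after it."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # list of (event, mac)
        self._prev = b""

    def record(self, event: str) -> None:
        mac = hmac.new(self._key, self._prev + event.encode(), "sha256").digest()
        self.entries.append((event, mac))
        self._prev = mac

    def verify(self) -> bool:
        prev = b""
        for event, mac in self.entries:
            expected = hmac.new(self._key, prev + event.encode(), "sha256").digest()
            if not hmac.compare_digest(expected, mac):
                return False
            prev = mac
        return True


class AccessGateway:
    def __init__(self, clock, audit_key: bytes):
        self.clock = clock        # callable returning seconds; injected for determinism
        self.audit = AuditLog(audit_key)
        self._users = {}          # name -> {"salt", "hash", "roles"}
        self._failures = {}       # name -> (count, time of first failure in window)
        self._locked_until = {}   # name -> time
        self._sessions = {}       # token -> {"user", "last_seen"}
        self._record_acl = {}     # record id -> roles allowed to read it

    def add_user(self, name, password, roles):
        salt = secrets.token_bytes(16)
        self._users[name] = {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}

    def add_record(self, record_id, allowed_roles):
        self._record_acl[record_id] = set(allowed_roles)

    def login(self, name, password):
        now = self.clock()
        if self._locked_until.get(name, 0) > now:
            self.audit.record(f"{now} LOGIN_REFUSED_LOCKED user={name}")
            return None
        user = self._users.get(name)
        # Hash even for unknown users so timing does not reveal valid usernames.
        candidate = _hash_password(password, user["salt"] if user else bytes(16))
        if user is None or not hmac.compare_digest(candidate, user["hash"]):
            count, first = self._failures.get(name, (0, now))
            if now - first > FAILURE_WINDOW_SECONDS:
                count, first = 0, now
            count += 1
            self._failures[name] = (count, first)
            self.audit.record(f"{now} LOGIN_FAILED user={name} count={count}")
            if count >= MAX_FAILED_LOGINS:
                self._locked_until[name] = now + LOCKOUT_SECONDS
                self.audit.record(f"{now} ACCOUNT_LOCKED user={name}")
            return None
        self._failures.pop(name, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": name, "last_seen": now}
        self.audit.record(f"{now} LOGIN_OK user={name}")
        return token

    def access_record(self, token, record_id) -> bool:
        now = self.clock()
        session = self._sessions.get(token)
        if session is None:
            self.audit.record(f"{now} ACCESS_DENIED reason=no_session record={record_id}")
            return False
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]  # idle session is logged out, not renewed
            self.audit.record(f"{now} SESSION_EXPIRED user={session['user']}")
            return False
        session["last_seen"] = now
        roles = self._users[session["user"]]["roles"]
        allowed = bool(roles & self._record_acl.get(record_id, set()))
        verdict = "GRANTED" if allowed else "DENIED"
        self.audit.record(f"{now} ACCESS_{verdict} user={session['user']} record={record_id}")
        return allowed


class FakeClock:
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through lockout, lockout expiry, role checks, idle expiry and
    audit-log tampering; constructed users and records, not real data."""
    clock = FakeClock(1_000_000)
    gw = AccessGateway(clock, audit_key=b"demo-key-not-for-production")
    gw.add_user("jdoe", "correct horse battery staple", roles={"detective"})
    gw.add_record("case-4711", allowed_roles={"detective"})
    gw.add_record("phi-9001", allowed_roles={"clinician"})
    r = {}
    for _ in range(MAX_FAILED_LOGINS):          # five wrong passwords lock the account
        gw.login("jdoe", "wrong")
    r["locked_out"] = gw.login("jdoe", "correct horse battery staple") is None
    clock.advance(LOCKOUT_SECONDS + 1)
    token = gw.login("jdoe", "correct horse battery staple")
    r["login_after_lockout"] = token is not None
    r["own_case"] = gw.access_record(token, "case-4711")   # role matches
    r["phi_denied"] = gw.access_record(token, "phi-9001")  # role does not match
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    r["idle_expired"] = gw.access_record(token, "case-4711")
    r["audit_intact"] = gw.audit.verify()
    # An insider scrubbing the lockout entry breaks the HMAC chain.
    gw.audit.entries = [e for e in gw.audit.entries if "ACCOUNT_LOCKED" not in e[0]]
    r["tamper_detected"] = not gw.audit.verify()
    return r


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the idle check removes the session rather than silently refreshing it, so a forgotten logged-in terminal really does log out; and the audit key must be held somewhere the people being audited cannot reach (an HSM or a separate logging host), otherwise the HMAC chain proves nothing against an insider.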
4. Cyberterrorism and Data Security
Cyberterrorism concerns often take a backseat to protecting against more traditional forms of terrorism and to cyber-espionage. After all, there are easier ways to spread fear and panic, and it’s far more profitable for attackers to steal information from government systems than simply to break them. Nonetheless, cyberterrorism presents a real and growing threat to government agencies and data security. A cyberterrorist can attack electronic infrastructure from anywhere, without ever being physically present, with nothing more than a computer, an Internet connection, and some know-how.
Cyberterror attacks are often launched by governments or their sympathizers in response to the actions of another country. In 2007, following a dispute with Russia over the relocation of a Soviet war memorial, a wave of denial-of-service attacks flooded Estonian websites for roughly three weeks. The attacks knocked out online banking, newspapers, government sites, and other vital services, and coincided with street riots that added to the chaos.
A similar attack was launched against Israel in 2009, bogging down government servers in response to the Gaza offensive. In Israel’s case, this is only one in a series of increasingly powerful attacks in response to conflicts with Palestine.
These cyberattacks undermine important services, but experts fear hackers will soon start to target critical infrastructure, causing far more devastation. According to global IT security expert Eugene Kaspersky, the power system is especially vulnerable, because everything else depends on it. If a cyberterrorist were able to disrupt power stations or the power grid, it would paralyze civilian infrastructure, along with nearly all government services.
Because many utilities are poorly guarded, a terrorist could compound a cyberattack by coordinating it with a physical attack, such as a bomb targeting a power plant, and plunge an entire region of the country into darkness. And it’s not just foreign governments we need to worry about; terrorist groups, and even criminal gangs, could have the capability to disrupt the electrical grid.
5. Cyber-espionage and Data Security
Activists and petty criminals still commit cyber-espionage, but the lone hacker of the past is increasingly being replaced by sophisticated state-backed organizations and cyber-gangs. Although the US has not officially assigned blame, the massive OPM breach was almost certainly carried out by China. Another recent cyber-espionage attack, attributed to Russia, breached the Pentagon’s (fortunately, unclassified) email system. Still, it’s worth asking: how close did they come to compromising top-secret Pentagon communications?
The cyber-espionage of the Russian hacker group APT29 is even more chilling. This group uses the HAMMERTOSS malware to establish a persistent foothold on its targets’ computers. Each infected machine then looks up a daily-changing Twitter handle that the attackers control. From the outside, the tweets look like uninteresting links to pictures, but the linked images carry hidden, encrypted instructions that tell the malware what to run and where to upload stolen data.
The system is stunningly sophisticated in its ability to cover its tracks, and the group constantly refines its tooling to stay one step ahead of security researchers. Although the federal government has not been a confirmed target of theirs yet, there’s no reason to believe that APT29, or a similar group, won’t turn its attention our way in the future. Moreover, the stealthiness of such techniques and the laxity of government security make it quite possible that they already have.
Virtru Email Encryption Boosts Data Security
From the largest government databases to the smallest municipal website, we’ve fallen dangerously behind data security best practices. Encryption won’t fix everything, but it’s a crucial first step toward greater security. Virtru secure email gives government agencies an easy way to encrypt emails and secure attachments. Once it’s installed, Virtru protects emails with the click of a button, preventing hackers, spies, and cyberterrorists from reading your messages, even if they intercept them.
Whether you’re protecting HIPAA records, CJIS data, or government employee records, Virtru is an easy and essential way to keep your communications secure.