The U.S. government is still reeling from the massive cyber attack that targeted the Office of Personnel Management (OPM) in June. And with good reason – thus far, the breach is deemed the worst attack on government networks in U.S. history. Reports have emerged that the breach is possibly four times larger than officials originally presumed, placing estimated losses at upwards of 18 million records, according to FBI officials. And that number might grow, due to the fact that hackers infiltrated a database that contained highly private information on family members and associates of those whose records were hacked. While these numbers are startling, this breach likely represents the tip of the iceberg in a growing trend of advanced, state-funded and highly organized attacks. In any case, the OPM breach offers a few clear lessons that organizations should keep in mind when building out security defenses to protect themselves from future attacks.
First, the OPM breach underscores that attackers will continue to target unencrypted data first, since it is low-hanging fruit that gives easy access to an organization’s crown jewels. In the OPM case, attackers homed in on highly sensitive information contained on background-check application forms, which include medical and travel histories, arrest and drug records, and contact information for colleagues, friends and relatives, among other things. Yet despite the strong potential for loss, theft and exploitation, this personal information was stored unencrypted in government databases, leaving it wide open once an attacker was inside. By failing to apply even fundamental security measures to protect critical data, government officials essentially gave the perpetrators the keys to the kingdom. Encryption at rest only delivers on its promise, however, when the keys are held outside the database that stores the data and every decryption is itself controlled and logged; an attacker who copies a database that sits next to its own keys has gained nothing less than before.
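The following is an added example, not code from the original article or its author, showing what "encrypt the sensitive fields and keep the key elsewhere" looks like in practice. It encrypts only the designated sensitive columns of a record, binds each ciphertext to its row and column so a value cannot be silently moved between records, and demonstrates that a copied table yields nothing to grep for without the master key. To stay dependency-free it uses an encrypt-then-MAC construction built from HMAC-SHA256 in counter mode; that is an assumption made for the example and a stand-in for a vetted AEAD such as AES-GCM, which is what production code should use. The field names, record contents and the 32-byte master key are constructed for illustration.

```python
"""Field-level encryption of sensitive record columns, key held outside the database (added example)."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32
# Constructed column names for this example; in a real system the list comes from the data classification.
SENSITIVE_FIELDS = ("ssn", "medical_history", "contacts")


def _subkeys(master_key):
    # Derive separate encryption and authentication keys from the one master key (which lives in a KMS/HSM, not the DB).
    enc = hmac.new(master_key, b"field-encryption", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"field-authentication", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher; stand-in for a real AEAD (assumption for this example).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_field(master_key, plaintext, aad):
    """Encrypt one field; `aad` is authenticated but not encrypted and ties the ciphertext to its location."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)          # fresh per field, so equal plaintexts do not look equal
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_field(master_key, blob, aad):
    enc_key, mac_key = _subkeys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext truncated")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time compare; verify BEFORE decrypting
        raise ValueError("record authentication failed: tampered, truncated, moved, or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def store_record(master_key, record_id, record):
    """Return the row as it would sit in the database: sensitive columns as hex ciphertext, the rest as-is."""
    row = {"id": record_id}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS:
            aad = f"{record_id}:{field}".encode()     # binds the ciphertext to this row and column
            row[field] = encrypt_field(master_key, value.encode(), aad).hex()
        else:
            row[field] = value
    return row


def load_record(master_key, row):
    """Inverse of store_record; raises ValueError if any sensitive column fails authentication."""
    record = {}
    for field, value in row.items():
        if field in SENSITIVE_FIELDS:
            aad = f"{row['id']}:{field}".encode()
            record[field] = decrypt_field(master_key, bytes.fromhex(value), aad).decode()
        elif field != "id":
            record[field] = value
    return record


def is_authentic(master_key, row):
    """True if every sensitive column decrypts and authenticates under this key and row id."""
    try:
        load_record(master_key, row)
        return True
    except ValueError:
        return False


def leaks_plaintext(rows, secret):
    """What an attacker who copied the table (but not the key) could find by searching the dump."""
    return secret in json.dumps(rows)
```

A row whose ciphertext is copied into another record's row, or read under a different key, is rejected by `is_authentic` rather than decrypting to garbage, and `leaks_plaintext` over the stored rows is the check that the database copy alone no longer contains the protected values.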
The days of government overlooking basic security and blatantly neglecting cyber threats that target critical assets should be long over. Cyber security is now a matter of national security, and going forward, there should be strong penalties for those who put the security of U.S. citizens at risk.
Second, the OPM breach is indicative of the technological sophistication and increasingly targeted nature of cyber threats. In this case, the attackers managed to penetrate classified databases and gain access to the private information of current and former federal workers from almost every government agency in the country, as well as information about private-sector employees. Among the targeted A-list were top Obama administration officials, including former and current cabinet members. With the information of high-level government officials at their fingertips, the hackers planned to leverage their bounty in myriad phishing, spearphishing and other “insider” attacks, according to reports. In light of high-profile assaults against Sony Pictures, JP Morgan Chase and Premera Blue Cross, and now with OPM among the mix, it’s not a stretch to assume that similar attacks employing advanced techniques will be forthcoming in the not-too-distant future.
Third, the OPM attack is part of a growing number of foreign-based cyber threats traced to Russia and China, among other places, and they will only accelerate in years to come. Officials believe that the OPM attack, like many other high-profile breaches, originated in China – and its possible source may be the same Chinese hackers that targeted Anthem, Inc., earlier this year. This is certainly not the first time that foreign nation-states have launched assaults against U.S. networks in order to gain access to classified data. And it’s becoming increasingly clear that hostile nation-states will continue to refine these attacks as part of larger cyber-espionage campaigns that further their political and financial objectives. These prolonged threats to national security will require the Obama administration to accelerate detection, expedite response efforts and make significant investments in next-generation cyber-security infrastructure designed to detect and eliminate these threats.
Finally, the OPM breach reaffirms the need for next-generation preventive and proactive security defenses. While initial reports claimed that the OPM breach was discovered in April, the attack likely dates back as early as a year before then, indicating that the perpetrators enjoyed unchallenged access to users’ highly sensitive personal data for a year or more. We are now living in a new age of cyberattacks, one in which foreign hackers and political hacktivists will relentlessly pummel U.S. networks and attack critical information. A year-long window between the start of an intrusion and its discovery is unacceptable for any organization. Both private-sector and government entities will need to expand their security environment with cyber defenses that use machine learning and data analytics to baseline what normal activity looks like for each account and system, and to flag departures from it as they happen, such as an identity that suddenly reads far more records than it ever has. Combined, these technologies can detect attacks in real time and identify threats around the clock.
In light of the vulnerable state of U.S. networks and the growing sophistication of cyber threats, it’s a matter of when – not if – government systems are attacked again. Looking back, it’s increasingly clear that damage during the OPM breach could have been mitigated – or perhaps prevented altogether — if the U.S. government had taken basic precautions and implemented appropriate security measures. However, the breach also offers an opportunity for reform – to implement new security solutions, increase awareness and put into play relevant security strategies. While we can’t change the past, we can take steps to ensure that we effectively address these threats in the future, and do our best to prevent them from occurring again.
About Dr. Muddu Sudhakar: Dr. Muddu Sudhakar is an entrepreneur and a three-time CEO in Silicon Valley. Sudhakar combines decades of experience that spans Big Data, virtualization and security. He has held leadership and management roles within companies including Caspida, VMware and Pivotal. Dr. Sudhakar holds a PhD and MS in Computer Science from the University of California, Los Angeles and holds more than 20 patents, including in information security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.