Security experts often say there are two types of organizations: those that know they’ve been hacked and those that don’t know it.
Their belief is supported by endless reports of big-name businesses falling victim to cyberhacks, with companies often remaining unaware of the hacks until months later. Federal agencies aren’t immune to these attacks. But can the agencies be categorized in the same manner as other organizations?
Sen. Tom Coburn, R-Okla., asked a similar question during a Sept. 10 Homeland Security and Governmental Affairs Committee meeting.
“Can you tell me which departments, major departments, of the federal government that haven't been hacked?” Coburn asked Robert Anderson Jr., the executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch.
Anderson couldn’t rattle off a list of names but expressed what many in the security field have come to believe. “I would say, and I think I agree with our current director, that if they haven't been hacked, I don't know if they haven't been hacked or we haven't realized,” Anderson said, before Coburn interjected.
“Yeah, they've all been hacked,” the senator replied.
Even if agencies think they haven't been hacked, security experts recommend they change their thinking. “All organizations should assume they’ve been hacked, or at least agree that it’s not a question of if they will be targeted for an attack, but when,” according to Cisco's 2014 Annual Report.
Coburn requested visibility into FBI data that show which agencies have not been hacked, noting that the bureau could provide the information in a secured setting or in an open session. “I'd like to see what you all see on that,” he said.
Last year, federal agencies reported 60,753 computer-security incidents to the Department of Homeland Security’s US-CERT, an increase of 26 percent over 2012, according to a published report.
Coburn didn’t harp on the issue of agencies that haven’t been hacked, but one might wonder what actions Congress would take, if any, based on the information. Would the data move Congress to pass cybersecurity legislation or enhance authorities for DHS, defender of the dot-gov domain?
A Look into DHS’ Cyberoperations
“So far this year, DHS' 24-by-7 cyberoperation center, the National Cybersecurity and Communications Integration Center, or the NCCIC, has processed over 600,000 cyberincidents, issued more than 10,000 actionable alerts, detected more than 55,000 vulnerabilities and dispatched over 78 incident-response teams for onsite technical assistance,” Suzanne Spaulding, under secretary for the DHS’ National Protection and Programs Directorate, told lawmakers.
Spaulding shared a recent success story, in which the U.S. Secret Service provided information on malware to DHS’ cybersecurity operations center for analysis.
“The results of that analysis formed the basis for an actionable alert that was distributed widely to our critical infrastructure owners and operators and led U.S. businesses to check their systems for this malware and identify and stop ongoing cyberintrusions,” Spaulding explained.
She also stressed the need for Congress to pass cybersecurity legislation or at least address areas where there is consensus, such as “codifying the cybersecurity responsibilities of the Department of Homeland Security, making it easier for DHS and the private sector to work together to mitigate cyber-related vulnerabilities and enhancing the department's ability to recruit and retain that essential cybersecurity workforce.”