The onslaught of publicly disclosed cyberattacks is becoming so overwhelming that it now is almost like background noise. For a day or two the news was dominated by a story that a small group of cyber criminals based out of Russia were allegedly able to collect around 1.2 billion usernames and passwords. The company that identified the hack, Hold Security, estimated that more than 500 million people were impacted.
The story began to recede though when Hold Security – at least initially – said that for a fee it would provide website operators with information that would enable them to determine whether they were breached. That caused more than a little skepticism, and so the story is inexorably fading from the headlines.
Buried even deeper in the media stream, however, was the disclosure of another breach. USIS, one of the U.S. government’s main providers of employment and security clearance background checks, announced recently that it had been the victim of a significant cyberattack supposedly engineered by a foreign government.
Federal law enforcement agencies are actively investigating the attack, and the Department of Homeland Security (DHS) announced that it was no longer providing employee data to USIS for background checks until it can be satisfied that such data cannot be compromised.
(Regular readers of my columns will know that such a benchmark is essentially impossible to meet.)
DHS officials noted that the personal information of some of its employees may already have been compromised, and so it had issued an alert to its entire workforce to watch for “suspicious” financial activity.
Whatever media attention the USIS breach received, it certainly caught the eye of Congress. The Chairman of the Senate Homeland Security and Governmental Affairs Committee, Tom Carper, issued a statement saying that he found the attack “deeply troubling and underscores the scary reality of how much of a target our sensitive information has become in cyberspace.”
It certainly is the case that any penetration of a government contractor by a foreign nation is troubling. However something else really troubles me about this breach – actually several things do. The disruption of fundamental government operations is very disconcerting, as is the real threat posed by the theft of personally identifiable information of government employees en masse.
Let’s start with the disruptive element here: DHS has temporarily halted sharing employee information with USIS, slowing down the clearance process for employees (and possibly contractors, depending on the scope of the USIS contract).
Keep in mind that one of the biggest complaints over the last several years has been the deep flaws in the ways the U.S. government processes security clearances and employee background checks. Fraud, waste, abuse, and, in some especially unfortunate cases, physical harm have been tied to inadequate background investigations. Reforming this process has been an obsession in Washington, with common themes of improving efficiency and timeliness of investigations encircling the discussion.
Calling a complete halt to background checks, or at least hobbling one major provider of that work, was not on that list.
At a time when the government is struggling to hire good people to battle cyber threats and friends in the private sector are unable to see important threat information because of an inability to obtain security clearances, cutting off a screening contractor will not serve the country well.
To me, then, this attack is a true disruptor, and not in a positive way.
Second, and far more worrisome, is that this breach is likely just the first step in an orchestrated espionage campaign.
Let’s start with a simple examination of possible motivations here. Assuming that a foreign government was behind this attack, one has to think that harvesting personal information about federal workers in order to commit financial fraud is not its goal (unless you are a financially strapped Stalinist dictatorship on the Korean peninsula … and even then that’s a Kim Jong Stretch).
Well, what else could be behind this attack? Getting straight to the point … this is almost certainly an attempt to create a reservoir of information with which to conduct “social engineering” cyberattacks.
As FireEye recently detailed in a report, sophisticated attackers are increasingly using these kinds of attacks to try to steal valuable information from a variety of companies. Successful attacks combine direct contact via social networks with contact via email to communicate with their intended targets and send malicious attachments.
Think about that and revisit the USIS attack. An outside contractor, responsible for background checks of federal employees, was raided by a foreign nation-state. The raid netted a huge amount of personal information, and the feds stopped sending the contractor personal information due to security worries.
I’m no rocket scientist (can’t do math, that’s why I’m a lawyer) but this smells to me like a giant espionage campaign intended to create multiple ways into federal I.T. systems. In fact it reminds me of an old spy-seduction move, immortalized by the great Warren Zevon song “Lawyers, Guns, and Money”:
I went home with a waitress the way I always do
How was I to know she was with the Russians, too?
The disruptive effect of this attack could be massive. Huge numbers of social engineering attacks are likely to occur from this event and are likely to net valuable information at some point.
This could be bad. Very bad.
So now what? A couple of things. First, listen to Senator Carper: modernize the federal government’s defenses to help protect against malicious attacks, and install sophisticated, continuous monitoring devices that can examine email and web traffic in real time for aberrant or malicious behavior. Second, do more to limit the exfiltration of data from government systems. This can include limiting employee access so that employees can reach only the information appropriate to their position.
Additionally, on the contractor side, make sure to take all appropriate steps to mitigate risks. Have plans in place to quickly respond to breaches, and recognize that purchasing cybersecurity insurance is not the answer to your prayers. One of the voices I completely trust on insurance issues is Roberta Anderson, and she will be the first one to tell you that insurance coverage for losses arising out of certain types of cyberattacks – such as one like the USIS breach where business is lost – is not an easy thing to obtain.
Let’s be clear: not every cyberattack matters and not every theft of information will have devastating consequences. However, anything that smacks of a long-term espionage campaign is worrisome, and from the looks of it, one is about to start.
As Warren Zevon sang, “Dad get me out of this.”
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he focuses on cyber security issues. He can be reached at firstname.lastname@example.org.