While hackers make the headlines for big breaches, or turns out federal employees and contractors are the ones most responsible for cyber-related security incidents since 2010.
Workers and contractors in more than a dozen agencies from the Defense and Education departments to the National Weather Service were responsible for more than half of cybersecurity breaches in the federal government, according to an Associated Press analysis of records. These incidents were caused by clicking on links in phishing emails, opening websites with malware, losing equipment with sensitive information and other common tactics used by attackers to gain access to computer systems.
The $10 Billion Problem
The findings are particularly troublesome since intelligence officials now say cybersecurity is the top threat to the U.S. The federal government spends approximately $10 billion each year to protect sensitive government data, yet still lacks the knowledge, staff or systems to protect critical computer infrastructures.
According to an annual White House review, last year about 21 percent of all federal breaches were due to government workers who violated policies; 16 percent were from employees who lost devices or had them stolen; 12 percent were those who improperly handled sensitive information printed from computers; more than eight percent ran or installed malicious software; and 6 percent shared private information.
Since 2006, there have been more than 87 million sensitive or private records exposed by breaches of federal networks says Privacy Rights Clearinghouse, which tracks cyberincidents at all levels of government through news, private sector and government reports.
The U.S. Postal Service is the latest example, with a breach in November that could have compromised confidential data of 800,000 people, including employees, top directors and regulators. Names, Social Security numbers and addresses may have been exposed. Last month a breach of unclassified White House computers was thought to be the work of hackers working for Russia. The incident wasn’t reported by officials, but rather the Washington Post.
The big phish
From 2009 to 2013, breaches on federal computer networks with the domain names .gov and .mils increased from 26,942 to 46,605 says the U.S. Computer Emergency Readiness Team (US-CERT). US-CERT responded to 228,700 cyberincidents involving federal agencies last year – double the number incidents in 2009.
The U.S. Postal data that was collected could be used to launch secondary phishing attacks or to help gain information about government cyber defenses, said Edward Ferrara, vice president at Forrester Research.
“No matter what we do with the technology … we’ll always be vulnerable to the phishing attack and … human-factor attacks unless we educate the overall workforce,” said Eric Rosenbach, Assistant Secretary of Defense for Homeland Defense and Global Security, in the AP story.