Data breaches aren’t uncommon today, and according to a recent report from Comparitech, the United States government suffered at least 87 such breaches last year, which affected more than 3.3 million people. Based on an average cost of $146 per affected record, the researchers at Comparitech estimated that the breaches cost government agencies and other entities almost $487 million just last year.

The good news is that there was a 25% year-on-year decrease in the number of breaches that specifically targeted government entities – down from 116 in 2019. However, the number of records impacted by such cyberattacks actually increased by more than 110%, up from 1.6 million in 2019. The research suggested that while there may have been fewer breaches in 2020 – and it is unclear at this point how the pandemic may have played a role, if at all – even with fewer breaches, these were far more disruptive and costly.

State of the States

According to the Comparitech data, Florida had the most breaches last year, with seven in total, which impacted 484,321 people. The State of Washington had only four breaches, but it had the most records affected, at more than 1.6 million, resulting in the largest loss at $234,928,746.

Additionally, Wyoming suffered only a single data breach, but it impacted 28% of residents in The Equity State. The breach of the Wyoming Department of Health resulted in 164,021 people’s COVID-19 test results being released. In this case, it wasn’t especially critical, but it reportedly occurred when a workforce member inappropriately handled health information and uploaded it to both private and public online storage locations.

Nearly one quarter of the government breaches last year impacted cities. In total, 19 cities suffered cyber breaches, which impacted 176,994 people. The worst was in the City of Independence, MO, which was hit by a ransomware attack that impacted the city’s systems and compromised more than 113,000 records.

Government Efforts Failing?

The question is why this is happening in what is arguably one of the most advanced countries on the planet.

“The United States is extremely capable from both a technology and skills perspective,” said Purandar Das, president and co-founder of data security platform Sotero. “They have led in many areas of technology and security innovation. They have also been successful in many cyber operations against hostile states and criminal gangs.”

However, the number of breaches suggests more can be done. Can anyone really trust the government to protect their data?

“The broader question is probably, can you trust anyone with your data,” Das told ClearanceJobs, adding bluntly, “The short answer is no. Before we get to why you shouldn’t or can’t trust the U.S. government with your data, here are two thoughts to consider. This country has never prioritized the protection of consumer data. The commercial economy is built on enabling access to troves of information that is used commercially. The laws have been slanted for many decades to facilitate this. Add onto this that the penalties for losing access to consumer or customer information have been nonexistent. Second, as the tech economy evolved, security and privacy were never really considerations.”

Technology and software have evolved at an exponentially faster pace than security and privacy practices, warned Das.

“The end result is that security is being retrofitted to very complex products, platforms and operations,” he noted. “There really isn’t much of a choice. Starting with understaffed teams, lack of skills and antiquated technology. Training and education are lacking as well. The government clearly hasn’t done enough as evidenced by the recent executive order and funding activity. The administration is now attempting to accelerate activity around cyber security and modernizing technology platforms.”

What Can the Government Do?

Efforts are being made to address the issue, but in addition to understaffed and underfunded government entities, there is also the issue of antiquated equipment. The private sector struggles to keep pace with the latest hardware advances, and the government – as the nation’s largest employer – often plays catch-up.

However, legacy hardware is just one part of the problem.

“There is also plenty of knowledge gained over time as to securing them and supporting secured data movement,” said Tom Garrubba, vice president and member-led expert in risk management best practices at security research firm Shared Assessments.

“Certainly if older networks pose vulnerabilities that cannot be addressed, then they must be replaced,” Garrubba told ClearanceJobs.

“Public/private partnerships are a two-way street and the government needs to understand the private sector possesses deep knowledge in addressing such threats and identify these organizations and seek out their expertise,” Garrubba added. “And if they aren’t already, the government should consider utilizing their own white hacking resources to periodically test these networks and their critical systems to ensure the security settings, processes and procedures are up to today’s standards. Additionally, with regards to funding such upgrades to government networks and technology, these should be categorized as ‘infrastructure’ and properly earmarked in future infrastructure bills.”

Just as Rome – or Washington, D.C., for that matter – wasn’t built in a day, the government’s solution to these all-too-common breaches could take time to resolve.

“It will take a lot of money and a lot of work to catch up,” warned Das.

Yet it could also present opportunities for those with the right skill sets, including cybersecurity.

“Bringing the skills, technology and knowledge to bear would be invaluable,” Das added.

Finally, the greatest solution could be greater efforts from American law enforcement. Cyber should be seen as critical infrastructure and data as a component of it.

“Identifying and eliminating criminal gangs that are targeting U.S. entities is one area the government could help,” suggested Das. “Another would be to start applying financial and other sanctions on countries that harbor these criminal gangs. The administration has started to do this both behind the scenes and publicly.”

 


Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com.