Retail giants aren’t the only target of hackers who infiltrate computer systems to gain access to sensitive information.
The federal government also falls victim, such as recently when the Obama administration revealed that 21.5 million people were affected by a breach at the Office of Personnel Management.
Social Security numbers and other records were stolen, and likely anyone given a government background check in the last 15 years was affected.
That’s disturbing, both because it happened and because of the ease with which the hackers were able to circumvent government security measures, cyber security expert Michael J. Daugherty says.
“The government is quick to criticize security breaches and weaknesses in the private sector, but isn’t able to shore up its own weaknesses,” says Daugherty, author of the book “The Devil Inside the Beltway: The Shocking Expose of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine and Small Business” (www.michaeljdaugherty.com).
The U.S. Government Accountability Office conducted a review this year that concluded government computers, and those of contractors that work for the government, face “an evolving array of cyber-based threats.”
“These threats can be unintentional – for example, from equipment failure, careless or poorly trained employees – or intentional,” the GAO report said.
Those intentional threats include targeted or untargeted attacks from criminals, hackers, adversarial nations or terrorists, among others. Investigators believe the OPM hack originated from China, though it’s unclear who the perpetrator was.
Often, these cyber attacks don’t have to be that sophisticated, Daugherty says. A hacker can use the email address of an employee of a federal agency to send emails with a malicious link to other employees. Those employees, thinking the email comes from someone they know and trust, open the email and the link, allowing the breach to occur.
“You would think the federal government would have better safeguards, but ultimately they are only as strong as their weakest employee,” Daugherty says. “That boils down to knowledge and training.”
Daugherty says security risks are one reason there is so much concern about Hillary Clinton using a private server for her email when she was secretary of state.
“The potential for sensitive emails to be lost is the issue,” he says. “Whether they actually were or were not lost is not the issue, so Hillary's email headache isn't going away anytime soon.”
He suggests ways that both government agencies and private businesses can defend against hackers:
• Anyone can be a target. Individual employees may think hackers target the system and that they have nothing to worry about, but that’s not the case, Daugherty says. Hackers often gain entry to a system by targeting the individuals who use that system. Employees both in government and the private sector need to be aware of that they are an important line of defense and should be cautious about opening strange emails and attachments.
• Education is critical. Government agencies and private businesses should not rely on their employees to figure out cyber security concerns and safeguards on their own. Training employees can go a long way toward helping to reduce the chances of a breach.
• Reminders never hurt. Even employees educated about the threats can slip up because being on the lookout for potential cyber breaches is just one in a long list of their responsibilities. Routine reminders – whether through an email, at staff meetings or in a newsletter or memo – can help keep employees on their toes.
“Cyber security handled poorly costs jobs, safety and billions of dollars,” Daugherty says. “It pierces into all aspects of our lives. This will be the hot topic for the remainder of the decade.”
Most worrisome is Daugherty’s observation that would appear to be on target in today’s world: Government has cyber security responsibilities in the wrong hands.
“The problem is you have the wrong people trying to defend us. You don’t send a bunch of government lawyers to defend what is really a cyber-military issue here. They are sending lawyers and regulators, like the FTC and the FCC. That’s not who should play this game. This is really a national security issue and falls under the role of the military.”