The spectacular hacking assault on the federal government’s Office of Personnel Management is just part of a broader, systematic campaign against the most valuable U.S. cyber-assets, public and private, that is ongoing and likely includes operations inside classified U.S. government networks, according to a group of top-level experts on government cybersecurity consulted by Fox News.
Taken together, the hacking waves are giving U.S. adversaries the ability to be “engaged against the whole fabric of U.S. society,” one of the experts said. “Because our systems function fine in peacetime, we don’t know their capability to disrupt them. For all we know they are still there.”
The extent of the current penetration is well known in intelligence circles, he added. “The intelligence community has seen the data going out the door.”
“Our whole logistical system, for example, is Internet-enabled,” he added.
All of the experts consulted, some of whom requested anonymity, had deep knowledge of federal information systems and extensive experience in positions with oversight that extended beyond single government departments.
“I’m really worried, we’re being outmaneuvered,” one of the top-level experts, who has worked in both the Obama and George W. Bush administrations, told Fox News. “The average American person has no understanding of this.”
The same expert called the situation “shameful” and warned that the extent of the possible penetration of government databases is so deep that “it’s going to take the next Administration one to two years to get up to speed on how serious this is.”
While disagreeing with the extent of that timeline—“If a bank told us that we would shut them down”—another expert emphasized that “we need to be on a high alert for many years to come.”
“For the last two years I have been very alarmed to see the blueprint unfold,” says Theresa Payton, who served as White House chief information officer from 2006 to 2008, and now runs her own cyber-security consulting firm, Fortalice.
“When you look at the time-line of attacks, you see a systematic and thorough approach, involving criminal networks used against private as well as government intellectual property,” Payton added.
The intruders are deeply embedded, and “have shown that they can tip-toe around our sensors and detection systems for months at a time,” Payton said. “They are able to hide in corners of the network, in parts of images and files, then re-emerge.”
Hackers have become so secure under some circumstances that “we have even seen bad guys defend the network against other bad guys—turf wars.”
The vast array of personal data, ranging from the now-estimated 18 million personal files taken from the Office of Personnel Management to hundreds of millions of other personal files lifted in such high-profile cases as the hacks of JPMorgan Chase, Anthem health care, and Target, among others, has created the possibility of deeply detailed information on individuals who have not even achieved sensitive positions yet—but will.
“They now know who they need to target for the next election,” one expert told Fox News.
They will also be able to craft “some of the best deeply personalized phishing messages you have ever seen in your life” in order to gain more information and access.
“The bad guys have a big-data warehouse,” as another expert put it. “They are sharing information. They have a recruitment list. They have tradecraft, on how to deceive or defeat our systems. It will probably be used in unexpected ways.”
Moreover, all of them agreed that the Obama Administration’s response so far, including a much-touted “30-day cybersecurity sprint” to shore up security weaknesses in government computer networks, is at best merely a small beginning, and according to several, a “joke” or woefully inadequate for dealing with the magnitude of the problem that the U.S. now faces.
The group unanimously faulted the administration for failing to hold any officials accountable for the ongoing cyber-security lapses; appointing unqualified personnel (one expert called them “hacks”) to some sensitive posts; failing to provide adequate training to government employees on cybersecurity issues; and failing to insist on tough “standards of implementation” to make sure longstanding security deficiencies are solved.
“They are claiming credit for a plan, but they don’t care if anything is getting done,” one of the experts declared.
“The enormity of the problem is hard for us to get our arms around,” one said in a more charitable view. “I am not sure all heads of departments have the skill sets to deal with it.”
“Rather than a 30-day sprint, we need a 90-day period in which agencies come up with real non-negotiable lists of the most important data to be protected, followed by a rolling-out plan in 30-day increments over a year,” one said.
The experts further suggested that the Administration’s response tactic of providing credit-counselling services to affected individuals sends the wrong signal, “that this is just crime,” in the words of one. “This is different.”
Part of that difference would be new cybersecurity legislation that would mandate tougher standards and vigilance at home, and new agreements that would put real teeth in international cooperation to stamp out criminal or rogue “hackers-for-hire” operations that are blamed for major hacking incidents.
“We haven’t had new legislation in 12 years,” one expert said. Another pointed out that in May Russia and China signed a new cybersecurity agreement that includes information-sharing. “We can’t dismiss the idea that they are sharing information from us.”
The experts proposed an additional laundry list of solutions to the longstanding vulnerability problems. Among the items:
- an immediate focus on the highest-priority data assets across government that are in urgent need of protection;
- much higher emphasis on the accountability of officials for system lapses, and for failing to make improvements on tightly-controlled schedules;
- hiring so-called “ethical hackers” to test the security of remaining high-value government data-bases to see if they too have been contaminated;
- much greater government outreach to the private sector for experience with fast-reaction strategies;
- greater use of “cloud”-type centralized computing resources rather than decentralized desk systems to protect data-bases;
- fencing off of parts of the Internet for security purposes;
- a demand from some experts for greater efforts by major Internet Service Providers, or ISPs, to help root out criminal hackers;
- mandatory outside testing of software sold by vendors to the government, most of which is downloaded from a General Services Administration website, and an insistence on “much higher quality products”;
- more emphasis on the hiring of U.S. citizens as contractors and service suppliers—even though some of the most notorious hackers, like Edward Snowden, were Americans, “why add another threat point,” one expert asked;
- perhaps most controversially, greater authorization for offensive cyber-operations abroad in order to create real deterrence against assailants from powers like China and Russia. “NATO stands for no action, talk only,” one of the experts with defense experience noted. “Because we can’t prevent cyber attacks we have to deter them.”
Above all, the group agreed, the federal government needs to more openly admit the scale and seriousness of the problem—and the sluggishness of the current federal response.
“We’ve relied too long on a compliance mentality, whether we met some government standard,” said Chris Wysopal, co-founder and chief technology officer at Veracode, a Massachusetts-based cybersecurity firm. “We need to look harder at real risk and how we deal with it.”
In June, Veracode published a study based on more than 200,000 assessments that looked at the reactions of both government and the private sector in dealing with software vulnerability.
Among other things, the study noted that government agencies rated dead last among their categories for fixing the problems Veracode had already discovered, with only 27 percent of the fixes actually done.
That, like the situation at the Office of Personnel Management, “shows the whole world that other U.S. agencies are vulnerable,” Wysopal said.
“They are not going to stop.”
George Russell is editor-at-large of Fox News and can be found on Twitter: @GeorgeRussell or on Facebook.com/George Russell