Advertisement

Federal government struggles against cyberattacks, review finds

 
Published Nov. 10, 2014

A $10-billion-a-year effort to protect sensitive government data, from military secrets to Social Security numbers, is struggling to keep pace with an increasing number of cyberattacks and is unwittingly being undermined by federal employees and contractors.

Workers scattered across more than a dozen agencies, from the Defense and Education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an Associated Press analysis of records.

They have clicked links in bogus phishing emails, opened malware-laden websites and been tricked by scammers into sharing information.

One was redirected to a hostile site after connecting to a video of tennis star Serena Williams. A few act intentionally — most famously former National Security Agency contractor Edward Snowden, who downloaded and leaked documents revealing the government's collection of phone and email records.

But the federal government isn't required to publicize its own data losses. To determine the extent of federal cyberincidents, AP filed dozens of Freedom of Information Act requests, interviewed hackers, cybersecurity experts and government officials, and obtained documents describing digital cracks in the system.

That review shows that 40 years and more than $100 billion after the first federal data protection law was enacted, the government is struggling to close holes.

Fears about breaches have existed since the late 1960s, when the federal government began shifting its operations onto computers. Officials responded with software designed to sniff out malicious programs and raise alarms about intruders. Yet attackers have always found a way in, exposing tens of millions of sensitive and private records.

From 2009 to 2013, the number of reported breaches just on federal computer networks — those with .gov or .mil URLs — rose from 26,942 to 46,605, according to the U.S. Computer Emergency Readiness Team. In 2013, US-CERT responded to a total of 228,700 cyberincidents involving federal agencies, companies that run critical infrastructure and contract partners. That's more than double the incidents in 2009.

And employees are to blame for at least half of the problems.

In 2013, for example, about 21 percent of all federal breaches were traced to workers who violated policies; 16 percent who lost devices; 12 percent who improperly handled sensitive information printed from computers; at least 8 percent who ran or installed malicious software; and 6 percent who were enticed to share private information, according to an annual White House review.