01:07 GMT21 September 2020
Listen Live
    US
    Get short URL
    Year in Review: Highlights of 2015 (28)
    0 35
    Subscribe

    Cyber threats in the United States persisted in 2015 and yielded the largest cyber breach ever that affected 21.5 million Americans as the government’s measures to protect data and networks have been woefully insufficient.

    WASHINGTON (Sputnik) — In June, the US Office of Personnel Management (OPM) reported that the personal records of millions of federal government employees and retirees have been hacked, including those who have applied for security clearance. The authorities soon dismissed the OPM director, but never officially made attribution for the attack.

    The shock of the massive OPM breach led to numerous discussions on cyber protections, and in the final legislative week of the year, the US Congress is poised to pass legislation to incentivize private sector cyber threat information sharing.

    After Edward Snowden’s leaks of the National Security Agency’s (NSA) collaboration with US technology companies to carry out massive spying, privacy advocates and technology companies fought back against the push for information sharing mandates that would give US law enforcement new access to private users’ data.

    "The massive and prolonged hacking of employee records held by the Office of Personnel Management underscores the intensity of assaults on government IT systems," Central Intelligence Agency Director John Brennan said in November.

    Brennan stated that given the cyber threat environment, the US government and private sector "should be sharing a lot more information," warning that "programmatic, technical, and legal challenges, as well as concerns about privacy and the role of government have hampered progress."

    US FEDERAL GOVERNMENT HACK AT OPM

    On June 4, the OPM publicly acknowledged that its servers had been hacked, compromising the personal information of more than 21.5 million current and former federal employees. OPM described the data breach as "criminal acts committed by unknown adversaries for criminal purposes."

    Two months after the hack, OPM revealed that the fingerprints of as many as 5.6 million US federal personnel had been compromised in the hack. Detailed profiles of federal officials, including their financial histories, family and friend networks, and security clearance interviews, were also compromised.

    The breach of the government network raised new concerns about how well the US government was able to manage its own data and security. Top US industries, including finance, healthcare and technology firms spent billions of dollars in recent years to firm up their network security, the 2015 US budget cut IT spending by more than 2 percent.

    After the OPM hack, not a single high-ranking US federal law enforcement, intelligence, or administration official would state for the record who was responsible for the breach. At a June intelligence symposium, Director of National Intelligence James Clapper named China as "the leading suspect."

    In July, Homeland Security Secretary Jeh Johnson told press that in the wake of the OPM breach, he hoped the Congress would pass "cyber legislation which will give [the US government] additional authorities to do the job that we need to do."

    Before their summer recess, the Congress put the Cybersecurity Information Sharing Act (CISA) on the agenda, to boost Department of Homeland Security (DHS) cooperation with private tech companies who would be given incentives to share cyber threat data with federal law enforcement agencies.

    CYBER SECURITY INFORMATION-SHARING ACT

    As CISA was making its way through the Senate in July, privacy advocate and US Senator Ron Wyden warned the press, "If you have [cybersecurity] information sharing without vigorous privacy safeguards, millions of Americans are going to consider that to be a surveillance bill."

    In its original form, CISA drew widespread criticism. The DHS, which was to be the lead agency in charge of the information sharing, opposed CISA, arguing it "could sweep away important privacy protections."

    DHS further took aim at the bill for potentially compromising "personally identifiable information by spreading it further." By sharing information, the government would be spreading private users’ data across multiple federal agencies, ultimately exposing even more user data to the type of security failure that occurred at OPM.

    Privacy advocates, technology companies and concerned lawmakers rejected the initially broad information sharing provisions. Despite being pressed to take action following the massive OPM hack, lawmakers struck the bill from the agenda.

    By October, lawmakers narrowed down the bill and required US federal agencies to "scrub" all personal identifying user information from data before sharing it.

    The changes were satisfactory to congressional critics, private sector partners, some privacy advocates and the bill passed through the US Senate with a broad margin of support and the blessings of the Obama administration.

    The final cybersecurity legislation will be tucked into the $1.1 trillion must-pass government spending bill, which will almost certainly be signed into law at the end of this week.

    ENCRYPTION AS THE NEXT HURDLE IN CYBERSECURITY REFORMS

    Asked what the next step in cybersecurity will be for lawmakers, US House of Representatives Homeland Security subcommittee Chairman Peter King told Sputnik that "the private sector has to find a way to allow the government to break the encryption when there is a court order."

    Following the highly coordinated, but undetected terrorist attacks in Paris, France and San Bernardino, California, US homeland security hawks, members of the intelligence community and President Barack Obama himself, have all renewed their focus on private sector technology leaders providing them commercial encryption tools.

    Senate Intelligence Committee chairman Richard Burr told Sputnik that ideally, technology companies would give the US government keys to access encrypted data, but "short of that, we are going to have to figure out a way to do it either legislatively or on a cooperative level."

    Finding technology industry partners willing to provide backdoor security entrance into encrypted devices and applications may prove a difficult hurdle for the US government, despite rising public concerns over terrorism.

    In recent months, US technology leaders were hit with renewed pressure from lawmakers, intelligence and law enforcement officials, who called on them to provide encryption keys, so that secured data could be retrieved under court order or similar law.

    The Information Technology Industry Council (ITIC), a leading voice for top IT companies in the United States, warned that creating security backdoors for "the good guys would actually create vulnerabilities to be exploited by the bad guys."

    In a public statement released in November, ITIC argued against government anti-encryption efforts stating "weakening security with the aim of advancing security simply does not make sense."

    According to the most recent DHS data, US federal agencies were hit with more than 640,000 cyber-related incidents in 2014. The private sector loses billions of dollars annually from malicious cyberattacks.

    Though many of the attacks on US government targets have been characterized as traditional espionage, data theft and network penetration, officials have repeatedly raised concerns about the number of destructive cyberattacks.

    Topic:
    Year in Review: Highlights of 2015 (28)

    Related:

    EU Lawmakers Sign First Cybersecurity Deal With European Council
    CyberBerkut: Ukraine Selling Soviet-Made High Explosive Bombs to Qatar
    US, EU to Expand Cyber Security Cooperation at Summit in Washington
    Tags:
    IT, data, security, cyberattack, United States
    Community standardsDiscussion