The USGS's Office of Inspector General (OIG) released a report October 17 detailing the compromise. The employee was apparently visiting pornography sites on his government-issued laptop, which is how the malware was contracted and spread through the network.
The employee, whose name is redacted from the report, visited thousands of pornographic websites. "Many of the 9,000 web pages [redacted] visited routed through websites that originated in Russia and contained malware," the report says.
"Most of the larger porn sites are not actively trying to install malware on your device, because that would interrupt their business model of getting you to come back to the site, click and view ads, and subscribe to their premium content," web developer and technologist Chris Garaffa told Sputnik News Tuesday. "However, third-party ad networks that do not properly screen the ads they run can be exploited to serve malware along with the ad. This applies not just to porn sites but to any site with advertisements on it."
"I recommend people use a safer browser like Mozilla Firefox or Brave, along with an ad-blocker add-on like uBlock Origin to help mitigate the risks — regardless of what content they're viewing," Garaffa added.
According to the government's analysis, a number of pornographic images were saved on an unauthorized USB device and the employee's personal Android phone, which also got infected with the malware.
USGS is under the Department of Interior (DOI), which prohibits employees from viewing or distributing pornography on government computers. Employees are also banned from connecting their personal devices to government computers or networks, another rule that was violated by the employee.
The DOI conducts IT security training once a year, during which employees sign a statement saying they understand those rules. The employee attended those annual training events and the OIG "confirmed he agreed to the Rules of Behavior for several years prior."
The OIG recommended that USGS step up its monitoring of employee web usage, block pornographic websites and prevent unauthorized USB devices from being used on all employee computers. It gave USGS 90 days to indicate whether it plans on implementing those recommendations.
According to NextGov, a number of US government agencies have had similar scandals in recent history, including the Environmental Protection Agency, the Securities and Exchange Commission, the Internal Revenue Service and about a dozen others.
Representative Mark Meadows (R-NC) has on three occasions introduced legislation banning the viewing of pornography on federal government computers, NextGov notes. It isn't clear why the bills have failed to come to fruition.
"If your employer owns your phone, computer or even just the network you're connecting to, they have the legal right to monitor, log and save records of what you're typing, what websites you're visiting, the content of the emails you send — even on your personal accounts — and the right to look at your screen," Garaffa said.
"Employees should effectively keep in mind that they currently have no legal right to privacy when using a company-owned device or network," he added.