Government breaches at all-time high

Summary: Government breaches as reported by a GAO analysis show substantial growth in incidents of concern.

You might think this was an April Fool's gag, except it was published on April 2nd, not April 1st.

According to testimony given by Gregory C. Wilshusen, Director of Information Security Issues for the Government Accountability Office, to the United States Senate Committee on Homeland Security and Governmental Affairs, and I quote, "most major federal agencies had weaknesses in major categories of information security controls."

Update: It's been my experience that smugness will almost always reach out and whack you on the backside. This article was no different. I confidently insisted that I interpreted the following charts correctly and everyone else got it wrong. Then I got this letter from Gregory Wilshusen:

I read your article that quoted my April 2 testimony on federal agencies' responses to data breaches. I'd like to clarify that the number of incidents reported by federal agencies is in the thousands, not the millions as cited in your article. You apparently applied the label for the y-axis (Number of reported incidents (in thousands)) to the exact number of incidents atop each bar. In fact, the label only applies to the two-digit numbers that comprise the y-axis. In reviewing the graph anew with enlightened eyes, I can understand how one might misinterpret the data. I'll check with our graphics analysts to see if there are ways to clarify the presentation of data in our graphs going forward.

Sigh. So as you'll see throughout the rest of this article, I'm redacting elements where I, oh-so-smugly, said everyone else got it wrong. Good times. Good times.

In other words, some government agency data security functions more like a sieve than a lockbox.

Some of the data the GAO presented was deeply disturbing. For example, the number of successful breaches doubled since 2009. Doubled. There's also a story inside this story, which I'll discuss later in the article. Almost all of the press reporting on this testimony got the magnitude of the breach wrong. Most reported that government security incidents numbered in the thousands, when, in fact, they numbered in the millions.

As a way of illustrating the problem, Director Wilshusen called out a few examples of situations where personal identifying information fell into the wrong hands.

The thing is, by now the various government agencies should have known better. Back in 2006, a computer was stolen from the home of a VA employee. The computer contained the personal information for 26.5 million veterans. You'd think, wouldn't you, that such an event would be a wakeup call for our various agencies.

Uh, not so much.

Take the Department of Energy. Last July, a hacked DOE system gave up Social Security numbers, birth dates and locations, bank account numbers, and security questions and answers for 104,000 individuals.

The Federal Retirement Thrift Investment Board operates the Thrift Savings Plan, which is a retirement program for federal employees and veterans. In May 2012, a breach managed to steal 123,000 names, addresses, and SSNs of plan participants.

Down here in Florida, a laptop belonging to a NASA employee was stolen. It contained 2,300 names, addresses, and other personal information for NASA employees.

Of course, the government isn't alone in suffering breaches. The rate of attack by cybercriminals has increased across the board. On Thursday, April 10, Dell's Kent Shuart will join me for a webcast discussing some of these issues and just how scary they're getting.

Here are a few broad statistics taken from various data breach reports. According to the 2013 Q4 Threats Report from McAfee Labs, the number of malicious signed binaries found in the wild quadrupled from 2012 to 2013. Mobile malware grew three-fold. Websense reported that nasty, drive-by Web links grew more than 600 percent from 2011 to 2012.

My discussion with Kent on Thursday, "As threats become more sophisticated, so too must next generation firewalls," will spotlight a bunch of these insane growth statistics, and then look at some of the reasons older firewall tech can't stand up to the latest generation of attacks and threats. It's free and you're welcome to attend.

But while cyberattacks and breaches are increasing the world over, those getting through into our government systems are particularly disturbing. The GAO's Wilshusen told the Senate that information security incidents reported by federal agencies grew from about 30 [struck: million] thousand in 2009 to over 61 [struck: million] thousand in 2013.

[GAO chart 1: information security incidents reported by federal agencies, 2009 to 2013]

That's staggering.

Incidents involving personal identifying information grew from about 10.5 [struck: million] thousand in 2009 to over 25 [struck: million] thousand last year. By the way, some press reports on this misread the GAO's charts. Update: No, apparently, they did not. For example, the Washington Free Beacon wrote about this, claiming "25,566 incidents of lost taxpayer data, Social Security numbers, patient health information." What they missed was the little notation on the chart that says "in thousands," so when they reported 25,566 incidents, what that really reads as is 25,566 x 1000 incidents.

[GAO chart 2: reported incidents involving personally identifiable information, 2009 to 2013]

This is an example of how the Internet echo chamber can get information very, very wrong. The Chicago Tribune, via Reuters, reported the same incorrect statistic. So did InformationWeek. So did FierceHealthIT. Business Insider picked up the Reuters report and happily repeated the same statistic, which was three orders of magnitude incorrect. Update: Nope, they weren't.

This is why I always try to go to the original source material and not just [struck: repeat the crap other writers are parroting] apparently misread it myself. It's more work, but it means the difference between reporting 25 thousand government breaches and 25 million government breaches. 25 thousand is disturbing. 25 million is horrifying.
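The chart mix-up above comes down to one question: does the "(in thousands)" on the y-axis also apply to the exact number printed above each bar? Here is an added example (not from the article or the GAO report) that settles it mechanically by checking the printed label against where the bar actually sits on the axis. The 2013 labels (61,214 and 25,566) are the ones quoted on the page; the bar heights are assumed approximations read off the charts.

```python
# Added example: infer whether a bar's printed data label is a raw count or is
# expressed in the y-axis unit, by comparing it with the bar's height on the axis.
from dataclasses import dataclass

AXIS_UNIT = 1_000  # y-axis label: "Number of reported incidents (in thousands)"


@dataclass(frozen=True)
class Bar:
    year: int
    height_axis_units: float  # where the bar top sits on the y-axis, e.g. ~61.2
    printed_label: int        # the exact number printed above the bar, e.g. 61214


def label_scale(bar: Bar, axis_unit: int = AXIS_UNIT, tolerance: float = 0.05) -> str:
    """Return 'raw' if the label is a plain count matching the bar height,
    'axis_units' if it only matches after multiplying by axis_unit,
    or 'inconsistent' if neither reading fits within the tolerance."""
    bar_value = bar.height_axis_units * axis_unit  # bar height as an incident count
    allowed = tolerance * bar_value
    if abs(bar.printed_label - bar_value) <= allowed:
        return "raw"
    if abs(bar.printed_label * axis_unit - bar_value) <= allowed:
        return "axis_units"
    return "inconsistent"


def incidents(bar: Bar, axis_unit: int = AXIS_UNIT) -> int:
    """Incident count implied by a bar, using the inferred label scale."""
    scale = label_scale(bar, axis_unit)
    if scale == "raw":
        return bar.printed_label
    if scale == "axis_units":
        return bar.printed_label * axis_unit
    raise ValueError(f"label {bar.printed_label} does not fit bar height {bar.height_axis_units}")


# Constructed sample bars: labels from the page, heights assumed from the charts.
TOTAL_2013 = Bar(2013, height_axis_units=61.2, printed_label=61_214)
PII_2013 = Bar(2013, height_axis_units=25.5, printed_label=25_566)
# The "millions" reading the article originally made, expressed as a label:
MISREAD_2013 = Bar(2013, height_axis_units=61.2, printed_label=61_214 * AXIS_UNIT)

if __name__ == "__main__":
    for bar in (TOTAL_2013, PII_2013, MISREAD_2013):
        print(bar.printed_label, "->", label_scale(bar))
```

For the GAO bars the function returns "raw", and the 61,214,000 reading is flagged as inconsistent because a bar of that size would tower a thousand times above the axis.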

The GAO also looked at how major government agencies had implemented their information security controls. It looked at the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs, the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development.

The results were not good.

All 24 had security management, configuration management, and contingency planning weaknesses. 23 had access control weaknesses, which means that just one agency had strong access controls. And 18 agencies were found to poorly segregate duties to protect against broad systemic breaches.

You will, of course, note that included among the agencies listed above is the U.S. Department of Health and Human Services, which operates Healthcare.gov and DoD, which owns the NSA.

I'm not going to dive into the disaster that is Healthcare.gov or the challenges the NSA has keeping America safe. I will simply note that these two agencies, among others, are being entrusted with more and more of our personal information and yet their parent organizations are included in the broad list of agencies that had systemic failures and were unable to meet FISMA requirements for managing data.

Broad failures in government and [struck: the press] my analysis

My report to you today is showing broad failures, not just in the government, but in my analysis as well [struck: the press entrusted to keep an eye on the government]. Government agencies aren't able to meet the requirements set in place to protect American citizens and their own employees.

And the press, which we rely on to keep the government honest, is too lazy to look at the original source materials, so when one reporter is incapable of reading a chart correctly, everyone else just follows along, reporting the same erroneous data as if it were real. Or one smug analyst reads the chart one way, when it's intended to have a different meaning.

To my friends and colleagues in government agencies, I say this: you are screwing up and putting Americans at risk. Get your act together.

To my friends and colleagues in the press, I say this: "uh, oops." [struck: You are missing important details that completely change the magnitude of the stories you "cover." Stop repeating every other report you see and do some original research. Heck, don't even do research. Just read the sources you're citing. If it's the Fourth Estate's job to keep governments honest, you're blowing it. You're being careless and accuracy is suffering.]

To my loyal readers out there, I say this: I am finding myself more and more tired of incompetence. Call your congresscritters. Write your favorite bloggers. Do your own reading and research. We need -- for our very survival -- to keep an eye on our leaders, agencies, and even reporters to make sure we get something at least in the ballpark of truth. And keep an eye on my numbers, too. Sadly, I can also be fallible.

Discovering the three-orders-of-magnitude inaccuracy in the press reports really disturbed me. We're all in competition for page views, eyeballs, and attention. And we're all trying to get our stories out first. But in the quest for one or two more impressions, we're sacrificing doing our homework. So now, because of Reuters and the others who echoed them, citizens and even government officials will think that government security incidents are bad (as in thousands-bad) when, in fact, the problem is incredibly bad (as in millions-bad).

That just pisses me off. This stuff is too important to tolerate laziness. C'mon people, step up, be professionals and get your act together. And I'll try to double-check my numbers even more.

By the way, I'm doing more updates on Twitter and Facebook than ever before. Be sure to follow me on Twitter at @DavidGewirtz and on Facebook at Facebook.com/DavidGewirtz.

This story was updated on April 10 by its very egg-on-face author. Sigh.

About

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Talkback

  • One problem is...

    NO ONE is held accountable... ever! The good ole boy clubs of the agencies stash and just move around screw ups.
    SpankyFrost
  • Thanks

    David,

    Thanks for reading the chart correctly. I have seen too much lazy press reporting in fields where I have competency, where a little research, knowledge, and work would lead to a much more accurate report. Getting the magnitude correct is the first part of understanding the problem you called (correctly) horrifying.

    I calculated that there are 70,000 breaches per day.
    Linux_Lurker
  • My guess is funding (or lack thereof)

    There are likely insufficient funds being allocated to the various government agencies by Congress. Secondarily, the administrators responsible for allocating funds within their own agencies may not be allocating sufficient funds to their own IT staff.

    Another statistic with a security impact: the U.S. government is way behind in its upgrade of PCs from Windows XP:

    http://www.washingtonpost.com/business/technology/government-computers-running-windows-xp-will-be-vulnerable-to-hackers-after-april-8/2014/03/16/9a9c8c7c-a553-11e3-a5fa-55f0c77bf39c_story.html

    with hundreds of thousands of PCs still on Windows XP.

    In addition, there aren't enough qualified security analysts to go around, which means that they can command relatively high salaries, benefits, etc. The U.S. government is likely having trouble attracting and keeping qualified security analysts on staff as it's competing with the private sector for a relatively small pool of talent.

    With a current national debt of approximately $17 trillion U.S., I wouldn't be too hopeful.

    Now, what excuse can the private sector use for its own security breaches?
    Rabid Howler Monkey
  • We need the original data...

    Sorry David, as a heavy user of spreadsheets and graphing, I would say that your interpretation of this may be off. The y-axis scale is marked by two-digit numbers, and the label says it is in thousands. That label is referring only to the y-axis scale. The individual bar labels are the precise number (not in thousands) of occurrences. This is frequently done on charts; the bars give the overall impression of trends, but you could not find the exact number (is the bar at 60 or 61 or 61.5....?), thus you label the exact value for each x-axis category (year). Therefore, in the first graph, the value for 2013 of approximately 60 on the y-axis multiplied by 1,000 is obviously 60,000. Looking at the value above the bar shows the precise value of 61,214.
    CTOSea
    • And that is why axis labeling should be done properly.

      In the scientific papers I have read, the axis labels are written along the axis they refer to.

      The way this chart is written it is as a title to the chart.
      jessepollard
      • re: And that is why axis labeling should be done properly.

        I would basically agree that it would have been better (clearer) to have the label run parallel to the Y-axis. However, close examination would show this label is referring to the y-axis values; if it is only referring to the title, what would the y-axis label be?

        The point stands, I think, that indeed the 61,214,000 incidents in 2013 David calculates would OVERSTATE by several orders of magnitude.
        CTOSea
  • The main problem is . . .

    The Government is your Friend and you allow them to do what?!
    JTONLY