Government breaches at all-time high

Government breaches as reported by a GAO analysis show substantial growth in incidents of concern.
Written by David Gewirtz, Senior Contributing Editor

You might think this was an April Fool's gag, except it was published on April 2nd, not April 1st.

According to testimony given by Gregory C. Wilshusen, Director of Information Security Issues for the Government Accountability Office to United States Senate Committee on Homeland Security and Governmental Affairs that, and I quote, "most major federal agencies had weaknesses in major categories of information security controls."

Update: It's been my experience that smugness will almost always reach out and whack you on the backside. This article was no different. I confidently insisted that I interpreted the following charts correctly and everyone else got it wrong. Then I got this letter from Gregory Wilshusen:

I read your article that quoted my April 2 testimony on federal agencies responses to data breaches. I'd like to clarify that the number of incidents reported by federal agencies are in the thousands, not the millions as cited in your article. You apparently applied the label for the y-axis (Number of reported incidents (in thousands)) to the exact number of incidents atop each bar. In fact, the label only applies to the two digit numbers that comprise the y-axis. In reviewing the graph anew with enlightened eyes, I can understand how one might misinterpret the data. I'll check with our graphics analysts to see if there are ways to clarify the presentation of data in our graphs going forward.

Sigh. So as you'll see throughout the rest of this article, I'm redacting elements where I, oh-so-smugly, said everyone else got it wrong. Good times. Good times.

In other words, some government agency data security functions more like a sieve than a lockbox.

Some of the data the GAO presented was deeply disturbing. For example, the number of successful breaches doubled since 2009. Doubled. There's also a story inside this story, which I'll discuss later in the article. Almost all of the press reporting on this testimony got the magnitude of the breach wrong. Most reported that government security incidents numbered in the thousands, when, in fact, they numbered in the millions.

As a way of illustrating the problem, Director Wilshusen called out a few examples of situations where personal identifying information fell into the wrong hands.

The thing is, by now the various government agencies should have known better. Back in 2006, a computer was stolen from the home of a VA employee. The computer contained the personal information for 26.5 million veterans. You'd think, wouldn't you, that such an event would be a wakeup call for our various agencies.

Uh, not so much.

Take the Department of Energy. Last July, a hacked DOA system gave up Social Security numbers, birth dates and locations, bank account numbers and security questions and answers for 104,000 individuals.

The Federal Retirement Thrift Investment Board operates the Thrift Savings Plan, which is a retirement program for federal employees and veterans. In May 2012, a breach managed to steal 123,000 names, addresses, and SSNs of plan participants.

Down here in Florida, a laptop belonging to a NASA employee was stolen. It contained 2,300 names, addresses, and other personal information for NASA employees.

Of course, the government isn't alone in suffering breaches. The rate of attack by cybercriminals has increased across the board. On Thursday, April 10, Dell's Kent Shuart will join me for a webcast discussing some of these issues and just how scary they're getting.

Here are a few broad statistics taken from various data breach reports. According to the 2013Q4 Threat Report from McAfee Lab the number of malicious signed binaries found in the wild quadrupled from 2012 to 2013. Mobile malware grew three-fold. Websense reported that nasty, drive-by Web links grew more than 600 percent from 2011 to 2012.

My discussion with Kent on Thursday, "As threats become more sophisticated, so too must next generation firewalls," will spotlight a bunch of these insane growth statistics, and then look at some of the reasons older firewall tech can't stand up to the latest generation of attacks and threats. It's free and you're welcome to attend.

But while cyberattacks and breaches are increasing the world over, those getting through into our government systems are particularly disturbing. The GAO's Wilshusen told the Senate that information security incidents reported by federal agencies grew from about 30 million thousand in 2009 to over 61 million thousand in 2013.


That's staggering.

Incidents involving personal identifying information grew from about 10.5 million thousand in 2009 to over 25 million thousand last year. By the way, some press reports on this misread the GAO's charts. Update: No, apparently, they did not. For example, the Washington Free Beacon wrote about this, claiming "25,566 incidents of lost taxpayer data, Social Security numbers, patient health information." What they missed was the little notation on the chart that says "in thousands," so when they reported 25,566 incidents, what that really reads as is 25,566 x 1000 incidents.


This is an example of how the Internet echo chamber can get information very, very wrong. The Chicago Tribune, via Reuters reported the same incorrect statistic. So did InformationWeek. So did FierceHealthIT. Business Insider picked up the Reuters report and happily repeated the same statistic —which was three orders of magnitude incorrect.Update: Nope, they weren't.

This is why I always try to go to the original source material and not just repeat the crap other writers are parroting apparently misread it myself. It's more work, but it means the difference between reporting 25 thousand government breaches and 25 million government breaches. 25 thousand is disturbing. 25 million is horrifying.

The GAO also looked at how major government agencies had implemented their information security controls. It looked at the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs, the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development.

The results were not good.

All 24 had security management, configuration management, and contingency planning weaknesses. 23 had access control weaknesses, which means that just one agency had strong access controls. And 18 agencies were found to poorly segregate duties to protect against broad systemic breaches.

You will, of course, note that included among the agencies listed above is the U.S. Department of Health and Human Services, which operates Healthcare.gov and DoD, which owns the NSA.

I'm not going to dive into the disaster that is Healthcare.gov or the challenges the NSA has keeping America safe. I will simply note that these two agencies, among others, are being entrusted with more and more of our personal information and yet their parent organizations are included in the broad list of agencies that had systemic failures and were unable to meet FISMA requirements for managing data.

Broad failures in government and the press my analysis

My report to you today is showing broad failures, not just in the government, but in my analysis as well the press entrusted to keep an eye on the government. Government agencies aren't able to meet the requirements set in place to protect American citizens and their own employees.

And the press, which we rely on to keep the government honest, is too lazy to look at the original source materials, so when one reporter is incapable of reading a chart correctly, everyone else just follows along, reporting the same erroneous data as if it were real. Or one smug analyst reads the chart one way, when it's intended to have a different meaning.

To my friends and colleagues in government agencies, I say this: you are screwing up and putting Americans at risk. Get your act together.

To my friends and colleagues in the press, I say this: "uh, oops." you are missing important details that completely change the magnitude of the stories you "cover." Stop repeating every other report you see and do some original research. Heck, don't even do research. Just read the sources you're citing. If it's the Fourth Estate's job to keep governments honest, you're blowing it. You're being careless and accuracy is suffering.

To my loyal readers out there, I say this: I am finding myself more and more tired of incompetence. Call your congresscritters. Write your favorite bloggers. Do your own reading and research. We need -- for our very survival -- to keep an eye on our leaders, agencies, and even reporters to make sure we get something at least in the ballpark of truth. And keep an eye on my numbers, too. Sadly, I can also be fallible.

Discovering the three order-of-magnitude inaccuracy in the press reports really disturbed me. We're all in competition for page views, eyeballs, and attention. And we're all trying to get our stories out first. But in the quest for one or two more impressions, we're sacrificing doing our homework. So now, because of Reuters and the others who echoed them, citizens and even government officials will think that government security incidents are bad (as in thousands-bad) when, in fact, the problem is incredibly bad (as in millions-bad).

That just pisses me off. This stuff is too important to tolerate laziness. C'mon people, step up, be professionals and get your act together. And I'll try to double-check my numbers even more.

By the way, I'm doing more updates on Twitter and Facebook than ever before. Be sure to follow me on Twitter at @DavidGewirtz and on Facebook at Facebook.com/DavidGewirtz.

This story was updated on April 10 by its very egg-on-face author. Sigh.

Editorial standards