Efforts to prevent evolving cybersecurity threats of the type that resulted in a massive federal data breach in the largest cyber attack in U.S. history have been partly bogged down by congressional politics and a federal approach that the Government Accountability Office has called inconsistent.
Four million federal workers may have had their personal information compromised in the attack, which officials said could affect every agency of the U.S. government.
On Friday, the White House said the threat of cyber attacks is persistent and, while the federal government has raced to outpace would-be hackers, legislation aimed at shoring up cybersecurity is desperately needed to do more. Those proposals included measures that would improve information sharing between the private sector and federal investigators, require companies to give 30-day notice of a security breach, increase punishments for cyber crimes and create uniform standards of data breach notification laws.
“Since the president submitted those pieces of legislation in January we’ve seen very little action,” White House press secretary Josh Earnest told reporters on Friday. “We need the United States Congress to come out of the Dark Ages and join us in the 21st century.”
The House passed a measure earlier this year, which the White House supports, pushing companies to share data records with federal investigators. The Senate Intelligence Committee had previously approved a similar measure, but the full Senate has not yet voted on the legislation.
Opponents of the measure cite privacy concerns and worries about government overreach.
But while the White House sought to place some of the blame on congressional inaction, the government’s independent investigative agency said the Obama administration could also do more to improve cyber security.
In April, the same month the data breach was discovered using new tools, the Government Accountability Office released a report finding, among other things, that inspectors general at 23 of the 24 federal agencies — including the Office of Personnel Management — “cited information security as a major management challenge for their agency” in fiscal year 2014.
And “19 of 24 major federal agencies reported that deficiencies in information security controls constituted either a material weakness or significant deficiency in internal controls over their financial reporting” during that same fiscal year.
Over the past several years, GAO and agency inspectors general have made hundreds of recommendations to agencies on improving information security controls—many of which the GAO says have yet to be implemented.
“… the cyber threats facing the nation are evolving and growing, with a wide array of threat actors having access to increasingly sophisticated techniques for exploiting system vulnerabilities,” according to the GAO report. “The danger posed by these threats is heightened by weaknesses in the federal government’s approach to protecting federal systems and information, including personally identifiable information entrusted to the government by members of the public.”
Beginning Monday, approximately four million current and former government employees will be notified that their personal information — including names, Social Security numbers and birth dates — might have been hacked. The FBI is leading the investigation into the breach, which happened in December.
Rep. Adam Schiff, D-California, the top Democrat on the House Intelligence Committee, called the new attack "most shocking because Americans may expect that federal computer networks are maintained with state-of-the-art defenses."
While some U.S. officials and lawmakers identified the likely culprit as China, which has been suspected of involvement in previous government hacks, the White House did not do so on Friday.
China accused the United States of making "groundless accusations" and being "irresponsible" Friday.
China's foreign ministry spokesman Hong Lei told NBC News that it was very hard to prove who was responsible for cyber attacks and, while he stopped short of an outright denial, he said China stands “firm” against cyber attacks.
"Without the thorough investigation, you jump to a conclusion so quickly. We think it is not scientific and is irresponsible."
The compromised data was stored in a system shared by the Interior Department and the Office of Personnel Management, which screens and hires federal workers and approves security clearances for 90 percent of the federal government.
U.S. officials told NBC News that, so far, the breach doesn't appear to be the "worst-case scenario" — compromise and disclosure of the identities of the covert CIA agents.