Breaking News Emails
The major data breach announced Thursday at the agency that handles security clearances and federal workers' records is only the most recent intrusion into a government system -- and almost certainly will not be the last.
Experts say the problem is twofold: Government networks are sprawling, outdated and require bureaucratic cooperation to fix. Meanwhile, federal agencies are facing attacks from sophisticated adversaries who know how to sidestep detection.
The Office of Personnel Management will send as many as four million current and former government workers notices that their personal information might have been compromised. Officials told NBC News the breach could be the biggest cyberattack in the nation's history, potentially affecting every agency of the U.S. government. U.S. officials identified China as the culprit, a charge Chinese officials vehemently denied Friday.
The disclosure of the attack against OPM, which began months ago, came just one week after the Internal Revenue Service revealed hackers had potentially accessed personal information for more than 100,000 taxpayers.
"People don’t realize that when you're talking about a government network, you're just talking about a big network -- and often the commercial side of things might be more decently funded," Bas Alberts, the head of special projects for the Federal Services Branch of cybersecurity company Immunity Inc., told NBC News.
The public tends to have a sense that government networks must be different, or at least better protected, Alberts said. But even as the Obama administration launches new cybersecurity initiatives and policies, and agency heads testify before Congress about improving security, taking actual steps to protect federal data fortresses is difficult.
"It's not even the money as much as the process involved; everything gets caught in government glue," Richard Blech, the CEO of cybersecurity firm Secure Channels, which works with several federal agencies, told NBC News.
Last year, an estimated 10 percent of government computers were still running the outdated Windows XP when Microsoft dropped support -- as it had warned for years -- in April 2014, leaving those machines vulnerable even to simple attacks.
And in April 2015, around the same time OPM discovered the attack, watchdog agency the Government Accountability Office released a report saying 23 of the 24 federal agencies -- including OPM -- "cited information security as a major management challenge for their agency" last year.
"I've worked with these guys, and you have to go through layers and layers of groups and committees to get anything done," Blech said. "It practically takes an act of Congress to change the computer system."
By the time federal agencies get approval to make changes to their networks, install the new systems and set up administrators, hackers have already had ample time to lob attacks and figure out a new way in, Blech said.
"In the meantime, do the hackers care about the laws and regulations the government has to be careful of?" Blech said. "No, they'll do what they want. And that's the problem."
Sprawling, shapeless government networks
The problem runs deeper than simple bureaucratic quagmires. Government networks like OPM's tend to grow exponentially over time, becoming larger, more sprawling and increasingly complex, said Alberts, the Immunity Inc. federal services head.
Eventually, a team is deployed to add security measures retroactively -- which is tough to do when agencies don't have a good handle on the size and scope of their networks.
"The problem is that step one is knowing your network," Alberts said. "How can you protect something if you don't know the size of it? It's like trying to find a needle in a haystack, but you don't know what the needle looks like and you don't know the size of the haystack."
"It's like trying to find a needle in a haystack, but you don't know what the needle looks like and you don't know the size of the haystack."
That's a major issue, because even advanced cyberdefense technology depends on identifying odd behavior in a network. If there's suddenly an overall burst of activity, or a strange surge in a certain part of the network, detection software will flag it as a potential attack attempt.
"It's all dependent on setting a baseline of normal behavior for your network," Alberts said. "If you don't know what's normal, you can't determine what's anomalous."
That may be why the Department of Homeland Security's EINSTEIN intrusion-detection system -- which monitors Internet traffic at federal agencies -- didn't detect the OPM attack until April 2015, by which time the agency's system was already breached.
OPM made the discovery after it had already taken steps to beef up its security system, the agency said. But Alberts isn't surprised EINSTEIN and OPM didn't detect the attack immediately.
"A sophisticated adversary will spend millions getting into that network, developing advanced malware that doesn't make a lot of noise and won't trip the wires," Alberts said. "Network defense is hard, and it's even harder to do at scale."
'Protecting the real treasure'
But it isn't all gloom.
Blech, the Secure Channels CEO, said he is heartened by his federal customers' newfound "proactive approach,"
"There's a proactive approach now," Blech said. "I don't think we're at the point where the government says, 'Wow! We have to change the entire model to fix this!' But we're getting closer."
In the meantime, Blech said, he is "mystified" the data in these federal breaches are not encrypted -- that is, the stored information isn't scrambled so it's gibberish to anyone except those who have a key to decode it. (Blech's company sells encryption solutions.)
"Hackers go after low-hanging fruit," Blech said. "Every time, it's the same story: An insider steals data or someone gets in, and all this information stored in clear text is now out there. Everyone is focused on protecting the perimeter, but the data is the real target. Why aren't we protecting the real treasure?"
Alberts of Immunity Inc. agreed the focus on keeping hackers out is shifting: "The thought model needs to be, you are not going to keep people out of your network. That's the new hotness in security."
Lawmakers have been quick to release statements about the OPM attack, either to praise the EINSTEIN program or push for legislation to move through Congress -- but even they no longer sound shocked by such breaches.
"You can have politicians getting out and saying this is outrageous, and it is," Alberts said. "But the advantage here goes to the offense, and that's the tough thing. That's why we need to act."