Government entities continue to be the focus of cyber attacks, adding fuel to the general perception that government cannot afford the same quality of security as private industry. The most recent attack targeted personal information of Department of Justice and Department of Homeland Security staff.
Officials report that there is no indication that sensitive information had been stolen. Rather, the information accessed was likely gathered from internal government directories, including employee names, e-mail addresses, phone numbers, and job descriptions. Motherboard magazine reported that the hacker provided it with a copy of the information on February 7 and released the information within the next two days.
Rather than using an outside computer to attack the system, government officials believe that the intruder used social engineering to access the system. According to the New York Times, officials believe that the intruder impersonated a government employee to gain access to the system. This corresponds with the story the hacker told Motherboard – that the hacker first compromised the email account of a DOJ employee and then used the information to convince an FBI phone operator to provide him or her with access to the DOJ web portal.
This attack is the most recent in a long chain of attacks targeting the U.S. government. For instance, an intrusion last year that targeted the Office of Personnel Management exposed sensitive information for millions of Americans. In addition, last year, hackers compromised the e-mail accounts of CIA director John Brennan and DHS director Jeh Johnson.
These attacks continue to add fuel to the perception that the U.S. government has inadequate resources to prevent such attacks. In this case, some have argued that government staff should have been trained to spot social engineering attacks. This perception is troublesome as the DHS is the point of contact for all information shared by corporate entities in the recently enacted Cybersecurity Information Sharing Act and government-sponsored proposals on “backdoors” to encryption. Critics rightly argue that if the government cannot demonstrate adequate security measures, there is even less reason to trust that government can properly manage built-in backdoors and security keys.