60 percent of federal agencies lack contingency plans in the event of a cyber emergency.
A file-wiping attack such as the Sony Pictures Entertainment hack could bring major federal departments to their knees, because most have no data-loss contingency plans, according to the latest figures on compliance with government cybersecurity laws.
Further, unplugging systems to contain damage, as Sony did, would impair an agency’s ability to carry out constitutional duties, some former federal cyber leaders say.
While it is debatable whether North Korea, unaffiliated hacktivists seizing an opportunity or another entity is ransacking the entertainment behemoth’s networks, one thing is clear: Sony had shoddy disaster response procedures.
The attack reportedly used so-called wiper malicious code that destroys files. After the first signs of a breach in late November, Sony officials told employees to disconnect machines from the corporate network.
Unlike industry, the federal government is required to have backup procedures in case of a cyber emergency. That said, agencies don't always follow the rules.
More than 60 percent of the government's major agencies do not have full contingency plans should data become unavailable, according to an annual report to Congress on the Federal Information Security Management Act.
Some departments don't know how a cyber incident would impact their business operations, many do not conduct “regular ongoing testing nor exercising of business continuity” plans, and other agencies’ standby systems are as unreliable as their primary systems, according to the assessment, which was released in May.
"What differentiates Sony from the government is this: Sony loses the data, the shareholders are unhappy, the customers are unhappy, the employees are unhappy. If a federal government agency loses data and can’t function, they have constitutional responsibilities they may be unable to fulfill," said Sam Visner, a former National Security Agency signals intelligence chief, who now serves as an cyber and foreign affairs adjunct professor at Georgetown University.
That would mean "a real impairment in the welfare of citizens,” he added. "We ought to realize that the redundancy of data and the ability to store data -- in a way that this kind of wiping attack isn’t going to occur -- is vital."
The group taking responsibility for the Sony incursion, the Guardians of Peace, has proceeded to dump online sensitive, and sometimes embarrassing files. The incident began around a month before the scheduled release of the Seth Rogen-helmed farce, "The Interview," in which the CIA tasks journalists with assassinating North Korean tyrant Kim Jong-un.
Amid fears of continued "cyberterrorism" and potentially physical terrorism, Sony has canceled the theatrical release of the film. Still, hackers already have posted to the Internet employees' medical records, internal emails belittling Hollywood heavyweights and unreleased movies, including an "Annie" remake.
But Feds Pay More Attention to Cybersecurity...
If a Sony-like attack hit the U.S. Patent and Trademark Office, "it would make it impossible for us to be able to arbitrate and adjudicate the information rights of the people who patented things and trademarked things," Visner said. "It’s the same kind of intellectual property to which Sony has lost access."
Federal auditors have uncovered one bright spot in resiliency -- at the Internal Revenue Service. The tax agency has processes in place to recover data, including up-to-date contingency plans it has rehearsed, according to an April Government Accountability Office report.
In other good news, the federal government’s overall security posture is clearly stronger than Sony’s computer defenses.
Based on the leaks, Sony apparently did not encrypt important files on its network or employ much password protection, unless allegedly creating a folder clearly marked "Password" to store companywide passwords. By contrast, 98 percent of connections to agency networks are encrypted, according to the FISMA report. More than half of agencies encrypt their email as well.
Not only does the government pay more attention to information security, it spends a lot more money on it. The motion picture company accepted cyber risks as a cost of doing business and wouldn't invest $10 million to avoid a possible $1 million loss, the executive director of information security at Sony Pictures told CIO Magazine in 2007.
Compare that to the Commerce Department, home to the Patent and Trademark Office, which paid $163 million for cybersecurity in fiscal 2013.
... And Feds Pay More for It
Among other agencies trusted with intellectual property, cyber funding is similarly high, with Energy at $218 million; the Pentagon investing $7 billion; NASA at $86 million; and the tiny National Science Foundation shelling out $150 million.
“Sony’s ‘information security’ team is a complete joke,” one former employee told Fusion. With a total workforce of 7,000 employees, just 11 people comprise the team.
Investigators on the case, however, say no amount of planning could have protected Sony from this criminal operation.
"The scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither [Sony] nor other companies could have been fully prepared," Kevin Mandia, chief executive officer of cyber forensics firm Mandiant, told company executives in an internal memo. The studio has tapped Mandiant for incident response.
Visner, now a private cyber consultant at ICF International, said highly sophisticated hacker tools would be necessary to plumb a federal agency’s data, not merely phishing emails baiting employees to click on a malicious link.
"The federal government probably has recognized a little more quickly that cybersecurity of routine information of their enterprise clearly is at risk," he said.
Agencies handling personal information, such as the Social Security Administration and the IRS, pay heed to data security controls.
"It doesn’t mean that they are foolproof, but I think that attempts to use phishing and other techniques to compromise passwords and gain access to administrative privileges would be less likely, not completely unlikely, to be successful," Visner said.
U.S. government agencies have faced off with cyber intimidators in the past. Swindlers in 2009 reportedly broke into the Virginia Prescription Monitoring Program’s secure website and held ransom 8.2 million patient records and almost 36 million prescriptions. The system stores the prescription histories of patients receiving controlled substances, to prevent abuse. In that situation, the attacker purportedly froze the data using encryption.
A message on the hacked site read:
"For $10 million, I will gladly send along the password … If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid."
The Virginia Department of Health Professions sent a notification letter to all individuals whose records in the database likely contained a Social Security number. But none of the information was lost, and the system continued to operate.
Visner called the Virginia incident "analogous" to the Sony attack. "I think what’s interesting about that case is it was a warning shot for the rest of us to consider just how vulnerable these kinds of systems were,” he said.