Hack highlights debate over government versus business cybersecurity

Law-enforcement officials are probing a Christmas Eve cyberattack on the international security think-tank Stratfor that exposed the personal and financial data of thousands of the firm's clients.

Over the weekend, Stratfor--which provides intelligence analysis to individuals, a variety of corporations, government agencies, and other organizations around the world--told clients that their information may have been stolen.

Since then, a "private client list" has been posted online, and some customers have reported that their credit cards had been used to donate to charity, according to The Wall Street Journal.

The charitable donations may go to waste, however, as the money will be revoked once credit-card companies verify the fraud.

"This symbolizes how you have to have your house in order before offering advice to others," said Richard Forno, cybersecurity graduate program director for the University of Maryland (Baltimore County).

As long as there are vulnerabilities, hackers will seek to exploit them, he said.

An FBI spokesman confirmed to National Journal on Tuesday that the agency is aware of the breach.

The FBI has been actively investigating Anonymous, the group believed to be behind this latest attack, for months. In July, the FBI arrested 16 people suspected of hacking PayPal on behalf of Anonymous.

"The law-enforcement investigation is active and ongoing," Stratfor CEO George Friedman said in a statement on the company's Facebook page on Sunday.

The continuing debate over how to increase national cybersecurity has revolved around the division between government- and private-sector security. While businesses seek more protections, few favor active government regulation and protection of private networks and information.

The issue is especially complicated when it comes to companies such as Stratfor that may deal in sensitive information related to government operations. In May, the country's largest defense contractor, Lockheed Martin, fought off a major cyberattack.

"When you have a major firm specializing in cybersecurity getting hacked this way, it gives you an idea of how difficult this problem is and how much ground still needs to be covered to better secure our cyber networks," Rep. Jim Langevin, D-R.I., said in an e-mail statement to National Journal.

Langevin, a member of the House Intelligence Committee and a cofounder of the Congressional Cybersecurity Caucus, said that if a company with the security expertise of Stratfor can be hacked, the threat to businesses that may be less aware is even greater.

As a consequence of the amorphous nature of the group, statements purporting to be from Anonymous have sent mixed signals about its involvement in the Stratfor incident--they both disavow and claim responsibility for the hack. Forno said that Anonymous is a group "in the loosest sense of the term," and it is unclear who is involved at any one time.

Barrett Brown, a declared spokesman for Anonymous, took to the Web on Monday to say that the attack's main goal was to expose e-mails documenting a "state-corporate alliance" between government agencies and defense companies.

"Stratfor was not breached in order to obtain customer credit-card numbers, which the hackers in question could not have expected to be as easily obtainable as they were," Brown wrote in an online post. "Rather, the operation was pursued in order to obtain the 2.7 million e-mails that exist on the firm's servers. This wealth of data includes correspondence with untold thousands of contacts who have spoken to Stratfor's employees off the record over more than a decade."

As of Tuesday, Stratfor's main website featured a message saying it is "currently undergoing maintenance."

Friedman said that Stratfor has hired "a leading identity-theft protection and monitoring service" to help clients as well as "an experienced outside consultant" to help beef up security.

Besides donating to charities, Anonymous called for the release of Pfc. Bradley Manning, the Army soldier accused of giving classified documents to WikiLeaks. In addition to financial data, the attack also exposed reams of company e-mails.

In October, a report by the Internet security firm Symantec and the National Cyber Security Alliance said that companies with fewer than 500 employees are often ill-prepared to prevent cyberattacks, even though nearly half of attacks are aimed at small businesses.

Federal Communications Commission Chairman Julius Genachowski has called small businesses "low-hanging fruit" for hackers, and the agency has led an effort to educate small businesses about how to better protect against cyberthreats.