Most Federal Agencies Wouldn’t Be Able to Bounce Back from a Sony Hack

A movie poster for the movie "The Interview" is displayed outside the AMC Glendora 12 movie theater Wednesday, Dec. 17, 2014, in Glendora, Calif. Damian Dovarganes/AP

60 percent of federal agencies lack contingency plans in the event of a cyber emergency.

A file-wiping attack such as the Sony Pictures Entertainment hack could bring major federal departments to their knees, because most have no data-loss contingency plans, according to the latest figures on compliance with government cybersecurity laws. 

Further, unplugging systems to contain damage, as Sony did, would impair an agency’s ability to carry out constitutional duties, some former federal cyber leaders say.

While it is debatable whether North Korea, unaffiliated hacktivists seizing an opportunity or another entity is ransacking the entertainment behemoth’s networks, one thing is clear: Sony had shoddy disaster response procedures.

The attack reportedly used so-called wiper malicious code that destroys files. After the first signs of a breach in late November, Sony officials told employees to disconnect machines from the corporate network.

Unlike industry, the federal government is required to have backup procedures in case of a cyber emergency. That said, agencies don't always follow the rules. 

More than 60 percent of the government's major agencies do not have full contingency plans should data become unavailable, according to an annual report to Congress on the Federal Information Security Management Act.

Some departments don't know how a cyber incident would impact their business operations, many do not conduct “regular ongoing testing nor exercising of business continuity” plans, and other agencies’ standby systems are as unreliable as their primary systems, according to the assessment, which was released in May. 

"What differentiates Sony from the government is this: Sony loses the data, the shareholders are unhappy, the customers are unhappy, the employees are unhappy. If a federal government agency loses data and can’t function, they have constitutional responsibilities they may be unable to fulfill," said Sam Visner, a former National Security Agency signals intelligence chief, who now serves as a cyber and foreign affairs adjunct professor at Georgetown University.

That would mean "a real impairment in the welfare of citizens,” he added. "We ought to realize that the redundancy of data and the ability to store data -- in a way that this kind of wiping attack isn’t going to occur -- is vital."

The group taking responsibility for the Sony incursion, the Guardians of Peace, has proceeded to dump sensitive, and sometimes embarrassing, files online. The incident began around a month before the scheduled release of the Seth Rogen-helmed farce, "The Interview," in which the CIA tasks journalists with assassinating North Korean tyrant Kim Jong-un.

Amid fears of continued "cyberterrorism" and potentially physical terrorism, Sony has canceled the theatrical release of the film. Still, hackers already have posted to the Internet employees' medical records, internal emails belittling Hollywood heavyweights and unreleased movies, including an "Annie" remake.

But Feds Pay More Attention to Cybersecurity...

If a Sony-like attack hit the U.S. Patent and Trademark Office, "it would make it impossible for us to be able to arbitrate and adjudicate the information rights of the people who patented things and trademarked things," Visner said. "It’s the same kind of intellectual property to which Sony has lost access." 

Federal auditors have uncovered one bright spot in resiliency -- at the Internal Revenue Service. The tax agency has processes in place to recover data, including up-to-date contingency plans it has rehearsed, according to an April Government Accountability Office report.

In other good news, the federal government’s overall security posture is clearly stronger than Sony’s computer defenses.

Based on the leaks, Sony apparently did not encrypt important files on its network or employ much password protection, aside from allegedly creating a folder clearly marked "Password" to store companywide passwords. By contrast, 98 percent of connections to agency networks are encrypted, according to the FISMA report. More than half of agencies encrypt their email as well.

Not only does the government pay more attention to information security, it spends a lot more money on it. The motion picture company accepted cyber risks as a cost of doing business and wouldn't invest $10 million to avoid a possible $1 million loss, the executive director of information security at Sony Pictures told CIO Magazine in 2007.

Compare that to the Commerce Department, home to the Patent and Trademark Office, which paid $163 million for cybersecurity in fiscal 2013. 

... And Feds Pay More for It

Among other agencies trusted with intellectual property, cyber funding is similarly high, with Energy at $218 million; the Pentagon investing $7 billion; NASA at $86 million; and the tiny National Science Foundation shelling out $150 million. 

“Sony’s ‘information security’ team is a complete joke,” one former employee told Fusion. With a total workforce of 7,000 employees, just 11 people comprise the team.

Investigators on the case, however, say no amount of planning could have protected Sony from this criminal operation. 

"The scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither [Sony] nor other companies could have been fully prepared," Kevin Mandia, chief executive officer of cyber forensics firm Mandiant, told company executives in an internal memo. The studio has tapped Mandiant for incident response. 

Visner, now a private cyber consultant at ICF International, said highly sophisticated hacker tools would be necessary to plumb a federal agency’s data, not merely phishing emails baiting employees to click on a malicious link. 

"The federal government probably has recognized a little more quickly that cybersecurity of routine information of their enterprise clearly is at risk," he said.

Agencies handling personal information, such as the Social Security Administration and the IRS, pay heed to data security controls. 

"It doesn’t mean that they are foolproof, but I think that attempts to use phishing and other techniques to compromise passwords and gain access to administrative privileges would be less likely, not completely unlikely, to be successful," Visner said. 

U.S. government agencies have faced off with cyber intimidators in the past. Swindlers in 2009 reportedly broke into the Virginia Prescription Monitoring Program’s secure website and held ransom 8.2 million patient records and almost 36 million prescriptions. The system stores the prescription histories of patients receiving controlled substances, to prevent abuse. In that situation, the attacker purportedly froze the data using encryption. 

A message on the hacked site read:

"For $10 million, I will gladly send along the password … If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid."

The Virginia Department of Health Professions sent a notification letter to all individuals whose records in the database likely contained a Social Security number. But none of the information was lost, and the system continued to operate. 

Visner called the Virginia incident "analogous" to the Sony attack. "I think what’s interesting about that case is it was a warning shot for the rest of us to consider just how vulnerable these kinds of systems were,” he said.
