
Pentagon data breach exposes nearly 30,000 personnel

October 15, 2018 | Expert Insights

The Pentagon has revealed that a security breach of US Department of Defense travel records may have compromised the personal information of nearly 30,000 military and civilian staffers. The department’s travel records were being maintained by an unnamed contractor.

Background

The US Department of Defense is a massive organization and the world’s largest employer with 3.2 million people on payroll including active servicemen, national guardsmen, reservists and civilians. It also has the world’s largest military budget.

The Department of Defense recently unveiled a new cyber strategy that heavily emphasized the concept of “defend forward.” The new strategy gave the US military authority to step up offensive cyber operations to deter foreign adversaries. “We must ensure the US military’s ability to fight and win wars in any domain, including cyberspace,” the strategy reads. “The Department will counter cyber campaigns threatening U.S. military advantage by defending forward to intercept and halt cyber threats and by strengthening the cybersecurity of systems and networks that support DoD missions.”

The White House also released a national cyber strategy in September that called for an enhanced focus on aggressive defence and offensive cyber operations as deterrence against increasingly sophisticated cyber attacks.

Government agencies and critical infrastructure that hold troves of sensitive information are prime targets for cyber attacks, making it vital to proactively protect their networks, systems and data against persistent and progressively sophisticated adversaries.

In 2015, the federal Office of Personnel Management suffered a massive cyber attack that compromised the personal information of more than 21 million current, former and prospective federal employees. The same year, the Pentagon’s Joint Chiefs of Staff email system was breached by Russian hackers. In 2014, suspected Russian hackers managed to infiltrate both the State Department and White House networks. More recently, Chinese hackers stole 614GB worth of highly sensitive data related to naval warfare from the computers of a Navy contractor in January and February 2018.

Analysis

The Pentagon said it is investigating a breach of US Defense Department travel records that compromised the personal information of US military and civilian personnel. An estimated 30,000 workers were potentially affected by the breach.

Lieutenant Colonel Joseph Buccino, a Pentagon spokesman, said the department is currently investigating the breach and gathering information about its size and impact. He said: “It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of personnel.

For security reasons, the department has not named the vendor that was targeted. Buccino said the vendor is still under contract, but the department “has taken steps to have the vendor cease performance under its contracts.” “The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” the department said. The military leadership was notified of the breach on October 2.

Disclosure of the breach comes just days after a federal report found that the Defense Department’s new computerized weapons systems were rife with security vulnerabilities. According to a Government Accountability Office (GAO) report, nearly all of the weapons systems tested had fundamental security vulnerabilities that allowed testers to take over systems and operate undetected. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report stated. It warned the Defense Department “likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.”

US lawmakers have repeatedly called on the military to step up efforts to address security vulnerabilities and improve its cybersecurity standards. Pentagon spokesperson Major Audricia M. Harris said: “We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our Defense Industrial Base and Defense Critical Infrastructure partners to secure critical information.”

Assessment

Our assessment is that the breach could trigger a probe from US lawmakers and further scrutiny into the cybersecurity efforts made by the Defense Department toward securing its network and systems – or lack thereof. We believe the incident also underscores the data security challenges faced by large organizations and the inherent third-party risk that comes with outsourcing data management. In light of the increasing frequency and sophistication of cyberattacks, we believe governments must prioritize cybersecurity alongside development and innovation in the interest of national security.
