Go to Admin » Appearance » Widgets » and move Gabfire Widget: Social into that MastheadOverlay zone
The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.
By Chelsea Binns
December 15, 2015
Cyber crime is now the top threat facing America. Government personnel are key targets and are increasingly victimized. Actors are using stealth tactics to steal information without an employee’s knowledge. However, many cyber breaches targeting government workers are preventable. It is important for government employees to understand how their information is stolen in order to inform preventative efforts. Recent cases of employee data breaches will be discussed to illustrate the threat.
Government employees are especially vulnerable to cyber crimes. Government information security incidents have increased 1,121 percent in the last decade. Why? Many data thieves, including individual “hackers,” large organized crime groups and nation states are especially interested in obtaining government information.
Their ability to obtain this information surreptitiously is growing. Sensitive information is stolen routinely from government employees, without their knowledge. This act, cyber espionage or cyber spying, is believed to have affected more than 800 million people during 2013. Experts believe rapidly expanding technologies are to blame. According to James Clapper, the director of National Intelligence, “The world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.”
In several cases, breaches are traced back to irresponsible employee behavior. In these instances, employees were unaware they perpetuated cybercrimes. Per The Associated Press, in 2013,
“About 21 percent of all federal breaches were traced to government workers who violated policies; 16 percent who lost devices or had them stolen; 12 percent who improperly handled sensitive information printed from computers; at least 8 percent who ran or installed malicious software; and 6 percent who were enticed to share private information.”
One way government employees make themselves vulnerable to data breaches is by sending their government emails to a personal email account. Data thieves can easily obtain this information by hacking into the email account through a variety of methods, including social engineering. Ironically, employees who engage in this volatile practice risk breaching their own personal information.
This was seen in the case of CIA Director John Brennan, whose personal email account was hacked this year by a high school student. In this case, the perpetrator obtained classified agency information, which was maintained by Brennan in a personal email account. It was later learned that Brennan had “forwarded” classified documents to his private AOL email address, in violation of agency policy. One such document obtained was his 47- page application for top-secret security clearance. It has been reported the teen used social engineering methods to gain access into the email account.
Government employees also increase their vulnerability to data theft by clicking on unknown email links. Perpetrators design emails to appear legitimate, hoping employees will click on them. When they do, their data can be stolen without their knowledge. The email can release malware that steals the data. False links in emails can also bring employees to “fake” websites that steal their data. These are referred to as “phishing” emails.
A phishing email attack is believed to have caused a major United States Postal Service (USPS) data breach. In November 2014, The Wall Street Journal reported the records of more than 800,000 people, including “employees, top directors and regulators,” were exposed in a USPS hacking that was traced back to China. It was later determined that employee medical records were among the sensitive information exposed in the breach.
It was learned employees contributed to the hacking by clicking on phishing emails. Following the breach, the Inspector General (IG) for the USPS conducted a test to determine how employee behavior contributed to the hacking. The USPS IG sent emails containing false links to 3,125 Postal Service employees. Most employees, 93 percent, did not report the emails, per policy. In addition, 25 percent of employees clicked on the fraudulent email and most of those employees, 90 percent, did not report that fact to the IG.
These cases illustrate the opportunity for government employees to prevent agency data breaches. Employees are urged to exercise extreme caution when handling agency emails.
To this end, government employees should also take their agency’s training courses to learn how to best handle agency data. Employee training may have prevented the breaches at the USPS. Following their test, the USPS IG learned that most employees who “failed” had not completed the required information security training.
As illustrated, the cyber threat to government employees is serious and becoming increasingly problematic. Recent cases have demonstrated the ability of data thieves to steal government information from employees who are unaware of the risk and/or have not exercised caution when handling agency data. It is clear that employees can reduce the risk through taking simple precautions.
Author: Chelsea Binns is an assistant professor in the department of criminal justice, legal studies and homeland security at St. John’s University in New York. She can be reached at [email protected].