The Washington Post reports that a bureau of the Commerce Department has suffered a major cybersecurity breach that has put it into the “bureaucratic Dark Ages”:
The virus struck in an e-mail 81 days ago, flagged by a federal team that monitors cyberthreats. The target was a small job-development bureau in the Commerce Department. The infiltration was so vicious it put Commerce’s entire computer network at risk.
E-mail? Gone. Attachments, scans, Google searches? Until further notice, no such thing.
Employees became reacquainted with their neighborhood post office and the beep-squeak-hiss of the fax spitting out paper. The must-have office supply became toner for the machine.
Twelve weeks offline and the longest intrusion into a federal network in recent history is still wreaking havoc.
This is not the first indicator of cybersecurity problems at Commerce, or within federal government departments more broadly. According to the Post, “Cyber-experts have repeatedly pointed to a lack of system security at the Commerce Department. The agency’s IT systems ‘are constantly exposed to an increasing number of cyber attacks, which are becoming more sophisticated and more difficult to detect,’ Inspector General Todd J. Zinser wrote last year.”
Meanwhile, CIO recently noted that the Department of Defense’s networks had been “completely compromised,” and that the IRS has “failed to resolve known cybersecurity issues” for the sixth year in a row. Of course, the State Department’s challenges with regard to WikiLeaks are well known.
However, the news about the Commerce bureau hack will catch particular attention as Congress debates various bills aimed at enhancing cybersecurity in the private sector, with Commerce Secretary John Bryson taking a leading role in championing bipartisan legislation empowering the Department of Homeland Security to regulate private firms’ cybersecurity efforts.
Of Commerce’s own 12-week-old hack that continues to leave staff unable to use email, Bryson told the Post, “We don’t yet have any deeper understanding of what happened… But we have the best resources in the federal government looking into this.”
That statement has in turn provoked some questions about whether the federal government is properly equipped to regulate cybersecurity efforts by business, or whether, under cybersecurity legislation, government’s role should instead be restricted purely to information-sharing, the apparent preference of Business Roundtable, the Chamber of Commerce, the National Association of Manufacturers, Tech America and U.S. Telecom.
Currently, the constituent parts of cybersecurity legislation are being heavily debated in both the House and the Senate, as legislators work to tackle an important, but potentially tricky, issue.
In a conference call with reporters on Tuesday morning, Rep. Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.) emphasized the importance of tackling cybersecurity using an information-sharing approach. That is the same approach endorsed by Sen. John McCain (R-Ariz.) and Reps. Mary Bono-Mack (R-Calif.) and Blackburn (R-Tenn.), but contrasts with the regulatory approach preferred by the Obama administration, Sens. Lieberman (ID-Conn.) and Collins (R-Maine) and Rep. James Langevin (D-R.I.).