In July 2013, a hacker calling himself “Peace” uploaded a malicious string of code into computers at the US Department of Energy, the agency that oversees the American nuclear weapons programme, its power production and other vital national interests.
Peace hit the jackpot, gaining access to a trove of confidential personal data — including the names of employees, their social security numbers and their bank account details.
“YASSSS,” he typed in an online chatroom. “I AM INVINCIBLE!!! Finally shelled mis.doe.gov after over 24h.”
Prosecutors allege “Peace” is Lauri Love, a 30-year old resident of Suffolk, England. With relative ease, he and his unnamed co-conspirators gained “unlimited access” to the system and ran more than 600 queries on the DoE’s computers. The alleged hackers accessed personal information of over 104,000 current and former DoE employees by breaking in through a known — but unpatched — vulnerability in an Adobe software programme called ColdFusion.
Mr Love allegedly used the same tactic to infiltrate the Federal Reserve, Nasa, the Environmental Protection Agency, the US Army and the US Missile Defense Agency, according to three separate criminal charges. The DoE breach was one of the biggest violations of government employee data at the time — and the department’s watchdog says it could have been prevented.
“The vulnerability exploited by the attacker was specifically identified by [US software company Adobe] in January 2013,” Gregory Friedman, the DoE’s inspector-general, concluded after investigating the hack.
While serious, the breach at the DoE can hardly be called rare. Even as the US technology sector leads the world, the US government’s computer systems — including those of agencies that handle information crucial to national security — are woefully unprepared for the frequency and sophistication of today’s cyber attackers.
US agencies’ vulnerabilities have been hiding in plain sight. Last week the Obama administration admitted that hackers stole the private information of about 25m individuals through two hacks at the Office of Personnel Management, the government’s human resources arm. The second breach was the largest ever cyber attack on a US government agency. The OPM’s chief resigned last Friday.
Lawmakers see the skyrocketing number of hacks as evidence of a new cold war — one which the US is losing. Whether the attacker is a nation — China is thought to have been behind the OPM hack — or a small group like Mr Love and his associates, the enemy is often more sophisticated and more nimble than the US government. Mr Love, who has been charged by prosecutors in New York, New Jersey and Virginia but who has not yet been sought for extradition, could not be reached for comment.
China and Russia have become more aggressive in their cyber attacks, prompting US defence and intelligence officials to admit grudging admiration.
“You have to kind of salute the Chinese for what they did,” said James Clapper, director of national intelligence, referring to the OPM breaches.
An analysis by the Financial Times of dozens of reports by agency inspectors general, the Government Accountability Office and the Office of Management and Budget reveals that for years more than half of the 24 agencies required to report their cyber defences failed to take the most basic security steps. Such measures include patching software holes, using strong authentication technology and continuously monitoring systems, to help secure the data collected on employees, retired military officials and government programmes.
A review of thousands of documents and interviews with current and former government officials reveal the deep challenges facing government agencies. Most agency officials did not return repeated calls to discuss the reports’ findings or declined to comment.
“One of the central problems here is you have old stuff that just was not designed or built in an era when we had these kinds of threats,” Tony Scott, the government’s new chief information officer, told Congress this year.
The number of successful hacks of government agencies into highly sensitive information has been skyrocketing. This year, hackers accessed 100,000 tax accounts after breaking into systems at the Internal Revenue Service. A hack of the US Postal Service last year exposed the sensitive information belonging to 800,000 employees. The State Department and White House said last year that their unclassified systems were breached, officials believe, by the Russian government.
“We have to raise our level of cyber security in both the private sector and the public sector,” Michael Daniel, the White House cyber security co-ordinator, said last week.
Since 2006 the number of “incidents” at federal agencies, including phishing attempts, malware attachments and unauthorised access by employees, rose 1,100 per cent to 67,168 in 2014, according to OMB. Some of that increase, officials say, reflects the better job agencies have done in detecting attacks.
“The entire nation is now making up for 20 years of under-investment in our nation’s cyber security, in both the public and private sectors,” Andy Ozment, assistant secretary of the Department of Homeland Security, told Congress.
The Obama administration has incrementally increased IT spending for the federal government from $78.6bn in 2013 to a suggested budget of $86.3bn for 2016. For 2015, the administration initially suggested cutting the budget by about 3 per cent before it was increased. Budget wrangling with Congress and a focus on cost-cutting add to the woes.
Although more money would help, officials also note problems such as bureaucratic hurdles in hiring, a challenging procurement process and bad budgeting — tens of millions of dollars have been wasted on software upgrades that went awry.
Tom Carper, a Democratic senator from Delaware, told the FT that two laws passed last year to give agency chief information officers more authority over their IT budgets will help make “significant strides” toward modernising cyber security.
“But Congress cannot rest on our laurels when it comes to cyber security — we have more work to do. Congress should promptly authorise and fund the latest generation in cyber defence technology to make future intrusions across our government less likely,” he said.
The outdated equipment often used by US agencies means that modern cyber defence techniques such as having a “zero trust” approach in which all users, applications and devices must be verified — now a common feature in software offered by companies such as VMware, Palo Alto Networks and Cisco — do not work. Encryption is also not possible on older IT infrastructure, such as the legacy networks at OPM. Its cyber security was viewed as so poor that in the week before the latest breach, its inspector-general recommended shutting down its networks and essentially rebooting. OPM declined.
‘An intelligence bonanza’
Strong authentication is defined as requiring more than a username and password, such as a two-factor test using a login and security code or a personal identity verification card. This is now a basic procedure at many companies and is frequently used in free online services such as Gmail. Some agencies, including the State Department, Labor Department and OPM, did not implement a two-factor test, while 15 out of 24 agencies failed to have at least half of their users in compliance, the OMB said in February.
“This statistic is significant due to the fact that major cyber incidents can often be tied to a lack of strong authentication implementation,” OMB wrote in its annual report to Congress.
The layers of old technologies, far-flung operations and need for 24/7 connectivity present a host of security challenges, current and former officials say. “We’re trying to put a Band-aid on a carotid artery that’s been severed,” said an inspector-general auditor who identified flaws at the agency he audits.
Many federal agencies do not even have a handle on the basics of their IT — as was illustrated by the DoE breach, where an employee deleted a data file rather than investigate the traffic produced by Mr Love’s hack. Government reviews found that many departments did not have a grasp of how many IT systems they operated.
Even the Department of Homeland Security was found to have spotty cyber defences in some areas, especially at the Federal Emergency Management Agency, according to a December 2014 report by its inspector-general. Among other responsibilities, DHS has oversight of immigration and background checks on foreign visitors; it is also the federal agency that is supposed to help other agencies better manage their cyber risks.
US officials say China gained access to the background records of 21.5m people, their contacts overseas, their friends, their financial information and their work history in the second hack into the OPM.
“It’s an intelligence bonanza for the Chinese. Why there isn’t more outrage tells me how far we are from fixing this problem,” says Mike Rogers, a former senator who, as chairman of the intelligence committee, was an advocate for improving cyber defences. “It would take a serious effort in each [agency] to get this right, to revamp the technology, and it takes money.”
The US government, he says, has to be held accountable. “If you expose all of these people who have voluntarily filled out these forms and put their lives out there you have some responsibility [to protect the data],” says Mr Rogers, who was among those whose information was exposed.
A decade behind
Six months before Peace’s alleged hack, a unit within the DoE identified weaknesses in the compromised software. But the agency put off spending $4,200 to buy the new version, the inspector-general found. The IG calculated the breach cost at least $3.7m in credit monitoring and lost productivity.
Some agencies do not have clear lines on who is responsible for their IT, often meaning no one takes charge. And if improving cyber security interferes with the main job of an agency, those fixes often get put on the back burner.
The risks and frustration with the lack of response to repeated warnings about security flaws led Steven Linick, inspector-general for the State Department, which in addition to diplomatic relations has reams of data on visas and passports, to ask Congress for a proprietary network. “I would like to be completely separate from the department to ensure the integrity of our system,” Mr Linick said this year.
Robert Brese, who was in charge of DoE’s IT system at the time of the “Peace” hacks, bemoans the fact that the US government’s technology lags behind that of the private sector.
“The government in many places is still several years to a decade behind the best and brightest in the private sector on legacy modernisation and the building of secure, resilient systems,” says Mr Brese, who left the agency in 2014. “I don’t mean the Googles and Amazons, but longstanding companies like Ford.”