The Hill: Lawmakers unnerved by reports of new cyber breaches

Lawmakers in both parties say breaches reported this week at the Department of Justice and the Internal Revenue Service are the latest indication of the government’s weak defenses against cyber criminals.

While the administration has sought to downplay both incidents, some lawmakers are hitting the White House, arguing the intrusions offer further evidence that the government can’t be trusted to protect its highly sensitive networks.

“[President Obama] has neglected to take tangible steps to address these persistent cyberinfrastructure challenges,” Sen. Steve Daines (R-Mont.) said in a Wednesday statement that accused the administration of trying to sweep the IRS breach “under the rug.”

Opinion is hardly unanimous. Unlike last spring’s hack of the Office of Personnel Management, which provoked widespread criticism, some aren’t sure what to make of the latest incidents.

They say that the two breaches are unique cases that don’t necessarily point to a systemic failure on the part of the government.

“Not that these aren’t bad things that happened, I’m certainly concerned any time there’s information that’s compromised, but in these two situations, it doesn’t appear to fit in the rubric of what we generally think of as a cyberattack,” Rep. Jim Langevin (D-R.I.) told The Hill.  

Spokespersons from both the Department of Homeland Security and the DOJ provided almost identical statements to reporters that emphasized there was “no indication” of any “breach of sensitive or personally identifiable information.”

The DOJ incident stems from an anonymous hacker who claimed to have breached the Department of Justice by using a stolen email address to game an IT support employee into giving him login credentials.

Once inside the network, he purportedly stole and dumped databases of tens of thousands of FBI and Department of Homeland Security personnel. Spot-checks by various publications point to the information’s legitimacy, but neither list has been confirmed.

Then, on Tuesday, the IRS announced that identity thieves had used an automated bot in an attempt to generate phony login information, using almost half a million Social Security numbers stolen elsewhere to successfully create 101,000 PINs used to file for refunds.

Critics argue that even though these attacks weren’t sophisticated, they are worrisome.

“These weren’t incredibly sophisticated attacks. If you don’t have incredibly sophisticated attacks, then that means your defenses weren’t sophisticated,” Rep. Will Hurd (R-Texas) told The Hill.

“If the Department of Justice, under which the FBI is housed, can’t keep its secrets, then there is no reason we should have any confidence that the FBI could hold a secret encryption backdoor key because it would be stolen by hackers,” Rep. Ted Lieu (D-Calif.) said.

IRS Commissioner John Koskinen told the Senate Finance Committee on Wednesday that the attempt on the tax agency was “not a cyber breach in the sense that our database was accessed.”

“We were able to catch it quickly and shut it down equally quickly,” he said, echoing a Tuesday statement claiming that no personal taxpayer information was exposed during the attempted hack.

Not only were the Social Security numbers stolen from elsewhere, the IRS was able to detect and repel the intruders in a timely fashion — the goal of any security system.

“These are critical facts and I hope that the public understands them and any press that are here repeats them,” Rep. Elijah Cummings (D-Md.) said in defense of the agency at a House Oversight hearing on Thursday.

Langevin compared the attack to someone using a stolen credit card at a fast-food chain.

“It doesn’t sound like there’s anything IRS did wrong per se, and it wouldn’t be fair to blame IRS for the situation,” he told The Hill.

Koskinen seemed to suggest that such attempts are inevitable thanks to the lucrative bullseye on the agency’s back.

“We are attacked or pinged over a million times every day, which means that people continue to probe or push to try to get into our database,” he said Thursday.

Categorizing the DOJ intrusion is more difficult. Tricking an authorized person into providing unauthorized access — in the form of login credentials or a secret PIN, for example — is what security experts call “social engineering,” and it’s the most common form of hack, according to an industry study released this week.

Security experts say the human element is just as critical to any cybersecurity posture as a digital defense, and for some lawmakers, it’s immaterial that the hacker gained access to the DOJ through a phishing scam rather than writing a piece of code. The net effect — unauthorized access — is the same.

“Social engineering is a well-known tactic of attackers. It shows that we’re ill-prepared for this kind of attack,” Hurd said.

Security experts widely agree. Many characterize the administration’s response as political, claiming that its emphasis on the fact that the two exposed databases don’t contain sensitive information is a red herring.

The databases do include names and contact information for individuals listed as everything from contractors and special agents to intelligence analysts and technicians.

“DOJ is directing media attention to the question they want to answer,” said Jack Danahy, co-founder of the cybersecurity firm Barkly. The statement, he says, “[ignores] the fact that there appears to have been a simple and serious unauthorized access onto DOJ systems.”