A $10 billion-a-year effort to protect sensitive government data, from military secrets to Social Security numbers, is struggling to keep pace with an increasing number of cyberattacks and is unwittingly being undermined by federal employees and contractors.
Workers scattered across more than a dozen agencies, from the Defense and Education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an Associated Press analysis of records.
They have clicked links in bogus phishing e-mails, opened malware-laden websites and been tricked by scammers into sharing information.
One was redirected to a hostile site after connecting to a video of tennis star Serena Williams. A few act intentionally, most famously former National Security Agency contractor Edward Snowden, who downloaded and leaked documents revealing the government’s collection of phone and e-mail records.
Then there was the contract worker who lost equipment containing the confidential information of millions of Americans, including Robert Curtis, of Monument.
“I was angry because we, as citizens, trust the government to act on our behalf,” he said.
Curtis, according to court records, was besieged by identity thieves after someone stole data tapes that the contractor left in a car, exposing the health records of about 5 million current and former Pentagon employees and their families.
At a time when intelligence officials say cybersecurity trumps terrorism as the No. 1 threat to the U.S. — and when breaches at businesses such as Home Depot and Target focus attention on data security — the federal government isn’t required to publicize its own data losses.
The AP review shows that 40 years and more than $100 billion after the first federal data protection law was enacted, the government is struggling to close holes without the knowledge, staff or systems to outwit an ever-evolving foe.
From 2009 to 2013, the number of reported breaches on federal computer networks — and — rose from 26,942 to 46,605, according to the U.S. Computer Emergency Readiness Team.
Last year, US-CERT responded to 228,700 cyberincidents involving federal agencies. And employees are to blame for at least half of the problems.
Last year, for example, about 21 percent of all federal breaches were traced to government workers who violated policies; 16 percent who lost devices or had them stolen; 12 percent who improperly handled sensitive information printed from computers, and at least 8 percent who ran or installed malicious software, according to an annual White House review.
“We’ll always be vulnerable to … human-factor attacks unless we educate the overall workforce,” said Assistant Secretary of Defense and cybersecurity adviser Eric Rosenbach.
Although the government is projected to spend $65 billion on cybersecurity through 2020, many experts think that’s not enough. Russia, Iran and China have been named as suspects in some attacks, while thieves seek valuable data. Only a fraction of attackers are caught.



