Last week, Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security (DHS), informed a conference of information security experts that the department was just two weeks away from beginning to enforce CISA. Now, just seven days later, it has been revealed that the DHS and the Department of Justice (DoJ) have suffered a worrying penetration at the hand of cyber criminals.
CISA, the highly opposed spy legislation signed into action last December, will mean that select firms must cooperate with the US government by giving up the private communications of US citizens under the guise of national security. A move that has been opposed time and time again by digital privacy advocates and large tech firms alike.
Now, as we approach the final hurdle before that terrible legislation is brought into effect, hackers have once more demonstrated that the US government is not able to keep safe the private data that it will soon begin to collect from private companies. Commenting on the version of CISA passed in December Senator Ron Wyden had the following to say,
‘This misguided cyber legislation does little to protect Americans’ security, and a great deal more to threaten our privacy than the flawed Senate version. Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers’ private data with only cursory review.
It contains substantially fewer oversight and reporting provisions than the Senate version did. That means that violations of Americans’ privacy will be more likely to go unnoticed. And the Intelligence Authorization bill strips authority from an important, independent watchdog on government surveillance, the Privacy and Civil Liberties Oversight Board. This will make it easier for intelligence agencies — particularly the CIA — to refuse to cooperate with the Board’s investigations.’
Unsurprisingly, US officials are attempting to downplay Sunday’s attack, in which hackers are claiming that the sensitive details of 20,000 Department of Justice employees (including FBI officers) and 9,000 Homeland Security employees have been stolen. Despite the apparent severity of the penetration, cyber security experts were quick to point out that those numbers were tiny in comparison to what was lost last year at the Office of Personnel Management (OPM) hack.
Department of Justice spokesman Peter Carr made the following statement,
‘The department is looking into the unauthorized access of a system operated by one of its components containing employee contact information. This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information. The department takes this very seriously and is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation.’
The hacked data, including a DHS personnel directory, was published to an encrypted website 7 pm EDT on Sunday, with the password lol. Within the file’s contents, the phone numbers and emails of employees that had not worked at DHS in many years – demonstrative of servers that are not processed regularly and kept up to date for security purposes.
According to the hacker, the attack was orchestrated by first gaining control of a DOJ employees email account. After failing to access the DOJ web portal from that email, the hacker made a telephone call to DOJ. ‘I called up, told them I was new, and I didn’t understand how to get past [the portal]. They asked if I had a token code, I said no, they said that’s fine—just use our one.’ claimed the hacker in an email sent from the DOJ email address.
As part of Sunday’s data dump, the unknown hacker made promises to release further data on Monday and true to their word, even more, DOJ employee details were released yesterday – apparently including some current telephone numbers. Motherboard did try to call some of those numbers, but despite trying were not able to actually get through to anyone. One that was listed as an FBI agent, for instance, did go through to a voicemail box – but not for the listed FBI agent.
Interestingly, and perhaps telling of the motivations behind the hack, the data dump was accompanied by pro Palestinian slogans. These included the hashtag #FreePalestine and a lyric by British rapper Lowkey that says: ‘This is for Palestine, Ramallah, West Bank, Gaza, This is for the child that is searching for an answer.’
Despite trying to downplay the severity of the hack at a government meeting on Monday (in which an official attempted to pass off the material stolen as inconsequential due to its age), the truth remains that the hack is highly embarrassing. Especially in light of the department’s coming responsibilities, which thanks to CISA, will see the department officially handling more private US citizen’s data than ever before.