Information Security Challenges Facing the Federal Government

In 2010, Vivek Kundra, then federal chief information officer (CIO), said that the government’s computers are attacked millions of times each day.2 In 2018, federal agencies reported over 31,000 information security incidents involving federal information technology (IT) systems.3 That government IT systems are frequently attacked and suffer information security incidents is not surprising. Government computer systems hold data that are critical for government operations. They hold data on people living in the United States, including employment, tax, and citizenship data. They also hold data on businesses operating in the United States, as well as data that are used to protect the United States from threats.

NOTE

You can view analytics for U.S. government websites at https://analytics.usa.gov/. At 7:00 a.m. ET on May 16, 2020, there were over 140,000 people on government webpages. The most popular websites were for the U.S. Postal Service and Internal Revenue Service.

The government faces many of the same information security challenges that private entities face. Federal IT systems and the data in them are attractive targets for criminals:

  • Hackers stole the background investigation records from the Office of Personnel Management (OPM). The sensitive personnel files on over 21.5 million current, former, and prospective federal employees and contractors were stolen, including almost 5.6 million records with fingerprints. The incident led to a congressional investigation and the resignation of some OPM leaders.
  • Thieves stole a laptop belonging to the National Institutes of Health (NIH) from a researcher’s car. The laptop held the personal information of 2,500 people involved in an NIH study.
  • Attackers illegally accessed the USAJOBS database and stole account and contact information. USAJOBS is the federal government’s employment website. The government said that the thieves did not access sensitive personal information.
  • The U.S. State Department warned 400 people about a computer security breach. The attackers stole passport application information, including Social Security numbers (SSNs). The thieves used the data to open credit card accounts.
  • Spies broke into the Pentagon’s computer systems. They stole data on the Department of Defense’s Joint Strike Fighter aircraft.

Since 1987, the U.S. government has worked to protect federal IT systems. The first law to address federal computer security was the Computer Security Act (CSA).4 Under the CSA, every federal agency had to inventory its IT systems. Agencies also had to create security plans for those systems and review their plans every year.

In 2002, Congress created the Federal Information Security Management Act (FISMA).5 It created FISMA, in part, because of the September 11, 2001, terrorist attacks in New York City and Washington, DC, which highlighted the need for better information security. FISMA recognizes that information security is crucial. It superseded most of the CSA.

Today, the Federal Information Security Modernization Act of 2014 (FISMA 2014) is the main law addressing federal government computer security protection.6 FISMA 2014 largely superseded the 2002 act. In this book, FISMA refers both to FISMA 2014 and to those provisions of FISMA 2002 that were either incorporated into FISMA 2014 or were not changed.

What Is Cyberwar?

On October 11, 2012, then U.S. Secretary of Defense Leon Panetta stated that attacks on the nation’s critical infrastructure could be “a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life.”7 Many people worry about “cyberwar” or “information warfare.” However, cyberwar does not take place on a physical battlefield, or on the sea or in the air. Instead, it is a conflict that takes place in or purposefully affects information systems.

The term cyberwar refers to conflicts between nations and their militaries. Cyberwar attacks are carried out at the direction of a particular nation. This is the main distinction between cyberwar and other types of information system attacks that are reported in the news media. Cyberwar could affect military information systems, nongovernment information systems, and private industry information systems. It includes not only threats to national security, but also threats to industry, commerce, and intellectual property. It could even include larger threats to how governments function generally. Consider these examples:

  • It is believed that Russia used many different tactics, including spreading propaganda on social media, to interfere in the 2016 U.S. national elections.8
  • The 2015 attacks on the Ukrainian power grid are largely thought to be acts of cyberwar committed by Russia.9
  • The 2014 cyberattack against U.S.-based Sony Pictures Entertainment is believed to have been ordered by the North Korean government.10

Military, government, and private information systems are connected and difficult to protect. This makes defining true acts of cyberwar very difficult. The prospect of a cyberwar between nations is every bit as concerning as a conventional war. As of the writing of this book, there are no cyberwar treaties in place. Some have been introduced between various countries, and at the United Nations, but none have been adopted or ratified.

Secretary of Defense Leon E. Panetta, “Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security, New York City” (New York, NY: Oct. 11, 2012). Available at: http://www.gao.gov/assets/660/652170.pdf (accessed February 4, 2014); BBC News, “Ukraine power cut was cyber attack.” January 11, 2017, https://www.bbc.com/news/technology-38573074 (accessed May 16, 2020); The New York Times, “The World Once Laughed at North Korean Cyberpower. No More.” October 15, 2017, https://www.nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html (accessed May 16, 2020)

This chapter focuses on how the federal government protects its IT systems and discusses many of FISMA’s provisions. You should be aware that this area of law is complex and changes often.
