Government agencies and congressional offices are vulnerable to the same kind of cyberattack that hit Sony Pictures, experts say.
Lawmakers on Capitol Hill are well aware of the growing threat online, and many tell staff to act as if everything they write in email could one day become public.
“I try to inspire my staff often that when they write an email, they write it as if it should be right on the front page of your newspaper,” said Rep. Brad Sherman (D-Calif.), whose district includes Hollywood, in an interview with The Hill.
The assault on Sony exposed humiliating internal conversations, unveiled secretive plans and caused the studio to temporarily press pause on a multi-million dollar motion picture.
During a recent congressional hearing, an FBI official estimated the tactics used in the Sony hack would have evaded 90 percent of the American government’s cyber defenses. Security researchers backed the assessment.
“The story at the federal level is horrific,” said Joe Kiniry, lead investigator for security firm Galois.
“The [government] ecosystem is massive, and therefore so are the opportunities to break into networks,” said Hitesh Sheth, CEO of the cyberattack monitoring firm Vectra. “This is absolutely a real issue.”
Security experts and current and former government officials agreed there is an aggressive effort underway to plug holes in the system.
In the last five-plus years, government agencies have taken significant steps to bolster cybersecurity, reducing entrance points for hackers, enhancing congressional email security and increasing oversight reports.
“But that’s a glacial process, and giving yourself an ‘F’ on a scorecard year after year doesn’t necessarily help you get the resources you need to address the problem,” Kiniry said.
“It’s a real challenge for government to have the budget and the skill set — the people — to keep up across the board,” said David Turetsky, a former top cybersecurity official at the Federal Communications Commission (FCC). “They try, but budgets force choices and government salaries are different than the private sector.”
It’s unlikely that email security will ever be a top priority for the government, given that large swaths of federal communication can be forced into the public domain under the Freedom of Information Act. The government’s main cybersecurity focus is, and will remain, defending the nation’s critical infrastructure, experts say.
“I don’t think what motivates the typical government employee to care about cybersecurity as they do is a personal worry that their non-classified emails, which are subject to FOIA, might get hacked,” said Turetsky, now a partner at Akin Gump Strauss Hauer & Feld. “It’s just not the reason that’s uppermost in their minds.”
But the Sony hack has shown email leaks can have serious ramifications.
Amy Pascal, head of Sony’s film division, is in hot water after emails revealed racially tinged jokes about President Obama. Other executives’ emails contained cutting insults of Hollywood stars.
“I'm not saying he's a whore, but he's a whore,” one Sony executive complained about comedian Kevin Hart, after the actor requested money to promote “Think Like a Man Too.”
The leaked emails have damaged Sony’s status with many in the industry, several film producers told The Hill.
“Does embarrassment sometimes lead to executives being fired? Absolutely yes,” said Gene Del Vecchio, a veteran entertainment marketing consultant who has worked with several major film studios.
And any sophisticated, motivated hacker could put a lawmaker or government official through the same ordeal, security experts agreed.
“It’d be fairly easy,” said Tom Kellermann, chief cybersecurity officer at security research firm Trend Micro.
Such exposure could be damaging for policymakers and regulators, whose ties with funders, lobbyists and outside companies are constantly under scrutiny.
“It doesn’t take North Korea for emails to leak and all members are well advised not to put it in writing if they don’t want it in writing,” Sherman said.
Congressional offices are regularly thwarting cyberattacks, said security experts who have spent time on the Hill. Stuart McClure, CEO of the security firm Cylance, recalled a recent visit to brief Sen. John McCainJohn Sidney McCainWhoopi Goldberg signs four-year deal with ABC to stay on 'The View' Collins to endorse LePage in Maine governor comeback bid Meghan McCain: Country has not 'healed' from Trump under Biden MORE (R-Ariz.) and his staff on cyber threats from Iran.
One McCain staffer told McClure, “I literally have the IT guys in my office every day.”
The “IT guys” on the House side in October introduced new email security measures. Anyone using House email will soon have to change their email passwords every 60 days, and more complex passwords will be required.
More broadly, the government has consolidated the number of Internet connections on its network, reducing entrance points for hackers. It has also spent years developing a real-time Internet monitoring service, dubbed “Einstein,” to detect cyber intrusions on federal networks. In recent months, the real-time component has started rolling out across select agencies.
The price tag has been steep — Einstein alone is expected to cost nearly $3 billion — and will never guarantee perfect security.
“Cybersecurity is not a destination,” said Stanley Lowe, deputy assistant secretary for the Office of Information Security at the Veterans Affairs Department. “It’s a continual process of improvement.”
There has been improvement across the board. By McClure’s measure, a “concentrated, well-funded, advanced team that was very single-minded on getting in,” could have hacked Sony’s email system in a weekend. The same team would need a month to infiltrate a Hill office’s email, he estimated.
McClure was on teams at security firm McAfee that reviewed Sony’s security systems several times over the last few years. He’s also spent considerable time on the Hill, talking security with lawmakers.
“The malaise of Sony is not present in the government,” McClure said.
But that hasn’t stopped hackers from going after federal employees. A November intrusion at the State Department briefly shut down the agency’s unclassified email system.
It’s only a matter of time, many believe, until someone makes off with those emails.
“It’s not uncommon” to see government email systems breached, said security investigator Kiniry, of Galois. “We just haven’t seen data dumps of [Sony’s] size.”