The State Department's Reluctance To Disclose Hacking Unsettles Lawmakers
Lawmakers on both sides of the aisle demand to know why the State Department waited at least a month before disclosing its unclassified email system had been hacked. By Aliya Sternstein
After a hack on State Department networks detected at least a month ago but only revealed yesterday, U.S. officials aren't sharing much information about the potential ramifications for the agency and its employees.
Lawmakers on both sides of the aisle are demanding answers. State’s silence is somewhat at odds with the Obama administration's insistence that critical sectors, which include banking, energy and government, share information about threats and timely disclose breaches of personal information.
"I’m troubled by the fact that when federal agencies are hacked, Congress and the public seem to be the last to know," Sen. Tom Coburn, R-Okla., ranking Republican on the Homeland Security and Governmental Affairs Committee told Nextgov.
He is pushing for bipartisan legislation that would enforce stronger disclosure rules for these types of cyber events and provide citizens more transparency, Coburn said, "because the American people are often the most impacted by these events."
Rep. Elijah Cummings, D-Md., ranking Democrat on the House oversight and government reform committee, sent State Secretary John Kerry a letter requesting more details on the attack.
Cummings asked for, among other things, information on how the troublesome activity was first discovered, the manner in which employees were notified of the breach, and the types of data compromised.
"The increased frequency and sophistication of cyberattacks upon both public and private entities highlights the need for greater collaboration to improve data security," Cummings said. He recently sent similar letters to hacked companies, including Home Depot, Target, Kmart, and Community Health Systems.
State Still Mum on Hack Details
After repeated inquiries during the past week, before the breach was made public, State declined to comment on when the incident began, how long it has been going on, and the number of federal employees potentially affected.
The incident is one of many breaches with possible effects on federal personnel the government has been slow to disclose. During the past year, the Energy Department, the Office of Personnel Management, the National Oceanic and Atmospheric Administration, the U.S. Postal Service, the Nuclear Regulatory Commission, White House and State waited at least a month, oftentimes longer, to disclose breaches publicly.
As reported earlier, State's unclassified email system was compromised in September or October, at the same time as a White House network.
State’s email has been down and access to public websites was disrupted, after the department on Friday disconnected networks to improve security, officials said.
Speculation on the attackers has centered on hackers backed by a nation state, such as Russia or China.
State May Have Had Good Reasons for Waiting to Disclose Hack
On Monday, it remained unclear why State officials waited until this weekend to take offline potentially infected systems .
It's possible State waited to talk publicly and take down systems until it better understood exactly what was impacted by the cyberstrike, some security analysts said.
"The priority is not necessarily, at the point of detection, to rush out and inform—you are taking the necessary remediating steps to abate the issue," said Steve Ward, a senior director at cyber firm iSight Partners.
The first need is to investigate the extent of the potential exposure, look at the origin of attack and explore the possible motives of the adversary. For example, "What are they trying to get access to? Are they trying to colonize here? Are they trying to smash and grab?” he said.
Also, there is an advantage to spying on the spies to figure out their strategies.
"Whenever you discover a breach, you don't rush to let the bad guys know you are on to them," Ward said. "There is an element of being able to monitor activity of an adversary on your network once you have got them contained—and so you don't necessarily rush to notify."