EXCLUSIVE: In 2014, a single U.S. government agency was hit with a blizzard of more than 1,370 external attacks on its most vital computer systems, with three out of every eight incidents resulting in a loss of data, according to a new report by the watchdog Government Accountability Office, suggesting hackers have been far more successful at getting at sensitive government information than previously disclosed.
The highly besieged agency was not named in the report, which was given to government officials in May and made public last week. GAO officials declined to provide the name of the agency in response to an additional query from Fox News.
The eye-opening number of data leaks that resulted from the attacks — 516 “incidents” in all — is barely mentioned in the 94-page GAO report.
It is mostly buried in the fine print of an information diagram on page 24 of the wordy and technical document.
The fact that the data losses all came from one agency is mentioned only in a footnote to the diagram, and the extraordinary success rate of the attacks has to be calculated from figures speckled on the previous page.
Fox News calculations of the success rate and number of attacks were subsequently affirmed by GAO officials.
The specific nature and importance of the torrent of data losses were not revealed.
A one-page executive summary of the GAO report that is the most likely portion to be read by policymakers or the general public makes no mention of data losses, or of the high success rate of attacks that caused them, or of the focus of the attacks on a single agency.
The high rate of attacks and successes in 2014 has particular significance for U.S. cybersecurity, however.
It was 2014 when the Obama administration revealed one of the worst losses of cyber-information in history had taken place, with the theft of 4.2 million personnel files of past and former U.S. federal civil servants from its Office of Personnel Management (OPM) by China-based intruders.
That loss was subsequently expanded in revelations a month later by 21.5 million sensitive background files on federal civil servants and contractors, after another hack that year, also believed to come from China, removed the huge quantities of sensitive personal information from a private background-checking firm.
On its website, OPM customarily refers to the losses as coming from only two “separate but related incidents” — a far cry from the triple-digit data loss numbers stashed away in the GAO report.
A Fox News query to the White House Office of Management and Budget, which oversees the effectiveness of cybersecurity across the federal system, yielded no additional information about the figures in the carefully groomed GAO report.
The computer assault information, along with much of the other information in the GAO document, came from the self-reporting of a swarm of 24 U.S. federal agencies that responded to a survey asking, among other things, about their “high-impact” federal information systems and cyberattacks.
The GAO audit, which took place between February 2015 and May 2016, came at the request of a trio of U.S. senators: Ron Johnson, R-Wis., chairman of the Senate Homeland Security and Government Affairs Committee; Thomas Carper, D-Del., the committee ranking member; and Susan Collins, R-Maine.
According to the report, 18 federal agencies have such “high-impact” systems, defined dramatically but opaquely as those where “the loss of confidentiality, integrity, or availability can have a severe or catastrophic adverse effect on organizational operations, assets or individuals.”
During 2014, only 11 of the 18 reported 2,267 cyberattacks on their “high-impact” facilities; another three failed to provide any specific numbers of such assaults.
Virtually all of the agencies designated “nations” — meaning foreign ones — as the most serious and frequently occurring source of the threat.
The GAO report may be highly circumspect about the success of high-impact attacks, but it is far more forthright in noting that cross-government authorities it included in the audit — including the Office of Personnel Management — had lots of guidance on how to protect themselves, but even now are still not doing enough to make sure the guidance was followed.
It noted, among other things, that OPM and other agencies had not done well in tracking whether special security training for employees in sensitive roles had been carried out, and none of them had fully completed remedial plans to correct “identified weaknesses” in their high-impact systems security.
For its part, OPM pushed back in a rebuttal that means other than directly tracking the completion of training were more effective and appropriate, especially for contractors, a conclusion that the GAO report did not accept.
OPM also argued that it had made further improvements to its security controls after the GAO audit was done that were not included in the report. GAO’s answer: The document “reflects the state of information security at the time of our review.”
The fact is that the entire Obama administration is still in the throes of carrying out a sweeping revamp of cybersecurity strategy that, according to some critics, is still far from a coherent answer to the active and still growing cyber-threat.
The senators who sparked the latest report may soon be focusing on some of those shortcomings. They are preparing to look further into the issues raised in the GAO document, which include the muffled and unsettling question of those hundreds of data losses.