Was the EPA data breach a failure of cybersecurity 101?
- By Amber Corrin
- Aug 03, 2012
More details are emerging from the Environmental Protection Agency’s security breach that affected nearly 8,000 users -- including the conclusion that it was caused by a virus in an e-mail attachment, possibly on a contractor’s computer.
The compromised servers contained data related to the Superfund program, the hazardous-waste cleanup effort mandated in 1980. The program is almost entirely managed by contractors, according to the Washington Business Journal, which originally reported the EPA breach on Aug. 4.
The breach occurred in March.
The data, including Social Security numbers, bank account information and home addresses, was exposed after an e-mail attachment with a virus was opened on a computer with access privileges to the breached servers, according to reports.
The EPA did not confirm that the computer belonged to a contractor, but reportedly did say that the agency heavily relies on contractors to provide IT services.
“Vigilantly keeping data secure from increasingly sophisticated cyber threats is a top priority at EPA and throughout the public and private sectors. The agency has already added new safeguards in response to this incident,” reads an EPA statement.
The breach leaves questions about the cybersecurity measures in place at the agency -- and agencies throughout government. Technology and policy are both critical to the success of a security effort, along with education and training, experts say.
“We cannot just have policy-based approaches to cybersecurity – it has to be technology-based too,” said Tony Busseri, CEO of Route1, an IT security firm. “If we rely upon the human condition – i.e., we expect someone to adhere to a policy – and that’s the only protection we have, we’re going to have failure. By nature people are prone to making errors.”
According to Busseri, if a contractor was remotely accessing the servers – which the EPA has not confirmed – they may have been exposed to malware and/or viruses on the contractor’s computer.
That concern isn’t limited to the EPA, or to this specific incident – it’s something that must be considered as the federal government increasingly looks to telework and bring-your-own-device policies, Busseri said.
“We’ve forgotten in today’s world some of the simple rules of dealing with data. As soon as we allow data to go beyond the network perimeter, all the firewalls and monitoring tools are rendered useless. It comes down to cybersecurity 101,” he said. “We should be using technology that is principled around minimizing vulnerabilities and risk. Then you educate the user on using that technology.”
Amber Corrin is a staff writer covering defense and national security. Connect with her on Twitter: @AmberInsideDOD.