Once again, hackers have reminded Uncle Sam that he is not impervious to cyberattacks. This time the targets were none other than the Department of Homeland Security and the FBI. It's impossible not to detect a tinge of irony here: The very agencies that are responsible for investigating these types of events have become the victims of one. In fact, the FBI quite literally wrote the book on Criminal Justice Information Services (CJIS) compliance.
And yet, CNN reported that as of Feb. 8, hackers published the personal information of around 20,000 FBI employees that was stolen from a database, along with the information of almost 10,000 DHS employees. If ever there were a time for the feds to start thinking more strategically about digital authentication and better cybersecurity, it would be now.
A storm of cyber woes
Lest we forget, this is hardly the first breach in recent years, and it certainly isn't the biggest. In 2015, 21.5 million people had personal information pilfered in a breach of the Office of Personnel Management, which is believed to have been the work of Chinese hacker-spies.
The incident prompted contentious discussions about the current state of government cybersecurity. One report identified the "negligent insider" as the top concern when it comes to government cybersecurity. This is fitting given two cybersecurity blunders that were brought to light in November. The first entailed the release of a survey suggesting the majority of federal workers using mobile devices were not adhering to best practices, for example, by connecting to public Wi-Fi.
The second one hits way closer to home. According to the Register, DHS was called out for running "dozens of top-secret unpatched databases." Anyone who has even the slightest knowledge of how a computer works doesn't need to be told why that's a bad idea.
It's far too early to presume any link between the recent breach of the DHS database and the agency's previous failure to patch critical systems. Nevertheless, it does raise the question: Are some government agencies slacking on cybersecurity? More importantly, where should they go from here?
Well, what does CJIS compliance say?
The purpose of CJIS compliance is to promote best cybersecurity practices among law enforcement personnel at all levels of the government: federal, state, local. It tells us that cybersecurity is very important when it comes to protecting the criminal justice information system, and that there are right and wrong ways to do it.
For instance, wireless connectivity must only happen on secure VPNs – which, as mentioned above, hasn't always been the case for some federal employees. User sessions must automatically terminate if inactivity exceeds a certain time limit. After a predetermined number of failed login attempts, there should be some sort of computer lockout. Strong encryption methods should be used to secure stored sensitive data, and yes, this includes email encryption.
CJIS compliance also applies to any technology vendor that might be contracting with a law enforcement agency. Those who follow the world of government IT have surely heard about the feds' big push for cloud migration. It's been slow-going to say the least, and one of the reasons is wariness regarding cybersecurity. While the ease of access and sharing capabilities are enticing, they also worry certain agencies, including those in federal law enforcement and defense. This is why in 2012, the FBI decided that cloud vendors must comply with CJIS security measures. For providers that want to do business with law enforcement agencies, cloud security is the law.
Finally, there's multifactor authentication. Government and law enforcement agencies get breached too often. This is something that the use of dynamic authentication – which is also mandated by CJIS compliance – can help with. Two-factor authentication might make use of a time-sensitive, one-time password that becomes obsolete after a certain amount of time passes. This approach is an effective, intuitive safeguard for vital systems, and can also play an important role in mobile device management. More advanced methods for multifactor authentication leverage fingerprint and retina scanners, both of which are already in use in some agencies.
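To make the time-sensitive one-time password and the failed-login lockout described above concrete, here is an added example (not from the original article or any vendor's product) of an RFC 6238 TOTP check with replay protection and a lockout counter. The 30-second validity window, the five-failure threshold and the names `totp` and `Authenticator` are assumptions chosen for illustration; the article gives no specific values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed validity window for each one-time code
MAX_FAILURES = 5    # assumed lockout threshold; the article states no number


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", int(now) // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Authenticator:
    """Second-factor check: codes expire, cannot be replayed, and
    repeated failures lock the account until an administrator resets it."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.last_step = -1   # most recent time step already accepted

    def verify(self, code: str, now: float) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"
        step = int(now) // STEP_SECONDS
        expected = totp(self.secret, now)
        # Constant-time comparison avoids leaking how many digits matched.
        match = hmac.compare_digest(code.encode(), expected.encode())
        if match and step > self.last_step:
            self.last_step = step     # burn this step so the code is single-use
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "denied"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    auth = Authenticator(secret)
    code = totp(secret, 59)
    print(auth.verify(code, 59))       # accepted inside its window
    print(auth.verify(code, 59))       # replay of the same code is refused
    print(auth.verify(code, 89))       # next window: the old code is obsolete
```

A production deployment would also persist the failure counter and last accepted step per user, and store the shared secret encrypted at rest.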
So to recap, the goal of CJIS is to foil hackers, slackers, spies and the diverse array of other physical and virtual security threats to law enforcement, and this entails leveraging pretty much all of the cybersecurity methods mentioned above. If you're asking yourself, "wouldn't it be nice if there were a company that did all of this?" say no more. Simply click on this link to learn more about Entrust's authentication, identity verification and cybersecurity solutions.