The White House Breach and Payments’ Wake Up Call

When the history of cybersecurity in the digital age is written, the extreme and detailed coverage of Hillary Clinton’s use of personal email to transact State Department business may well go down as one of the great examples of burying the lede.

This is not because the PYMNTS editorial staff has any opinion on the matter of conducting State Department work through a personal email account; that is for political junkies to hash out. As payments junkies, however, we do find it interesting that Googling “Hillary Clinton, email” pulls up about 60 million results, the first two pages of which are articles from mainstream sources about the “Email-gate” issue.

Googling “Russian hackers, State Department,” on the other hand, pulls up 1.4 million articles – the first half of the first page of which are from mainstream news outlets. This observation is interesting only because reading the articles in the latter search would indicate that the State Department has a much bigger problem with its email system than Hillary Clinton not using it. If early 2015 is a good indication, the State Department’s biggest problem is who is using its email accounts – since an at least partially correct answer to that question would be “Russian hackers looking to worm their way into the government system.”

And, if recent reports are accurate, these alleged Russian hackers are getting better than pretty good at this – and in fact were last week able to leverage the permeable nature of State Department cybersecurity into a White House breach. On the upside, no confidential data went out the door, aside from President Barack Obama’s schedule – which, for those of us who are “24” fans, sounds pretty important to keep secret. On the downside, it’s most disturbing to see how rapidly criminals and their hacks are evolving and how slowly systems of all stripes are catching on to how to detect them before they wreak havoc.

Trouble At The State Department

Pop Quiz

A ring of foreign criminals sends wave upon wave of phishing emails to a group of employees at an organization until someone takes the bait and opens an infected email, at which point malware enters the system and crawls its way through the network until the attackers gain access to the data set they are looking for.

Are we describing:

A. The Sony Breach
B. The Anthem Hack
C. The “Billion Dollar Cyber Heist”
D. The State Department Breach
E. All Of The Above

Regular readers will know the answer is E – as spear-phishing (the email spoofing fraud that targets a specific organization to gain unauthorized access to confidential data) has been 2015’s answer to 2014’s love affair with point-of-sale scraping.

While many of the details of these various hacks are similar, the State Department’s has a unique and troubling detail: the Department is, and has been, aware of the breaches – it just has not been able to find a way to inoculate its system against the hackers.

In November 2001, the State Department shut down its email system over a weekend to try to improve security and block the intruders. During the shutdown, the department circulated a message noting that “activity of concern” by possible hackers had been noted in an unclassified email system.

Remember that phrase – it is apparently meant to be reassuring.

CNN reports that despite that reassurance, several sources with the State Department have affirmed that since information of value to foreign intelligence agencies is routinely shared in non-classified emails, the breach would pose a major risk to U.S. security nonetheless.

Russian hackers in the direct employ of the Russian government are currently the leading suspects in the State Department breach.

James Clapper, Director of National Intelligence, told a Senate hearing last month the “Russian cyberthreat is more severe than we have previously assessed.”

A different government official described the situation for CNN in more dire terms, albeit anonymously:

“Russian hackers have owned the State Department system for months and it is not clear the hackers have been fully eradicated from the system.”

And, reports this week indicate they are looking to expand their ownings.

White House Hacked

White House officials have confirmed for CNN their belief that the same group of Russian hackers behind the State Department hack(s) had successfully leveraged their access into the White House’s systems.

White House officials confirmed that the intrusion had only affected those good old unclassified systems. What was up for grabs in those systems? A non-public version of the president’s schedule, updated in real time, was among the pieces of valuable data the thieves got access to.

The White House has confirmed that it first noticed suspicious activity in an unclassified network that serves the Executive Office of the President. Federal law enforcement, intelligence and Secret Service sources all confirm that the attacks are among the most sophisticated ever launched against government systems.

National Security Council spokesman Mark Stroh did not confirm the hack’s allegedly Russian origin, but did note that “any such activity is something we take very seriously.”

“In this case, as we made clear at the time, we took immediate measures to evaluate and mitigate the activity,” he said. “As has been our position, we are not going to comment on [this] article’s attribution to specific actors.”

Ben Rhodes, President Barack Obama’s Deputy National Security Adviser, said that despite the breach, the public should not be overly concerned about the safety of information – noting that classified and unclassified information systems were treated somewhat differently. He also strongly highlighted that no classified system had been breached.

“We’re constantly updating our security measures on our unclassified system, but we’re frankly told to act as if we need not put information that’s sensitive on that system,” he said. “In other words, if you’re going to do something classified, you have to do it on one email system, one phone system. Frankly, you have to act as if information could be compromised if it’s not on the classified system.”

How did the hack happen exactly? More spear-phishing, it seems, using hijacked email accounts from the State Department.

“So many times, the Chinese and others get access to our systems just by pretending to be someone else and then asking for access, and someone gives it to them,” Director of National Intelligence Clapper noted.

What’s Next

The problem with hackers is how adaptable they are turning out to be.

2015 appears to be the year of the spear-phishing attack. Physical POS hacks now seem so uninteresting to hackers thanks to the efforts of payments and retail players to shift, en masse, to tokens, P2PE and bio-authentication. None of this is impossible for hackers to get through – but it’s always easier for the bad guys to outthink people than it is to outsmart technology.

More worrisome, perhaps, is the clear evidence that data thieves are doing less smashing and grabbing these days in favor of waiting, watching and harvesting over time. We know that it often takes more than 150 days for an intrusion to be discovered – that’s half a year! And now we have learned that while the intruders can be found, it takes a while, and they seem to be proficient at sneaking right back in.

So what is the solution? As with most things security-related, there isn’t just one. But, as PYMNTS has reported before, the criminals are becoming smarter, faster, more adaptable and more professional.

“Now [the cybercriminals] are becoming more institutionalized or organized, but not in the ‘Godfather’ sense of the phrase, but in the online ecosystem sense,” Forter CEO and Founder Michael Reitblat told MPD CEO Karen Webster in a recent podcast interview.

“There are people who are only building cybercrime tools and selling them and that is literally all they do. There is now cybercrime as a service. You can have a botnet built for $2 an hour. This is why collectively, the cybercriminals have become so much better.”

If the White House isn’t safe and the State Department can’t free itself of hackers – it’s certainly time for the good guys to up their security game.