WASHINGTON/NEW YORK (Reuters) - A major computer hack at America’s top stock market regulator is the latest sign that data stored in the highest reaches of the U.S. government remains vulnerable to cyber attacks, despite efforts across multiple presidencies to limit high-profile breaches that are so frequent many consider them routine.
In recent years, nation-state and criminal hackers, as well as rogue employees, have stolen data from the Internal Revenue Service, the State Department and intelligence agencies, including millions of government employee files allegedly exfiltrated by the Chinese military, U.S. officials say.
The Securities and Exchange Commission (SEC), America’s chief stock market regulator, said on Wednesday that cyber criminals may have used data stolen last year to make money in the stock market, making it the latest federal agency to grab headlines for losing control of its data.
At the same time, being only the latest major breach is not special, said Dan Guido, chief executive of Trail of Bits, which does cyber security consulting for the U.S. government.
“It simply reflects the status quo of our digital security,” said Guido, who is a former member of the cyber security team at the Federal Reserve, America’s central bank.
Central bank officials have detected dozens of cases of cyber breaches, including several in 2012 that were described internally as “espionage.”
The U.S. federal government has sharply increased funding dedicated to protecting its own digital systems over the last several years, attempting to counter what is widely viewed as a worsening national security liability.
But as one of the world’s largest collectors of sensitive information, America’s federal government is a major target for hackers from both the private sector and foreign governments.
“When you have one central repository for all this information - man, that’s a target,” said Republican Representative Bill Huizenga, chairman of the House subcommittee on Capital Markets, Securities, and Investment, which oversees the SEC.
Last year, U.S. federal, state and local government agencies ranked in last place in cyber security when compared against 17 major private industries, including transportation, retail and healthcare, according to benchmarking firm SecurityScorecard.
An update of the rankings in August showed the U.S. government had improved to third worst, ahead of only telecommunications and education.
“We also must recognize - in both the public and private sectors, including the SEC - that there will be intrusions, and that a key component of cyber risk management is resilience and recovery,” said SEC Chairman Jay Clayton.
The federal government audits cyber security measures every year at top agencies, producing reports that routinely expose shortfalls and sometimes major breaches. The Federal Bureau of Investigation also looks for hacking attempts and helped spot an alleged intrusion by Chinese military-backed hackers into a major banking regulator between 2010 and 2013.
Weekly scans of government systems by the Department of Homeland Security showed in January that the SEC had critical cyber security weaknesses but that vulnerabilities were worse at three agencies, including the Environmental Protection Agency, the Department of Health and Human Services and the General Services Administration.
Some agencies said they had improved their cyber security posture since that report.
A GSA spokeswoman said the agency has not had any critical vulnerabilities in the past six months, and that the ones identified in January were patched in under 10 days.
A Department of Labor spokesman said all identified vulnerabilities had been fixed and that its systems were not compromised by the identified flaws.
But, he added, “addressing vulnerabilities associated with legacy systems can be challenging.”
Reporting by Dustin Volz in Washington and Jason Lange in New York; additional reporting by Jonathan Spicer in New York and Sarah N. Lynch in Washington; editing by Andrea Ricci and Cynthia Osterman