The revelation that the US has suffered what may be the largest theft of government data in history will have implications for the UK’s digital economy, security experts and IT leads warn.
US officials yesterday accused Chinese hackers of carrying out a “massive breach” of almost four million US federal workers’ personal data.
The hack was uncovered as the US Department of Homeland Security hardened federal government defences following heightened cyberwarfare rhetoric and embarrassing breaches at Sony and Target.
Paul Simmonds, former CISO at AstraZeneca and CEO at The Global Identity Foundation, warned: "This is more proof that we desperately need a new Identity ecosystem, so even if your attributes are stolen, the hackers are unable to then use them on-line."
Richard Copley, CIO at Rotherham Council, added: "The future of everything is digital and this includes war."
Wider effect on the UK
Security has become an increasing priority for IT professionals, though budgets have not risen to match growing concerns.
More than half of the UK CIOs in ComputerworldUK’s sister title CIO.co.uk’s CIO 100 – which spans digital leaders in retail, financial services, local government, charities, the NHS and utilities – said their firm had detected a cyber-intrusion in the past year. Some 95 of the 100 said that security had increased in priority, but analysis revealed that budgets do not appear to be reflecting this shift.
Reflecting on the scale of the problem, Matt White, KPMG’s information protection and business resilience lead, warned it was likely that the UK had already become a target for similar attacks, in part because of the “forthright opinion on surveillance” of Prime Minister David Cameron.
White added that it was possible that the UK had already fallen victim to the sort of attack the US government admitted to yesterday, but that our government had either not disclosed this, or was simply not monitoring for interferences – a symptom widely recognised by the security industry.
White said that while UK businesses tend to react to breaches of this nature with shock and then a general apathy, identity theft could come back to bite firms, and citizens, long into the future.
“If I was a hacker and I knew a company had identity fraud insurance for 18 months, I would probably wait until after that period to do something with the information,” said White.
Passwords can be changed, but personal information such as national insurance details are lifelong unique identifiers and can be stored until insurance and security protocols expire before being used for disruption.
“Anything to do with identity fraud will have a ripple effect in the future”, he added.
Who did it?
US officials are blaming Chinese hackers for the breach, but White warned they were choosing an “easy target”. Speculation about the perpetrators will continue until the investigation is complete, but White said it is unlikely the US will divulge the means by which its data was breached, to avoid copy-cat attacks.
Security experts contacted by ComputerworldUK said the rapid disclosure of the breach by US officials was significant. One Whitehall digital insider said that the speed with which the breach was made public by the US meant it was less likely to have been caused by an insider, in a similar vein to Edward Snowden, than by outside actors.
Whoever the perpetrators, experts believe the scale of the data grab and the detail contained in the records will pose a long-term threat to governments, business and individuals.