The Department of Defense agency responsible for securing the communications of President Trump has suffered a data breach. Here’s what is known so far.
I am used to reporting U.S. government warnings about critical cybersecurity risks. Less so about government agencies that have themselves been the victim of a cybersecurity incident, let alone agencies with responsibility for cybersecurity itself. The U.S. Defense Information Systems Agency (DISA) describes itself as a combat support agency of the Department of Defense (DoD) and is tasked with supporting secure White House communications, including those of President Trump. As well as overseeing Trump's secure calls technology, DISA establishes and supports communications networks in combat zones and takes care of military cybersecurity issues. It has also confirmed a data breach of its network, which exposed data affecting as many as 200,000 users.
Details of the DISA breach remain sketchy
The breach was first reported by Reuters: disclosure letters dated February 11 have been sent out to those whose personal data may have been compromised. Although it is not clear which specific servers were breached, nor who the recipients of the letters are, that an agency with a vision to "connect and protect the war-fighter in cyberspace" should suffer such an incident is concerning, to say the least.
While many of the details surrounding this breach are, understandably, likely to remain confidential given the nature of DISA's work, the letter itself has already been published on Twitter by one recipient. Signed by Roger S. Greenwell, the chief information officer at DISA, the letter revealed that the breach took place between May and July last year and that information including social security numbers may have been compromised as a result. It also stated that there is no evidence that any personally identifiable information (PII) has been misused. The letter does, however, confirm that DISA will be offering free credit monitoring services to those who want it.
Is the DISA disclosure just the tip of an incident iceberg?
Ilia Kolochenko, CEO at security specialist ImmuniWeb, said that an investigation needs to be conducted, as a matter of urgency, to ascertain whether any other systems were impacted. "Frequently, nation-state attackers commence their attacks by breaching the weakest link accessible from the Internet and then silently propagate to all other interconnected systems in a series of chained attacks," Kolochenko said, adding that "access to personal data of the agency staff greatly facilitates a wide spectrum of sophisticated spear-phishing and identity theft attacks capable of bypassing virtually any modern layers of defense." Given that the disclosure letters confirm this breach occurred between May and July 2019, I would hope that such a forensic investigation has long since been instigated. The delay in these letters being sent out may also "be an indicator of attack sophistication," Kolochenko concluded, "and what has been reported so far may just be the tip of the iceberg."
Department of Defense statement
Chuck Prichard, Department of Defense spokesperson, sent me the following statement in an email:
“The Defense Information Systems Agency (DISA) has begun issuing letters to people whose Personally Identifiable Information (PII) may have been compromised in a data breach on a system hosted by the agency. While there is no evidence to suggest that any of the potentially compromised PII was misused, DISA policy requires the agency to notify individuals whose personal data may have been compromised. Individuals possibly affected by this incident will receive letters containing initial notification of the situation. They will subsequently receive additional correspondence with information about actions that can be taken to mitigate possible negative impacts. Those actions will include access to free credit monitoring services for all affected by this breach. DISA has conducted a thorough investigation of this incident and taken appropriate measures to secure the network.”
Updated February 22
A statement from the Department of Defense was added.