US CENTCOM hacking highlights need for better military cybersecurity practices
It's hardly a controversial claim to suggest the federal government needs to improve its cybersecurity practices. In the past few years, there have been numerous incidents highlighting shortcomings in this area. Recent examples include data breaches at both the White House and State Department, but these are hardly the only incidents demonstrating the nature of this problem. And while none of these breaches have proven catastrophic, the risk of devastating data loss or theft continues to grow.
Recently, yet another security breach further drove home the need for better cybersecurity practices among federal organizations. Earlier this month, hackers seized control of several of the U.S. Central Command's social media accounts. This was a particularly public display of U.S. cybersecurity vulnerabilities, and should serve as a powerful driver of more intense focus in this area.
A serious vulnerability
The cyberattack, executed by ISIS sympathizers, compromised both CENTCOM's Twitter account and YouTube page. In the former case, the hackers issued tweets such as, "AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS." In the latter, the YouTube channel featured pro-ISIS propaganda videos focusing on militant fighters.
The CENTCOM Twitter account was disabled approximately 40 minutes after the hijacking.
Additionally, the hackers posted images of spreadsheets that featured personal information for retired U.S. Army generals, along with a variety of military maps and other information. CENTCOM officials claimed this data originated from the Massachusetts Institute of Technology, not the Army itself or any government database.
CENTCOM further emphasized that this attack did not result in the exposure of any serious military resources.
"CENTCOM's operational military networks were not compromised and there was no operational impact to U.S. Central Command," CENTCOM said in a statement. "CENTCOM will restore service to its Twitter and YouTube accounts as quickly as possible. We are viewing this purely as a case of cybervandalism."
Despite these assertions, the cyberattack raises worrisome issues, according to Michael McCaul, R-Texas and House Homeland Security Committee Chairman.
"The fact that individuals claiming to be affiliated with ISIS took control of the U.S. military's Central Command's social media accounts today is severely disturbing," McCaul said in a statement. "Assaults from cyber-jihadists will become more common unless the administration develops a strategy for appropriately responding to these cyberattacks."
CNN reported that the FBI is also investigating these intrusions.
Following these cyberattacks, officials announced a number of corrective measures aimed at limiting the risk of similar events in the future. In many cases, these efforts included fairly basic, common sense policy corrections.
Among these responses was the announcement that the Department of Defense is updating its passwords for many of its social media accounts. Col. Steve Warren, a Pentagon spokesman, noted that the DOD's Office of Secretary of Defense operates 50 accounts on social media, all of which have now changed and improved the strength of their passwords.
However, as Fox News noted, the DOD operates thousands of social media accounts in total. It is not clear what, if any, steps have been taken in regard to these.
Speaking to the news source, cybersecurity expert Roger Kay asserted that this incident may serve as a wake-up call for the military's use of social media. He pointed out that it's very possible that the cyberattack could have been thwarted entirely if the DOD had stronger password policies in place to begin with.
This speaks to the true significance of this attack: It demonstrated how lax standards and behavior can create openings for opportunistic hackers. To ward off these threats, government leaders should consider working with third-party cybersecurity consulting firms that can offer training and guidance for eliminating these weaknesses throughout every agency, including military organizations.