The United States government got hacked again.
The Army’s website was disabled Monday by the Syrian Electronic Army, according to media reports.
The site was reportedly not secured with HTTPS, a basic encryption method, and hackers were able to take control, displaying taunting messages that read, “You’ve been hacked” and “Your commanders admit they are training the people they have sent you to die fighting,” on the site’s main page.
The Army confirmed the breach and warned the public through social media to not visit the site, CNN reported. Officials said the breach posed little threat of data exposure because Army.mil primarily functions as an informational tool.
Monday’s hack is the third foreign cyberattack in as many weeks against a government agency. Last week, Chinese hackers cracked into U.S. Office of Personnel Management servers, exposing at least 4 million government personnel files chock full of sensitive data such as Social Security Numbers. The week before, more than 100,000 tax records were leaked after the Internal Revenue Service was reportedly hacked by Russia.
The Federal Bureau of Investigation has linked the OPM hackers to another massive breach of insurance provider Anthem, which didn’t encrypt data and consequently exposed nearly 80 million health records earlier this year.
OPM, like many other government agencies, didn’t properly maintain its networks with complete and regular software updates, and didn’t encrypt its data. The breach, which is likely the largest the government has ever faced, was only noticed after an employee began implementing new tools from the Department of Homeland Security’s new security program. The program was originally expected to roll out to all agencies by 2018 but has since been fast-tracked, possibly because of the uptick in breaches and government-specific cyberattacks. Also, all government websites will have HTTPS encryption by the end of 2016, according to 18F, a digital group for the government’s General Services Administration.
Cyberattacks are a real and present threat with the government set up as a prime and, sadly, easy target. The White House and Homeland Security have been breached. Hackers claiming association with the Islamic State released photos, names, addresses, and branch of service of U.S. servicemen and women, information that was purportedly hacked from military data servers in March. And on a lesser scale, social media accounts for the U.S. military have been hacked too.
Moreover, federal and local government agencies as a whole use severely outdated hardware and software, compounding that inherent risk because they fail or are unable to implement tighter security protocols.
Breaches are unique and no two are exactly the same in terms of the circumstances that led up to them. But an important common denominator in the government’s latest breaches is insufficient encryption or a complete lack of it. Ironically, those are the same conditions the Justice Department and National Security Agency are pushing private sector entities such as Apple, Facebook and Google to adopt so law enforcement agencies could have clear access to consumer data, despite vocal opposition and clear public risk.
The government has struggled to protect itself from cyber threats. The U.S. only recently embraced a new strategy on cyber warfare, and has tried to head threats off at the pass by increasing the Pentagon’s cyber defense budget to $4.7 billion.
But until the U.S. incorporates the same security measures it discourages tech companies from employing, attacks on all government agencies similar to the ones in recent weeks will likely persist and escalate.