On Wednesday, 48 hours after releasing a policy paper on cybersecurity, the top trade association for intelligence contractors got a first-hand lesson on the subject: they discovered that their website was hacked.
Cryptome, a site affiliated with the hacker collective Anonymous, published the membership emails and phone numbers and in some cases home addresses for the members of the Intelligence and National Security Alliance (INSA). By clicking on a link titled, “INSA Nest of Official and Corporate Spies,” anyone can find contact information for senior officials at the NSA, FBI, and CIA, as well as top national security contracting firms like Booz Allen Hamilton.
"When this happens to an organization which is an association made up of your brightest and most competent intelligence and national security professionals and no one is surprised, it tells you we have a cybercrime epidemic," INSA President Ellen McCarthy told The Daily Beast Friday. "It’s not just a few isolated incidents, it’s happening all the time."
INSA boasts members from the top of both the contracting world and the U.S. intelligence community. President Obama’s top adviser on counterterrorism, John Brennan, is a former chairman of INSA’s board of directors, as is Mike McConnell, a former director of national intelligence.
The irony in this case is that the files were published a day after INSA released a paper urging government contractors and the intelligence community to establish common protocols to ward off cyberintruders. The second sentence of the paper notes, “Cyberspace is a haven for a broad range of disruptive operations, including reconnaissance, theft, sabotage, and espionage.”
INSA is only the latest example of how the intelligence community and its affiliated contractors have been hacked by increasingly brazen hackers. On July 11, Anonymous published some 90,000 emails and login credentials for U.S. military officers after breaking into the servers of Booz Allen Hamilton. The group published the data on a website called Pirate Bay and announced on Twitter that July 11 was “Military Meltdown Monday.” The month before, another group of hackers called “LulzSec” (who claim to have since disbanded) published internal files from the FBI and claimed to briefly disable the CIA’s public website.
To get a sense of how bad the problem is, earlier this year, the company that provides the secure login protection or digital keys, RSA, suffered a breach that effectively gave the hacker a skeleton key for thousands of corporate networks all over the world.
“The people who are supposed to be most sophisticated about network security are constantly getting owned,” said Noah Shachtman, a cybersecurity expert at the Brookings Institution and the editor of Wired’s Danger Room blog. “It used to be that if you wanted to steal secrets from the U.S. government, you would have to go to the Pentagon or Langley, Va. But now, because so much of what our military and intelligence agencies do is actually in private contractor hands, one of the easiest ways to get sensitive information is to break into these corporate and association networks.”
McCarthy said the hackers got the master member list the group uses mainly as an invite list for their events. She said more sensitive information like the credit card numbers of its members were on websites on remote locations.
"The people who are supposed to be most sophisticated about network security are constantly getting owned," said Noah Shachtman, a cybersecurity expert.
INSA announced the breach in part, McCarthy said, because the trade organization has encouraged other businesses to be up front with the public after suffering hacks to their servers. She also said she was most upset that some of the home addresses of the group’s membership were shared.
Shachtman said that the emails could also be valuable to hackers. “INSA is just another Washington trade association, one of a thousand. But the personal information on the membership list could be extraordinarily useful for hackers who want to get access to more sensitive networks,” he said. “With the personal emails of these government and industry officials, a hacker could use this information to deliver very personalized and very convincing scams on some of the intelligence world’s leading lights.”