Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked, White House officials have told industry executives, marking the first time the government has revealed how often it tipped off the private sector to cyberintrusions.
The alerts went to firms large and small, from local banks to major defense contractors to national retailers such as Target, which suffered a breach last fall that led to the theft of tens of millions of Americans’ credit card and personal data, according to government and industry officials.
“Three thousand companies is astounding,” said James A. Lewis, a senior fellow and cyberpolicy expert at the Center for Strategic and International Studies. “The problem is as big or bigger than we thought.”
The number reflects only a fraction of the true scale of cyberintrusions into the private sector by criminal groups and foreign governments and their proxies, particularly in China and Eastern Europe. The estimated cost to U.S. companies and consumers is up to $100 billion annually, analysts say.
The volume of notifications reflects an effort by the FBI, the Department of Homeland Security and other agencies to ramp up the sharing of threat information with U.S. companies, officials say. The alerts follow a February 2013 executive order by President Obama to “increase in volume, timeliness, and quality” the cyberthreat information shared with the private sector so that companies can better defend themselves.
The disclosure comes as the federal government has struggled to pass legislation to set security standards that companies in critical sectors must follow and to increase information-sharing between the public and private sectors.
It also comes amid reports that the National Security Agency has breached the servers of a Chinese telecommunications firm to learn whether the company has been spying on behalf of Beijing, although agency officials say the United States does not steal corporate data to benefit U.S. companies’ competitiveness.
In the absence of cybersecurity legislation, the government last month unveiled a voluntary framework of best practices that companies can follow to secure their computer networks. Lisa Monaco, deputy national security adviser for homeland security and counterterrorism, told industry leaders at a White House event that the government had alerted more than 3,000 companies, officials said.
“When companies are notified that they have been victimized by malicious cyber actors, it should be a wake-up call,” White House cybersecurity coordinator Michael Daniel said in a statement to The Washington Post. “U.S. businesses must improve their cybersecurity.”
Daniel said that companies need to make “smart investments” in personnel and technology, and that staying on top of threats through information-sharing with government agencies is crucial.
“These notifications are helping to build and exercise public-private teamwork on a daily basis,” he said.
About 2,000 of the notifications were made in person or by phone by the FBI, which has 1,000 people dedicated to cybersecurity investigations among 56 field offices and its headquarters. Some of the notifications were made to the same company for separate intrusions, officials said. Although in-person visits are preferred, resource constraints limit the bureau’s ability to do them all that way, former officials said.
Nonetheless, agents are trying to provide companies with useful information that can help them identify the problem and stop the bleeding of data, said special agent Tim Marsh of the FBI’s cyber division.
“One of the frustrating parts for industry was agencies going out and saying, ‘You’re a victim, you’re being targeted, and I can’t tell you anything else.’ So we spend a lot of time making sure that before we send an agent or an investigator out that they have quality information to provide to the company,” he said.
That could include Internet protocol addresses, malware samples and specific attack signatures, industry officials said.
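What a recipient does with that kind of notification is mechanical but worth spelling out: the indicators are matched against the company's own egress logs and suspect files to find which internal hosts talked to the attackers' servers, how much data left, and whether the handed-over sample is already on disk. The block below is an added example and not code from the article or from any agency; the notified IP ranges (drawn from the reserved TEST-NET blocks), the log format, the host names and the "malware sample" bytes are all constructed for illustration.

```python
"""Triage a breach notification (IP indicators + a malware sample) against
local egress logs. All indicators, hosts and log lines are constructed."""
import hashlib
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical indicators as an agent might hand them over: bare IPs or CIDRs.
NOTIFIED_IPS = ["203.0.113.7", "198.51.100.16/28"]

# Stand-in for the malware sample; hashed here rather than inventing a hash.
MALWARE_SAMPLE = b"constructed sample bytes, not real malware\x00\x90\x90"
NOTIFIED_HASHES = {hashlib.sha256(MALWARE_SAMPLE).hexdigest()}

# Constructed proxy/firewall egress records (timestamp, source host, dest).
EGRESS_LOG = """\
2014-03-12T01:14:02Z src=ws-041 dst=203.0.113.7 dport=443 bytes_out=48213000
2014-03-12T01:15:10Z src=ws-041 dst=192.0.2.10 dport=443 bytes_out=2300
2014-03-12T02:40:55Z src=fs-02 dst=198.51.100.20 dport=443 bytes_out=912000000
2014-03-13T01:16:33Z src=ws-041 dst=203.0.113.7 dport=443 bytes_out=51000000
2014-03-13T09:00:00Z src=ws-118 dst=198.51.100.9 dport=80 bytes_out=400
"""

# Constructed files pulled from the hosts above for hash comparison.
SUSPECT_FILES = {
    "ws-041:/tmp/updater.bin": MALWARE_SAMPLE,
    "fs-02:/tmp/report.pdf": b"%PDF-1.4 benign constructed content",
}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            flows.append(Flow(m["ts"], m["src"], m["dst"],
                              int(m["dport"]), int(m["bytes_out"])))
    return flows


def compile_networks(indicators):
    """Accept both single IPs and CIDR ranges as notified indicators."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def hop_point_contacts(flows, networks):
    """Group egress flows to notified servers by the internal source host."""
    hits = defaultdict(list)
    for f in flows:
        try:
            addr = ipaddress.ip_address(f.dst)
        except ValueError:
            continue  # hostname rather than an address; not matched here
        if any(addr in net for net in networks):
            hits[f.src].append(f)
    return dict(hits)


def matching_files(files, known_hashes):
    """Return names of collected files whose SHA-256 matches the sample."""
    return sorted(name for name, blob in files.items()
                  if hashlib.sha256(blob).hexdigest() in known_hashes)


def triage(log_text, ip_indicators, hashes, files):
    """Summarize per-host contact count, bytes out and first sighting."""
    hits = hop_point_contacts(parse_log(log_text), compile_networks(ip_indicators))
    hosts = {
        src: {
            "contacts": len(fs),
            "bytes_out": sum(f.bytes_out for f in fs),
            "first_seen": min(f.ts for f in fs),
        }
        for src, fs in hits.items()
    }
    return {"hosts": hosts, "files": matching_files(files, hashes)}


if __name__ == "__main__":
    result = triage(EGRESS_LOG, NOTIFIED_IPS, NOTIFIED_HASHES, SUSPECT_FILES)
    for host, s in result["hosts"].items():
        print(f"{host}: {s['contacts']} contacts, {s['bytes_out']} bytes out, "
              f"first seen {s['first_seen']}")
    print("files matching sample:", result["files"])
```

The byte counts matter more than the hit count: a host that has pushed hundreds of megabytes to a notified address is the one bleeding data, and the earliest timestamp bounds how long the intrusion has been running. Note that ws-118's connection to 198.51.100.9 is correctly not flagged, since it falls outside the notified /28.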
Officials with the Secret Service, an agency of the Department of Homeland Security that investigates financially motivated cybercrimes, said they notified companies in 590 criminal cases opened last year. Some cases involved more than one company. The list included Target, which the agency said it alerted in December.
Others notified by the Secret Service last year included a major U.S. media organization, a large U.S. bank, a major software provider, and numerous small and medium-size retailers, restaurants and hotels, officials said.
“Within hours of us coming up with information that we can provide, we would go to a victim,” said Edward Lowery, Secret Service special agent in charge of the criminal investigative division. “The reaction would be just like when you’re told you’re the victim of any crime. There’s disbelief, there’s anger, all those stages, because there’s a lot at stake here.”
To better coordinate the alert process, the FBI is expanding a computer system used to track counterterrorism tips and information, called Guardian, to include cybersecurity cases across the government. The idea is to avoid duplication of efforts between agencies and make sure, for instance, that the FBI knows when the Secret Service is notifying a company.
In most cases, the company had no idea it had been breached, officials say. According to Verizon, which compiles an annual data-breach survey, in seven out of 10 cases, companies learn from an external party — usually a government agency — that they’ve been victimized.
That’s an ironic role reversal, said Steven Chabinsky, former deputy assistant director of the FBI cyber division. “It’s usually the victim calling 911, not 911 calling the victim,” he said.
A company in the Midwest that was notified Wednesday by the FBI welcomed the tip-off, according to an industry official familiar with the case. Company officials were given a spot clearance for a few hours so the agent could brief them on classified threat information, the official said.
In some cases that involve companies with sophisticated capabilities, the government is not telling them what they don’t already know, industry officials said. “What they find is that they’re giving up more information to the government than the government’s giving them that’s of value,” said a cybersecurity consultant who spoke on the condition of anonymity to be candid.
Many of the companies the FBI has notified in past years were defense contractors, said Chabinsky, who stepped down in September 2012. And often it is China that is behind such intrusions, experts say. More than two dozen major weapons systems have been breached by Chinese hackers, who experts say focus on advanced technologies in biotechnology, space and alternative energy.
The FBI often discovers that companies have been hacked by monitoring a “hop point” server, a virtual stash house the hackers use to stage data siphoned off from a firm. Because the same server holds stolen material from numerous victims, a single hop point can lead investigators to more than 100 victims, officials said.
Often, the FBI makes repeat notifications. “We used to have one agent who, when approaching a company, would say, ‘Unfortunately, this is going to be the beginning of a long-term relationship,’ ” said Chabinsky, who was the FBI’s top cyber lawyer and is now general counsel and chief risk officer for CrowdStrike, a cybersecurity firm. The reason, he said, is that the victim is usually being targeted by an unrelenting foreign power such as China or Russia.
Lewis said that when it comes to theft of intellectual property, those two countries account for the bulk of all cases. “Far and away the largest is China,” he said. “The second-largest is Russia. Between those two, you’re probably looking at more than two-thirds of cases in the United States.”