Cyberattackers breach USPS security, but what were they after?

The USPS security breach is a reminder that cyberattacks are relentless. CIOs need to help their organizations prepare for 'left of boom.' Also in Searchlight: Obama takes a stand on net neutrality; IBM discovers a 19-year-old Microsoft bug.

Another federal agency has been the target of cybercrime. Just a couple of weeks after it was revealed the White House's unclassified computer networks were breached, the United States Postal Service (USPS) announced Monday that cyberattackers had stolen data on all its 800,000-plus employees, including their names, addresses and Social Security numbers.

The USPS security breach was discovered in September, officials said, and though they didn't confirm a perpetrator, many security experts speculate that Chinese hackers were responsible because the hack's signature was similar to recent breaches connected to the Chinese government.

What's noteworthy about this attack is that it's unclear what the thieves were after. The USPS doesn't handle classified government information, nor is the stolen employee data as obviously marketable as the credit card information purloined from retail giants such as Target and Home Depot (which this week disclosed further information on its massive cybertheft).

"It's an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyberintrusion activity. The United States Postal Service is no different," said Postmaster General Patrick Donahoe in a statement. In other words, you exist, therefore you're vulnerable.

If everyone is vulnerable, what are businesses to do?

According to a panel of experts at the recent Advanced Cyber Security Center Conference in Boston, instead of trying to predict if and when you'll get hit and what form that cyberattack is likely to take, plan for left of boom. The military term, coined by The Washington Post's Rick Atkinson, refers to the moment before a bomb explodes. Applied to cybersecurity, it refers to how well your organization is prepared just before the "boom," or cyberattack, to ideally prevent it from happening -- or at the minimum, contain the damage.

State Street Corp. CIO Christopher Perretta, part of a diverse panel of experts, offered his thoughts on what constitutes a left-of-boom defense.

For starters, many companies today have heterogeneous infrastructures -- the new stuff that is fairly resilient and the old stuff that you worry about, Perretta said.

"It's about owning that entire response," he said.

In addition, cybersecurity is not about checking the compliance box. It is about having a full-fledged, disciplined risk strategy that recognizes residual risk, the portion of risk left after all that can be done is done, Perretta said.

This starts with understanding that low-probability, high-risk events can happen, that these risks have large implications, and that resources proportionate to those risk levels need to be applied. The governance mechanisms organizations have in place will be the difference between being able to handle residual risk and being undone by it.

Another piece of advice? CIOs must think of themselves as stewards of the company's business operations, not just the service providers for those business operations.  

Sometimes this involves hard decisions, such as shutting down a transaction, regardless of what's on the other end, if there's anything suspicious at play, Perretta said. "It's a debate that says, 'What are the things I'm willing to seriously disrupt my business to protect?' It's an exercise that typically happens in disaster recovery, but should happen day to day," he said.

The bottom line is to think of security not just as an IT responsibility, but something that transcends tools and processes and is built into the fabric of the organization, he said. That's easier said than done, though.

"Changing the way people think about the business is much harder than the technology changes that we do."

CIO news roundup for week of Nov. 10

In other news from this post-election week:

  • President Obama has taken a front-and-center role in the net neutrality debate. In a video statement Monday, Obama said the FCC should follow a stringent set of rules to restrict broadband providers from blocking online content and voiced support of other measures to promote a free and open Internet. Surprisingly, Silicon Valley's response of late has been more subtle.
  • IBM researchers discovered a critical flaw in Microsoft's Windows and Office software in May of this year, but only went public with it this week, after they had worked with Microsoft to fix the flaw. The bug, which hackers could exploit to remotely control a user's machine, has existed in every Windows version since 1995.
  • A video of a karate-fighting robot has been making the rounds online this week. Three hundred and thirty-pound Atlas, developed by Google's wholly owned subsidiary Boston Dynamics, can not only balance on one foot on cinder blocks and raise and lower its arms, ninja style, but also walk on two feet, carry various objects and climb with its hands and feet.
  • Biotechnology company Pathway Genomics is promising a newfound purpose for IBM Watson -- dietitian. It's developing an app that will connect to activity monitors, provide genomic data, and take advantage of the supercomputer, which has access to sources such as medical research journals and textbooks.
  • Call me Hal 2.0. Amazon just released Echo, a machine that can answer questions, play music, create and update shopping lists, tell jokes -- and, arguably, become just like "part of the family," according to Amazon's promotional video.

State Street's Chris Perretta says CIOs need to be willing to disrupt the business in order to protect it. Have you ever had to shut down a business process in order to protect the company?

Yes, I have shut down business processes when it became apparent they were no longer valuable. This isn't always an easy step - there's a natural reluctance to do anything that feels like failure - but our company is more important than my personal feelings.

However, businesses should try to minimize the occurrence of this - ideally by not creating processes that need to be shut down in the first place. Planning ahead makes life so much easier.

They may have been trying to test the security at the USPS. If they can breach a site that most would not think of, then they may assume that another agency may be using the same security and make that easier to hack. Then move on to the next government agency and see if it's using the same security. Companies tend to use the same across all divisions and locations. If you can get into one you can get into them all.