The Alarming Trend of Cybersecurity Breaches and Failures in the U.S. Government Continues

Paul Rosenzweig
November 13, 2012

This summer, the Cybersecurity Act of 2012 (CSA) failed to pass the Senate, with Democrats and Republicans alike voting against the bill. The overriding concern was that the regulatory approach of the bill would be ineffective at best and harmful at worst.

Following the failure of the CSA, the Obama Administration began drafting a cybersecurity executive order that is based on regulations, similar to the CSA. While the CSA and the executive order see government-designed standards and regulations as the way to encourage cybersecurity, the performance of the federal government in securing its own computer systems calls such an approach into question.

Many government agencies are known to have flawed cybersecurity practices, yet despite the best efforts of those creating the standards for these agencies, these organizations often remain vulnerable. Instead of relying on a static, top-down government approach to cybersecurity, the U.S. should have a dynamic solution that leverages the strengths of both the government and the private sector.

What follows is a list of federal government cybersecurity breaches and failures since May 2012. The compilation of this list (or any list, for that matter) necessarily requires judgment in determining whether an incident qualifies for the list. This list is by no means complete: Some hacks might not be reported, and others have not even been realized yet. Additionally, the list does not include the large number of private-sector failures. Nevertheless, the seriousness and number of U.S. government cybersecurity failures undercut the argument for a government-led regulatory approach to cybersecurity. The list is alphabetical by agency.