The U.S. should brace itself for more attacks like one on the U.S. Office of Personnel Management, in which millions of sensitive government records were stolen, the director of the National Security Agency warned on Wednesday.
The U.S. government last week said that two cyberattacks on the agency compromised more than 21 million Social Security numbers, 1.1 million fingerprint records, and 19.7 million forms with data that could include a person’s mental-health history.
“I don’t expect this to be a one-off,” said Navy Adm. Mike Rogers, who heads the NSA and the U.S. military’s Cyber Command.
The incident is causing the government to review cybersecurity policies, he added. “As we are working through the aftermath of OPM,” Adm. Rogers said one of the questions is “what is the right vision for the way forward in how we are going to deal with things like this.”
Cyber Command, though responsible for protecting Defense Department networks, wasn’t charged with defending the Office of Personnel Management’s system, he added.
Director of National Intelligence James Clapper last month said China is suspected to be behind the hack.
Adm. Rogers likened the hacking of U.S. government records to last year’s attack on Sony Pictures Entertainment, which revealed sensitive company information. He said such events required governments and companies to step back and review procedures.
Adm. Rogers was speaking at the London Stock Exchange as part of an outreach effort to the financial sector to raise awareness of cybersecurity threats.
“We are in a world now where, despite your best efforts, you must prepare and assume that you will be penetrated,” he told the group. “It is not about if you will be penetrated, but when,” he said.
David Omand, the former head of the U.K. Government Communications Headquarters, said at the event that the average cost of a breach on U.S. companies is around $20 million. U.K. figures suggest a lower cost, though he said those may be too conservative.
Adm. Rogers said companies and the government needed to work together to protect networks. “Cyber to me is the ultimate partnership. There is no single entity out there that is going to say: ‘don’t worry, I’ve got this.’”