Owl Cybersecurity, the company with “the world’s largest commercially available database of DARKINT,” recently published the results of a study on government’s exposure on the darknet. In 90 days, the cybersecurity firm found stolen data from almost 60 government agencies. To the surprise of many, United States defense agencies fared worse than most non-defense agencies. The study showed that the government entity worth the most stolen data on the darknet was the U.S Navy, which scored worse than some of the the worst companies in the private sector.
According to Owl Cybersecurity, relevant data came from “Tor and other interconnected sources including IRC, I2P, ZeroNet, other hacker forums, […] FTP servers, select paste sites, high-risk surface internet sites and more.” From this collection of data sources, the cybersecurity firm pulled stolen credentials, documents, or similar data from 59 agencies. The agencies fit into one of five sectors: defense, cabinet, law enforcement, independent, and branch. Additionally, the company applied their darknet index score. The index score is a number calculated with proprietary “hackishess” algorithms. (This appears to be a system for ranking the appeal of a target to hackers.)
The top 10:
- United States Navy | 16.59
- United States Army | 16.02
- Department of Defense | 15.12
- Department of Justice | 15.09
- Department of Homeland Security | 14.93
- United States Marine Corps | 14.47
- National Aeronautics and Space Administration | 13.60
- Internal Revenue Service | 13.31
- Department of Veterans Affairs | 13.09
- Department of State | 12.66
The top 10 government agencies had a higher average index score than the top 10 in the “Fortune 500 Darknet Index.” However, the highest number on the Fortune 500 list topped that of the US Government Darknet Index. Amazon ranked number one on the Fortune 500 Index with a darknet index score of 19.16 In the government ranking, the Navy took the top spot with a score of 16.59.
“It wasn’t a surprise that [stolen government data] was out there,” Andrew Lewman, the firm’s vice president said. “But what was surprising was the volume of data out there. It was also surprising that defense agencies had the highest amount.” He added that “they’re very good at protecting our shores but they’re not so great about protecting their credentials.”
The average “DARKINT” score of the government agencies was 8.3. Given the amount of money spent in cybersecurity, the company wrote, this was a discouraging result. The average Fortune 500 score was 8.3 and the average score from another industry study—that of German companies—was 5.4 “[We cannot rule out possibilities that commercial companies spend more on information security tools and practices and better train their employees regarding information security or other factors, we suspect that the old adage about government competency sadly holds true,” Owl Cybersecurity noted.
Before making the study available to the public, the government was given the opportunity to examine it. Some agencies expressed interest in learning more.