The Cyber Attack on the Ukrainian Electrical Infrastructure: Another Warning

By Gabi Siboni and Zvi Magen –

Gabi SiboniZvi Magen

On December 23, 2015, malfunctions were reported in portions of the electrical network in western Ukraine, after the operations of 27 distribution stations and three power plants were disrupted, causing the electricity supply system to crash. This was not a routine power outage: the Ukrainian authorities believe that a cyber attack originating in Russia caused the malfunction, and the Security Service of Ukraine has blamed Russia for the power outages. The conclusions of several security companies confirm the suspicion linking the attack to Sandworm, which according to the security company iSight is a Russian group affiliated with the Russian government. Hypotheses regarding a possible motive also support the suspicion that Russia is the party responsible for the attack, perhaps as part of the Russian campaign against cutting off the Crimean Peninsula, annexed by Russia, from electricity supplied by Ukraine. Cyberspace operations also enable Russia to continue denying its involvement in Ukraine, while at the same time persisting in efforts to attack it.

For some time, security experts have warned that critical services – for example, electricity and water supplies – can be attacked through cyberspace. The assumption is that such action requires sophisticated capabilities in cyber intelligence, technology, and operations, and possession of such capabilities is usually attributed to countries that have invested heavily in their development. Until now, even if in possession of such capabilities, most countries have shown restraint in using cyber tools to materially disrupt essential services and critical infrastructure in enemy countries. Events in Ukraine, however, question whether this assumption of restraint is still valid. On December 23, 2015, malfunctions were reported in portions of the electrical network in western Ukraine, after the operations of 27 distribution stations and three power plants were disrupted, causing the electricity supply system to crash. Many homes were cut off from the network. This was not a routine power outage: the Ukrainian authorities believe that a cyber attack originating in Russia caused the malfunction, and the Security Service of Ukraine (SBU) has blamed Russia specifically for the power outages.

Ukrainian Nationalists and a cheering crowd after the toppling of the statue of Communist leader Grigory Petrovsky, Dnipropetrovsk, January 29, 2016. Photo: Stanislas Vedmid / AFP

It is difficult to prove with certainty who was behind the attack, but presumably the relevant authorities in Ukraine, with the help of Western agencies, will ultimately uncover the attacker’s identify. The Ministry of Energy in Kiev has appointed a committee to investigate the affair. Thus far assessments concerning the party responsible for the attack are based on forensic examinations carried out on the damaged computers, which indicates that components in them were previously used by Russian groups. Furthermore, not surprisingly the technological capabilities point to a Russian element.

The conclusions of several security companies confirm the suspicion linking the attack to Sandworm, which according to the security company iSight is a Russian group affiliated with the Russian government. iSight has monitored Sandworm for over a year, and discovered that the group has collected information from the computers of Ukrainian administration officials, and from agencies in the European Union and NATO. Other security experts reported that the group was also focusing on attacking industrial control systems. According to the security company ESET, located in Bratislava, the attackers used backdoor software that makes it possible to conduct operations on the target computers through a remote control server. In the Ukrainian case, use was made of a BlackEnergy component – a Trojan horse used as early as 2014 – to spy on Ukrainian administration computers and plant a malware program called KillDisk on power station computers in western Ukraine.

Hypotheses regarding a possible motive also support the suspicion that Russia is the party responsible for the attack, perhaps as part of the Russian campaign against cutting off the Crimean Peninsula, annexed by Russia, from electricity supplied by Ukraine. In addition, there is a great deal of information about the presence of advanced cyber warfare capabilities possessed by Russia and affiliated organizations, with Russia taking the lead in developing a combat doctrine that encompasses both kinetic and cybernetic activity. In the case of Ukraine, cyberspace operations enable Russia to continue denying its involvement in its neighbor, while at the same time persisting in efforts to attack it.

Effective wielding of the cyber weapon against sensitive targets in another country, in this case Ukraine, is likely to have far reaching consequences, not only for the future course of the particular conflict, but also for conflicts between other countries, or between countries and non-state organizations able to procure both offensive and defensive cyber capabilities. To be sure, similar cases of cyber attacks were recorded in the past. One of the best known examples of attack against infrastructure facilities that caused actual physical damage was the attack on Iranian nuclear installations with the Stuxnet software – alleged by some to have been carried out by Israel and the United States. Attacks in the Baltic states designed to prevent service were attributed to Russia. Nevertheless, the cyber attack in western Ukraine clearly reflects the use of this weapon against critical civilian infrastructure on a larger scale. This event, a precedent tantamount to crossing the Rubicon, is liable to serve as a model for imitation by other countries and perhaps organizations as well, while eroding the barriers of restraint that previously existed. In other words, it appears that the Ukraine incident is a sign that an especially important threshold has been crossed. Espionage, the theft of commercial information, financial crime, and denial of services are tolerable; although bothersome, they do not materially and directly harm the substance of daily life. An attack against the electrical infrastructure, however, can damage critical infrastructure and jeopardize human life. It therefore constitutes a quantum leap in the will to cause damage, in this case by a state.

Like other countries threatened in cyberspace, Ukraine will have to consider how to improve its defensive capabilities against similar events in the future. Israel can provide an example here. Over the past decade, Israel has been able to develop advanced defensive capabilities for its critical infrastructure. Its defensive envelope includes gathering and analyzing intelligence and distributing it to the relevant agencies, as well as monitoring by the Israel Security Agency. This has created an environment of ongoing improvement and enhancement in defensive capabilities. Still, the proliferation of cyber capabilities, which has accelerated in recent years, enables new-old players – terrorist organizations and criminal elements – to acquire capabilities previously considered the exclusive province of nations. Concern is therefore growing that these non-state actors, which lack restraint mechanisms and state-like considerations, will attempt to imitate the model demonstrated in the attack on the electricity infrastructure in Ukraine.

Disruption of the supply of electricity is no trivial matter. It is enough to recall the events in Israel in late 2015 resulting from natural causes, and not a cyber attack: harsh winter weather caused serious disruptions over widespread areas lasting for many days. Israel is especially vulnerable in this aspect, due to the concentrated topology of its electricity grid. It is therefore necessary to continue monitoring related developments in Israel’s strategic environment and throughout the world to assess whether there is a growing trend of cyber attacks able – despite sophisticated defensive measures – to inflict serious damage, and to prepare accordingly.

EDITORS NOTE: This column originally appeared on The Institute for National Security Studies website.

National Security Agency: Spying on American Jews, Israel and the U.S. Congress

Shoshana Bryen is Senior Director at the Washington, D.C. based Jewish Policy Center.  She has been a frequent guest on The Lisa Benson Show regarding US-Israel relations, the Obama Administration and national security.  On the first program of the New Year, January 3, 2016, she appeared  to address allegations raised by a Wall Street Journal article about NSA spying on Israeli Prime Minister Netanyahu and by happenstance, Members of Congress and American Jewish leaders, “US Spy Net  on Israel Snares Congress. “  She also responded to an NER Iconoclast post on whether the Israel Defense Force was prepared to meet the threat of ISIS affiliates on both the Syrian frontier and the Egyptian Sinai. She also spoke of an emerging relationship with Putin’s Russia allowing Israeli freedom to attack Hezbollah targets in Syria.

Listen to the segment with Bryen on the Benson show Podcast of January 3, 2016 starting at the 20 minute mark:

As is our practice in producing the weekly Benson Show, we send our guests a set of suggested questions requesting they select a limited number to respond in what a fast is paced packed 44 minutes.  Bryen prepared written responses to the original of set of questions. Below are her astute and illuminating responses.

What is real story behind the Wall Street Journal report alleging NSA spying on Israeli PM Netanyahu, Congressional members and American Jewish Leaders?

Bryen:  The administration was spying on Congress; maybe still is.  The White House tried to put a layer of protection between itself and illegal NSA activity by saying “do what you want.” If there was a problem or a lawsuit over this, the White House position wouldn’t hold up. NSA was spying on Israel and vice versa – nothing new.

The real targets were Congress and American Jews. I don’t see that Congress knew about this specific spying. Surely no one up there is naive and they know they are listened to. This is important for the next points. That makes the idea that they would get on the phone with Israeli Ambassador to US Ron Dermer and allow him to bribe them over the wire totally ridiculous. Whatever NSA got, they did not get it from tapping Dermer’s phone. They probably also did not get it from tapping Congressional phones because Congress assumes it is tapped and no one was discussing bribery.  What could you bribe a Congressman with to get his/her vote on this?

There was no collusion between Ron Dermer and the American Jewish community. I was part of the machinations opposing the nuclear deal with Iran, although the Jewish Policy Center does not lobby; we are only in the information business. “The Jews” knew their talking points and didn’t need Dermer for anything. If they talked to him, that is one thing.  However, needing him for “talking points,” again, that is ridiculous. If there are intercepts of American Jews talking to Congressional members it would have to come from bugging Congress. Lee Smith, of The Weekly Standard makes the point that if there was bribery or attempted bribery involved, there would already be criminal cases. There are none, of course. So, where does that leave us?

NSA spying is only supposed to be done for issues of National Security. One can make the argument that if the US government thought Israel was going to bomb Iran, it would rise to that level. However by 2013, the US was positive Israel was not going to do that. What comes after is political.

Are the enemies of the White House are Congress and the Jews? Congress because Obama knew it opposed the deal. That is why the talks needed to be secret. Also, the talks leading to the talks needed to be secret. They were worried that Israel would spill the beans. Israel didn’t.

There were several incidents in which the Administration let people know what the problems were.  Lee Smith points in his article to a Jon Stewart interview with the President. There is also The New York Times (NYT) editorial that accused Jews of being more loyal to a foreign government than to the US. Senators Schumer and Menendez were damned as “beholden to donors” – code word for Jews.

Obama told Stewart: “If people are engaged, eventually the political system responds. Despite the money, despite the lobbyists, it still responds.” Stewart said, “What do you mean by lobbyists?” The President didn’t answer, but after the signing of the JCPOA, he said Congress would evaluate this agreement fairly, “not based on lobbying, but based on what is in the national interests of the United States of America.”

The NYT reported on a Democratic Issues Conference in Baltimore where the President said he understood the pressures that senators face from “donors and others.” However, according to the NYT, Obama urged the lawmakers to “take the long view rather than make a move for short-term political gain,” meaning money and Jewish support. Menendez was offended.

Smith actually thinks there was no specific bugging going on, but just an attempt to intimidate Congress and the Jews. I disagree.  They think they are above the law on these things. And they may be, but it doesn’t appear to matter.

Why are media accusations unfounded that American Jewish leaders and U.S. Congressional friends of Israel take their cues from the Israeli Embassy?

Bryen:   Because those accusations presume American Jews NEED someone to tell them how they are supposed to feel about a political issue. On its face that is ant-Semitic. American Jews are a sophisticated community of Americans – although I have some disagreements with where they come out on some issues – they don’t need anyone, particularly a foreign government, to tell them what to think or what to do about issues.

Have these disclosures impacted on US- Israel intelligence cooperation and weapons deliveries to maintain Israel’s Qualitative Military Edge?

Bryen:  No, there is no present impact that I can discern. First, all intelligence agencies assume that they are being spied on by both friends and enemies. It’s nothing new. Second, the relationship works both ways – the American intelligence services rely on Israel for information in the region.

What options does Congress have to bar lifting sequestered funds of Iran now that the Administration announced delays in new sanctions in view of Iran’s violation of ballistic missile testing under UN Resolutions?

They’re talking about new sanctions laws in Congress after the holiday recess. Note that Sen. Chris Coons (D-DE) is the loudest voice on this. He voted FOR the JCPOA and he’s figured out that the deal was a disaster and Secretary Kerry’s “snapback sanctions” were a joke.

Congress can pass any law it wants – sanctions included. Iran’s public interpretation of the deal is that any new sanctions would violate the JCPOA and leave Iran free to withdraw from it – or actually, continue to violate it. The White House appears to be siding with Iran including on the secure visa procedure, which is absolutely an obligation of Congress. Iran remains on the State Sponsor of Terror list because of its support for Hezbollah and Hamas. If the White House does not want more sanctions, it will threaten a veto.  Then you will have the extraordinary spectacle of a U.S. government shielding the world’s top sponsor of terror from the United States Congress.

How prepared is the IDF to contend with threats from ISIS in both Syria and the Sinai?

Bryen:  Israel is in a continual state of readiness.  For years they have had to closely identify and track the threats. They are helped by the determination of Egypt in Sinai – with which the US government should be thrilled. It is the actual implementation of the Camp David Accords. The problem for the US in the Sinai is that we have the Multilateral Force and Observers there – MFO – primarily manned by Americans. It is a holdover from Camp David designed to ensure that the Egyptians don’t move military equipment into Sinai in quantities larger than Camp David permitted. Now it is a target for ISIS and affiliated Bedouin groups.

Israel is helped on the northern front by the fact that at the moment neither the Assad government nor Hezbollah wants to open another front and Russia would not permit it. The Israel-Russia relationship is fascinating.  It is mutually beneficial right now and has the seeds of longer-lasting cooperation.

As for ISIS, while in theory killing Jews would be fine, it doesn’t need a second front either. There is a growing threat of ISIS-inspired organizations on the Syrian border, where multiple local factions have pledged allegiance to ISIS leadership. The more immediate risk, however, is most likely related to ISIS’ possible impact on Israeli Arab youth, both within Israel and in Judea and Samaria.

Given the latest killings of Israelis in Tel Aviv by an Israel Arab, what can the Netanyahu government do to prevent such deadly attacks?

Bryen: We don’t’ have all the information, including whether or not it was actually terrorism. It didn’t have the usual “fingerprints.”  The perpetrator was an Israeli Arab citizen who had served five years for a previous attack on an IDF solider. He used a firearm deliberately hitting two people, not spraying the restaurant for maximum casualties. The attack was in the heart of Tel Aviv and he fled the scene.  Israeli Police hedged on whether it was simply a criminal act. If it was a terrorist, it appears to be of the “lone wolf” variety, which means Israel has the same problem the U.S. does.

EDITORS NOTE: This column originally appeared in the New English Review.

CYBER SECURITY ALERT: Smartphone App allows access by cyber-criminals

Bret Baier from Fox News in an interview with Gary Miliefsky, CEO of SnoopWallreports that information about a popular smartphone application exposes your personal information to cyber criminals.

Read the full SnoopWall Flashlight Apps Threat Assessment Report here.

Americans Want More Protections For Emails and Online Communications

WASHINGTON, D.C. /PRNewswire-USNewswire/ — The Digital 4th coalition unveiled new poll results showing broad and diverse support for stronger email privacy protections – both nationally and in early primary states. According to a survey by Vox Populi Polling, 86% of voters nationwide support an update to the Electronic Communications Privacy Act (ECPA), the 29-year-old law setting standards for government access to emails and online communications. In Iowa, 81% of Democratic voters and 74% of Republican voters are behind ECPA reform. The numbers were similar in New Hampshire, with 84% of Democrat voters and 75% of Republicans in support.

Moreover, 77% of voters across the country believe the government should be required to get a warrant from a judge before obtaining access to emails, photos and documents stored online.

“ECPA reform is overwhelmingly bipartisan and overwhelmingly supported by Americans across the country. There is tremendous momentum with more than 300 members of Congress co-sponsoring legislation requiring a warrant for emails and online communications. The legislation would simply extend Constitutional protections online,” said Gabe Rottman, Legislative Counsel and Policy Advisor at the American Civil Liberties Union (ACLU) and a member of the Digital 4th coalition.

“What’s particularly illuminating is that more than three out of every four voters believe that the government needs to get a warrant before accessing emails and other online communications. Federal agencies like the Securities & Exchange Commission (SEC) have been advocating to circumvent the warrant requirement. It’s clear that Americans see this as nothing more than a power grab. We hope Congress stands up to federal agencies and preserves our constitutional rights online,” said Katie McAuliffe, Federal Affairs Manager at Americans Tax Reform (ATR) and member of the Digital 4th coalition.

“Support for strengthening online privacy spans across all ages, races and political affiliations. This level of support is typically unheard of in politics today. It is clear from our results that Americans want online privacy laws to be updated,” said Michael Meyers of Vox Populi Polling.

Other notable numbers from the poll include:

  • 84% of voters feel that privacy is important (63% extremely or very important) when it comes to the government accessing their online information. Only 16% of voters feel that it is not very important or not important at all.
  • 77% of voters reported that a warrant should be required to access these online communications. 78% of Democrats and 76% of Republicans supported the requirement of a warrant.
  • ECPA reform does have an effect on presidential candidate choice for a majority of American voters. 53%of all likely general election voters stated that they would be more inclined to vote for a candidate who supported strengthening online privacy through ECPA reform.

To read a memo on the full polling results, click here.

Kosovo Muslim arrested for hacking U.S. Military files for the Islamic State

“A statement from the U.S. Department of Justice said Mr Ferizi, known by his moniker ‘Th3Dir3ctorY’, hacked into a U.S. company’s systems in order to take the personal details of 1,351 U.S. military and government staff.” The repercussions of that theft could be felt for quite some time.

“Malaysia arrests Kosovo man for ‘hacking US files for IS,’” BBC, October 16, 2015 (thanks to Lookmann):

A Kosovan man has been arrested in Malaysia for allegedly hacking into a computer database and providing information on US security officials to the so-called Islamic State group.

The man, who is in his 20s, was detained on 15 September, Malaysian police said in a statement on Thursday.

Separately, the US identified him as Ardit Ferizi, thought to head a hacker group called Kosova Hacker’s Security (KHS).

Mr Ferizi will be extradited to the US.

A statement from the US Department of Justice said Mr Ferizi, known by his moniker “Th3Dir3ctorY”, hacked into a US company’s systems in order to take the personal details of 1,351 US military and government staff.

He will be charged with computer hacking and identity theft, and faces up to 35 years in jail, the statement added….

Between June and August this year, Mr Ferizi is alleged to have passed the data on to IS member Junaid Hussain, also known as Abu Hussain al-Britani, who later posted the details online along with a threat to target the officials….

Malaysia has arrested more than 100 people this year, suspected of links to IS, including ten people in August – six of them members of Malaysia’s security forces.

What? 100 people in modern, moderate Malaysia misunderstood Islam so drastically as to adhere to the Islamic State?

RELATED ARTICLES:

“Palestinian” Muslim rioters set Joseph’s Tomb on fire

51% of U.S. Muslims want Sharia; 60% of young Muslims more loyal to Islam than to U.S.

Hackers Reveil How Volkswagen Secretly Cheated Emissions Tests by Gary McGath

Cars are part of the “Internet of Things.” They run not just on gas, which you’re free to analyze, but on computer code, which you aren’t. If this sounds worrisome, it is. Internal computers can greatly improve a car’s performance and safety, but they can have problems that show no symptoms under normal circumstances.

A couple of hackers, with a knowing volunteer at the wheel, took remote control of a Jeep Cherokee over the Internet and could have wrecked it at high speed if they hadn’t stopped when asked to. More recently, Volkswagen was caught rigging its emissions-control software to cheat during EPA testing, letting them publish false information about millions of cars.

Car computers are formally called “electronic control units” (ECUs). One car may have over a hundred of them, running millions of lines of code, networked together. Figuring out what they do takes determination; it’s necessary to pull out their memory chips, read them, and work backwards from machine code to the design logic.

But the biggest barrier may not be technical but legal; copyright laws make it illegal to do this kind of reverse engineering, and the EPA itself has helped automakers to keep their emissions-testing code secret.

The Digital Millennium Copyright Act puts restrictions on extracting copyrighted information from computers, even for legitimate diagnostic purposes. Car makers like this; it puts serious limits on independently created diagnostic tools and gives the advantage to shops that pay for licenses.

The EPA has formally opposed a DMCA exception for car systems, arguing that it would let people modify the code to circumvent limitations on emissions. It said that “the majority of modifications to engine software are being performed to increase power and/or boost fuel economy.” That’s just what Volkswagen did, and it was harder to catch them precisely because of those prohibitions.

The Alliance of Auto Manufacturers, which includes Volkswagen, has taken the same stand. Ironically, their statement declares:

Many of the ECUs embodied in today’s motor vehicles are carefully calibrated to satisfy federal or state regulatory requirements with respect to emissions control, fuel economy, or vehicle safety.

Allowing vehicle owners to add and remove programs at whim is highly likely to take vehicles out of compliance with these requirements, rendering the operation or re-sale of the vehicle legally problematic.

John Deere explicitly opposes a free market in car software:

In contrast to the seemingly benign stated purpose of the proposed exemption, the practical effect of circumventing the TPMs [Technical Protection Measures] at issue will stifle creativity and innovation for vehicle software. Third-party software developers, pirates, and competing vehicle manufacturers will be encouraged to free-ride off the creativity and significant investment in research and development of innovative and leading vehicle manufacturers, suppliers, and authors of vehicle software.

The way to promote creativity and innovation is, apparently, to make it illegal for anyone but themselves.

ECUs can be subject to external attacks as well as internal cheatware. Some devices are connected to the Internet for purposes like traffic alerts and entertainment. If they’re part of the car’s internal network, attackers might be able to subvert the whole car, as the Cherokee hackers did. Good design requires firewalls against such attacks, but developers struggling with requirements and hardware limits may neglect security. With no other eyes on their code, it’s easy to be sloppy.

People have tinkered with cars ever since they were first made. They swap in their own parts, making their cars faster, powerful, and sometimes a lot more annoying. This tradition has helped people to learn how the original parts work and catch problems with them. Spotting flaws and cheats in computer code isn’t as easy as catching bad brakes, but it’s easier when the only barriers are technical. When the government and car manufacturers combine to keep the software secret, the rest of us are stuck in the breakdown lane.

Gary McGath

Gary McGath is a freelance software engineer living in Nashua, New Hampshire.

How the Government Makes Data Hacks a Thousand Times Worse by David M. Brown

In May of 2015, the federal government suffered a massive data breach, a hack that exposed the names and Social Security Numbers of over 21 million people.

In a press release, the Office of Personal Management reported that as a result of its “aggressive effort to upgrade the agency’s cybersecurity posture,” the agency discovered the massive theft of background records, reportedly originating in China, including

identification details such as Social Security Numbers residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.

Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.

This was a new breach — not the same looting of 4.2 million of records that the agency discovered in April of this year.

The news didn’t stop OPM Director Katherine Archuleta, appointed to the post in 2013, from congratulating herself for the agency’s great strides in security. It was her “comprehensive IT strategic plan” that led to the knowledge that these incidents had happened.

Sounds like congratulations are in order. But now it’s September, Archuleta is long gone (she lasted about one day after praising herself for noticing the theft), and the latest news is that the fingerprints of 5.6 million people were also grabbed in the mega-hacking of OPM’s “cybersecurity posture.”

OPM assures us that “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” As of right now… this second… as we hit the press… you probably have nothing to worry about if your fingerprints got stolen from OPM’s data banks. Hurrah.

Even Archuleta would probably concede that discovering a robbery is not quite as good as preventing it. Let’s even go so far as to say that she is less to blame for having failed to fix how her agency functions than is the nature of bureaucracy itself.

Of course, governmental organizations are not the only organizations vulnerable to being cyber-attacked in consequence of lax security. Other victims in recent years have included Target, Chase, and Sony.

But it’s the decades-old privacy-invading policies of the federal government that have routinely converted all such breaches of personal data into potentially limitless disasters for the victims.

The federal government which, decades ago, assured us on the cards stamped with our Social Security Numbers that these digits were “not to be used for purposes of identification” is the same government that now mandates the SSN’s ubiquitous deployment to monitor and tax us.

Today, the Social Security Number is like the number to a combination lock: perhaps not enough by itself to enable a bad guy to rob the safe, but a big, big help. Once your SSN-tagged info is out there in badland, your stolen data can be sold and re-sold and re-re-sold. And your cyber-housed, SSN-tagged stuff can be targeted again and again.

Yet it has become harder and harder to refrain from giving others that number. You can join a club without divulging your SSN. You can open an email account or buy a book, a hamburger, a refrigerator, or a gift card without reporting your SSN. But you cannot put ten dollars in the bank, nor open an investment account, nor apply for a credit card or a job without reporting it. Most often, you cannot rent an apartment or buy a house without reporting it.

Absent unusual efforts to protect your financial and personal privacy (of the kind outlined in J.J. Luna’s book How to Be Invisible), the most you can do by way of preventing cyber-assaults is to take such precautions as using different and non-obvious passwords for different cyber-accounts, and withholding your address, data of birth, and SSN from persons who may ardently request these data but will still do business with you if you refuse.

If your data has been grabbed, you can also — if and when you learn of the theft — arrange to monitor your credit and to block routine access to your credit reports, and perhaps take a few other barn-door-slamming measures. But you cannot, short of engaging in fraud, supply anything other than your actual Social Security Number when a government agency requires that it be supplied.

Our most personal information hasn’t always been thus exposed. Today we are so used to privacy-violating mandates like the Social Security Number tag that we take the necessity of such poisonous violations for granted. But poison does not become nutritious merely because it has become, for now, unavoidable.

David M. Brown

Dead Islamic State hacker linked to Garland, TX jihad attack

This is the kind of person that the U.S. intelligentsia was applauding and abetting when it condemned us for standing up for the freedom of speech in Garland.

“U.S. confirms Islamic State computer expert killed in air strike,” Reuters, August 29, 2015:

The U.S. military confirmed on Friday that a British hacker who was one of the Islamic State movement’s top computer experts and active in encouraging people abroad to carry out “lone wolf” attacks was killed in Syria by a U.S. air strike.

Junaid Hussain of Birmingham, England, was killed on Aug. 24 by a U.S. military air strike on the Islamic State stronghold of Raqqah, said Air Force Colonel Pat Ryder, a spokesman for U.S. Central Command.

Hussain had been involved in “actively recruiting ISIL sympathizers in the west to carry out ‘lone wolf’ style attacks,” Ryder said, using an acronym for the militant group that has seized large parts of Syria and Iraq.

Hussain was responsible for releasing personal information of around 1,300 U.S. military and government employees in recent weeks, and “sought to encourage” attacks against them, U.S. officials said.

One official, speaking on condition of anonymity, said Hussain had also been linked to the release of the names, addresses and photos of 100 U.S. service members on an Islamic State website in March.

Another official said that Washington had evidence that Hussain was in contact with two men who were shot dead when they tried to attack a “Draw Mohammed” cartoon contest in Garland, Texas in early May.

Islamic State claimed in a radio message after the shooting that the two men were “brothers” connected to the group….

RELATED ARTICLE: Former UK defense chief: Cameron lacked “balls” to head off rise of Islamic State

Garland, TX: Islamic State Jihadi ‘radicalized’ by UK Muslim ‘computer geek’

He hacked the Pentagon. He apparently incited one of the Muslims who attacked our free speech event in Garland, Texas to do so. This is one piously lethal individual. One thing he would almost certainly deny being, however, is “British” — contrary to the witless Mailonline headline. His citizenship with the umma and only with the umma.

“British computer geek, 21, who hacked the Pentagon after fleeing to Syria is No3 on the ‘kill list’ of ISIS militants drawn up by US forces – just after Jihadi John and group leader al-Baghdadi,” by Imogen Calderwood, Mailonline, August 2, 2015:

A young computer hacker from Birmingham has been named as Number Three on the Pentagon’s ‘kill list’ of key ISIS operatives.

Junaid Hussain, 21, fled to Syria in July 2013 and is now believed to be leading the ‘Cyber Caliphate’, ISIS’ own branch of hackers.

US officials said there is an ‘intense’ desire to assassinate Hussain, who operates under the alias Abu Hussain al-Britani and was jailed in 2012 for stealing personal information of Tony Blair.

Only Mohammed Emwazi, the hostage killer known as Jihadi John, and the group’s leader Abu Bakr al-Baghdadi are higher on the list, reported The Sunday Times.

After fleeing the UK, when he was on police bail for an alleged violent disorder offence, Hussain has risen rapidly through the ISIS ranks.

He married 45-year-old Sally Jones, a former punk rocker from Chatham, Kent, who converted to Islam and fled to Syria with her 10-year-old son.

Yet another convert somehow gets the idea that Islam requires treason and violence. Yet no authorities are in the least interested in studying this phenomenon.

Jones, who now uses the nomme de guerre Umm Hussain Al-Britani, is believed to have snuck into Syria at the end of last year after an online romance with Hussain.

She is suspected of leading the violent all-female ISIS contingent, known as the Khanssaa Brigade. The group imposes strict Sharia law in the de facto capital of the so-called Islamic State, Raqqa.

The couple, who have been dubbed Mr and Mr Terror, also reportedly used Twitter and the hashtag #LondonAttack in May to incite terror in Britain.

US officials believe he is behind the online radicalisation of at least one of the two gunmen who opened fire at a Prophet Mohammed cartoon competition in Garland, Texas, in May….

RELATED ARTICLE: Obama’s $500 million 50-man “moderate” army: half already dead, captured, out of action

How to Scam the Islamic State

Three Chechen women pretended to be jihadi brides through fake social media accounts, but kept the travel money ISIS sent them instead.

Three young Muslim women have scammed the Islamic State out of over $2,500. The Chechen women set up fake social media accounts and contacted the Islamic State, claiming to be aspirational jihadi brides, titillated by the prospect of moving to Syria.

They only required the funds for travel.

Once ISIS militants had wired them the money, the girls promptly deleted their accounts and pocketed the money.

Chechen police have now arrested them for the scam. Officer Valery Zolotaryov told Moskovsky Komsomolets “I don’t recall any precedent like this one in Chechnya, probably because nobody digs deep enough in that direction.”

He added “Anyhow, I don’t advise anyone to communicate with dangerous criminals, especially for grabbing quick money.”

For women who travel to Syria to become jihadi brides, their husbands hold complete power over them and they face the possibility of a life of sexual abuse.

For more information about the Islamic State, see Clarion Project’s Special Report: The Islamic State (ISIS: ISIL)

RELATED ARTICLES

Children at Increasing Risk of Islamist Radicalization in UK

Three ISIS Terror Trials This Week in America

ISIS: The Next Generation

Islamic State Receives $6.9 Billion in Money Transfers

Authoritarians Like Twitter, Too: Repressive Regimes Can and Do Use Social Media to Solidify Their Grip on Power by Kevin Munger

In May 2014, CNN aired footage of a Ukrainian helicopter being shot [down] by pro-Russian militants. Taken with a cell phone camera and posted on social media, the video showed compelling evidence of the scale and technological sophistication of the Ukrainian conflict.

The video was also fake — it was actually over a year old, and from Syria. CNN retracted the footage and apologized, but the “incident” was still widely discussed on Russian and Ukrainian social media.

In the wake of the Arab Spring, enthusiasm for the power of social media ran high. Nothing else had shown the same power to mobilize protestors living under repressive regimes. With information democratized, the logic ran, dissidents could outflank the centralized media control and propaganda machines so crucial to authoritarian states.

But this logic is flawed, as the faked helicopter video demonstrates. Although social media may have given tech-savvy dissidents a temporary advantage over repressive governments that were unable to keep up, Twitter and its regional analogues are now a fully mature technology.

Just like radio and television, repressive regimes can and do use social media to solidify their grips on power. As a result, the net effects of social media on the possibility of democratic revolution are at best ambiguous. They may actually be negative.

This point has been underappreciated in the enthusiasm for what social media seems to make possible. Our optimism leads us to overlook what is at stake for those in power — and their capacity to evolve new strategies using new tools. We want to believe in magic bullets, hoping that the right technological advancement will empower people to successfully rise up. But it’s at least as likely that the millions or billions of tweets sent by dissidents make them vulnerable, because they are extremely visible, while the strategic responses of government actors often go unnoticed. It’s an ironic inversion of Frédéric Bastiat’s “That Which Is Seen and That Which Is Not Seen.” Rather than people overvaluing government actions because their direct benefits mask the hidden cost borne by individual citizens, those citizens’ actions on social media allow government action to hide in their midst.

Some egregious and sophisticated uses of social media by repressive regimes have recently come to light. In a fascinating story in the New York Times Magazine, Adrian Chen explains the operations of a shady Russian “troll farm” that engages in large-scale, multiplatform acts of misinformation. At one point, they made up an explosion in a chemical plant in Louisiana, started a hashtag (#ColumbianChemicals), and relied on ordinary people to pass the story along, knowing they were unlikely to verify the details. This kind of operation, carried out on “foreign soil,” shows how seriously this Russian agency takes social media. The chemical plant explosion may simply have been an experiment, a proof of concept for what such attacks might accomplish in the future.

Their bread-and-butter social-media strategy is to pay people to pose online as regime supporters. People have acted as “sock puppets” — adopting fake personas on the Internet — since computer networks were first connected, but never at this scale, or with this degree of coordination.

Chen discusses this widespread practice in the Russian context. The existence of Chinese “50 centers” (bloggers and Weibo users paid 50 cents per pro-government post) has been known for nearly a decade. The presence of these people in online communities, voicing pro-regime sentiment, may have a profound dampening effect on protest movements.

Political scientists model the process of protest and revolution as a “coordination problem.” There are two parts to the problem: individual knowledge and common knowledge.

It makes no sense to act alone. Even if I’m completely convinced that the government is evil and needs to be overthrown, it still doesn’t make sense for me to go into the street by myself — I’ll just end up in prison, and the government will be stronger than ever.

But the main force of pro-regime sock puppetry need not be to persuade dissidents that they are wrong. All that is necessary is to confuse dissidents about what other people think. If dissidents think they are isolated, and that most other people support the regime — or even if they are merely uncertain about other peoples’ feelings — they will remain compliant. They have no way of getting accurate information about public opinion. Dissidents likely know that the people they talk to regularly are not a representative sample, and polls are either manipulated or suppressed. A horde of “50 centers” may be enough to cloak widespread resentment in a cloud of regime-supported “approval.”

And, as Duke University economics and political science professor Timur Kuran and others have argued, it’s not even enough to solve the individual knowledge problem; dissidents also must solve the common-knowledge problem. It’s not even enough for me to be convinced that everyone hates the government; unless everyone (or some threshold percentage of people) knows that everyone knows that everyone hates the government, a revolution cannot be successful.

That’s why these sock puppets and “trolls for hire” can be so powerful: they make it a lot harder to get a clear impression of what everyone else thinks, and thus whether a revolution will be successful. Because shared knowledge is so crucial to a revolution, uncertainty can be a killer.

The competition between dissidents and regimes to take advantage of new technology is constantly evolving, and no one can know what the next equilibrium will be. Hopefully, one effect of greater public awareness of repressive regimes’ online strategies will be an increased skepticism of unsubstantiated claims on social media — and an increased demand for depth in how we understand the world.


Kevin Munger

Kevin Munger is a third-year PhD student in the department of politics at New York University.

The Spy in Your Pocket by Joseph S. Diedrich and Nicole Kardell

Does the government need a search warrant to know where you’ve been? Not if your cell phone provider knows. If you don’t like how that sounds, there may be ways to change it.

Take the case of Quartavious Davis, a Florida man convicted of robbing at gunpoint a pizzeria, a gas station, a drugstore, an auto parts store, a beauty salon, a fast food restaurant, and a jewelry store. The prosecution offered multiple lines of evidence, but there was one in particular that Davis’s lawyers objected to: records the government obtained from Davis’s cell phone provider, MetroPCS.

The records, which MetroPCS kept in its normal course of business, showed “the telephone numbers for each of Davis’s calls and the number of the cell tower that connected each call.” From this information, police concluded that “calls to and from Davis’s cell phone were connected through cell tower locations that were near the robbery locations, and thus Davis necessarily was near the robberies too.”

Prosecutors got their hands on the MetroPCS cell tower records using a court-ordered subpoena. In criminal cases like Davis’s, courts may grant subpoenas on “specific and articulable facts showing that there are reasonable grounds to believe” that the records sought “are relevant and material to an ongoing criminal investigation.” Although this standard is higher than that for typical subpoenas, it’s lower than the Fourth Amendment’s probable cause standard.

Not Even a Search

On appeal, Davis argued that the cell tower records were obtained in violation of the Fourth Amendment’s prohibition on unreasonable searches and seizures. But the 11th Circuit — the federal appeals court encompassing Alabama, Georgia, and Florida — disagreed (United States v. Davis).

In fact, the government’s actions weren’t even a “search,” according to the court. In legal terms, a search occurs only when police invade a person’s reasonable expectation of privacy. For example, you have a reasonable expectation of privacy in the content of your phone conversations — what is actually said during your call — so eavesdropping on the conversation would constitute a search.

In Davis’s case, though, the police didn’t eavesdrop on his conversations. Nor did they use GPS to track his precise movements while he was making them. Because they merely obtained business records from a third party, the court says that the police didn’t invade Davis’s privacy:

Davis has no subjective or objective reasonable expectation of privacy in MetroPCS’s business records showing the cell tower locations that wirelessly connected his calls at or near the time of six of the seven robberies.… Instead, those cell tower records were created by MetroPCS, stored on its own premises, and subject to its control. Cell tower location records do not contain private communications of the subscriber. This type of non-content evidence, lawfully created by a third-party telephone company for legitimate business purposes does not belong to Davis, even if it concerns him.

Because there wasn’t a “search,” the Fourth Amendment didn’t even apply.

Outdated Doctrine Meets Modern Society

Despite the court’s logic, something about this case still makes many observers feel uneasy. Even AT&T filed a brief in the case, arguing that the government’s actions were illegal. We all turn over huge amounts of information to third parties every day, and almost all of our activities can be tracked through our “smart” devices. And as the amount of data that businesses collect on us grows, so do concerns over the government’s ability to access that data.

So when the 11th Circuit focused its decision in Davis on something called the third-party doctrine, there was reason for a little gasp. The third-party doctrine was developed by the Supreme Court in the 1970s to draw a line between a person’s “reasonable” expectation of privacy and the information that person voluntarily shares with third parties. Back then, the Supreme Court held that a person has no reasonable expectation of privacy over his or her bank records, because that information was voluntarily provided to the bank. Nor can you have a reasonable expectation of privacy over the phone numbers you dial, because you furnish those numbers to the phone company in order to place calls. And so the government may subpoena these records from the business collecting them without meeting heightened standards under the Fourth Amendment.

The Davis court discussed these cases to support the premise that when people turn over their data to third parties by virtue of using those parties’ services, that information falls outside Fourth Amendment protection. A breathtakingly low point can be found in one of the judges’ concurring opinions:

If a telephone caller does not want to reveal dialed numbers to the telephone company, he has another option: don’t place a call. If a cell phone user does not want to reveal his location to a cellular carrier, he also has another option: turn off the cell phone.

In other words, if you want your information protected by heightened privacy standards, go off the grid.

Today, that position is practically untenable. And this is what makes the 11th Circuit’s opinion troubling: it allows the government easy access to your data by virtue of your participation in modern society. The court’s holding helps grease the slippery slope that takes us away from historically reasonable expectations of privacy.

The court attempted to soften the blow by categorizing the subject information as noncontent data. In other words, the data in the Davis case was less private because it was not the actual substance of phone calls, texts, or other communications. Instead, it was the nonsubstantive cell-tower data that allowed the government to track where Davis was when he made or received calls. But we all know that a precise record of our movements reveals a lot about us, as the dissenting judge in the Davis case pointed out:

A person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.

Toward Privacy

There is still a chance that the Supreme Court will reverse the 11th Circuit’s holding. Even if it doesn’t, other options exist. As mentioned in the Davisdecision, Congress can still legislate greater privacy protections.

The market provides another option. Although a court order forced MetroPCS to provide its records, “federal law did not require that MetroPCS either create or retain these business records.” As technology changes, and as we all become more attuned to privacy issues, we will look to the market for options. When this happens, cell phone providers will benefit from offering an “enhanced privacy” version of their services. Some customers will prefer that their data not be collected at all — or that it be anonymized. Providers could charge a higher price for anonymous services, or customers could forego certain personalized services.

By providing customized levels of privacy, the market can create de facto immunity from third-party “searches.”


Nicole Kardell

Nicole Kardell is an attorney with Ifrah Law, a Washington, DC-based law firm. She represents clients in government enforcement actions and other regulatory compliance matters before federal and state agencies.


Joseph S. Diedrich

Joseph S. Diedrich is a Young Voices Advocate and a law student at the University of Wisconsin.

Will Your Child become a Robot’s Pet? Apple’s Co-founder Thinks So…

I have written about how technology can be used for both good and evil. Technology has become ubiquitous, it is everywhere. Our children and grandchildren are becoming more addicted to technology, as they do so the evil side may rear its ugly head.

The Guardian reports:

Apple’s early-adopting, outspoken co-founder Steve Wozniak thinks humans will be fine if robots take over the world because we’ll just become their pets.

After previously stating that a robotic future powered by artificial intelligence (AI) would be “scary and very bad for people” and that robots would “get rid of the slow humans”, Wozniak has staged a U-turn and says he now thinks robots taking over would be good for the human race.

“They’re going to be smarter than us and if they’re smarter than us then they’ll realise they need us,” Wozniak said at the Freescale technology forum in Austin. “We want to be the family pet and be taken care of all the time.”

Artificial intelligence was the theme of the movie Ex Machina. The prime character is another tech billionaire who believes, like Wozniak, that he can create the perfect AI robot. This dream results in his death and the death of others. As I wrote in my column “Ex Machina: Consciousness without a Conscience“:

This film is disturbing because is shows how humans without a conscience (morality) can, when given the chance, pass along their lack of morality to a machine.

[ … ]

Humans must control their urges to use technology to become God, as Caleb points out to Nathan. Robots must never be allowed to act alone. Think of the film The Terminator. You see machines may have a goal but lack a soul.

If the goal of AI machines is to have us as pets then perhaps we need to rethink having AI machines?

In “Cyber Security: Where are we now and where are we headed?” I warned:

The more we tune in, turn on and hook in to technology the greater the threat to individual privacy and freedom.

[ … ]

What are the future threats?

bio chip embedded in hands

Sub-dermal chip implants.

Restorative and enhancement technologies, biohackers, cyborgs, grinders and sub-dermal technology (chipping). Restorative technologies include devices used to help individuals medically. They are devices, that include a computer chip, used to restore the lives of individuals to normal or near normal. Restorative technologies include devices such as: heart pace makers, insulin pumps and prosthetic devices.

Enhancement devices are those which the individual implants into their bodies outside of the medically approved arena. Individuals can for just $39 buy a glass-encased embeddable chip that works with some Android smartphones.  A full DIY cyborg kit, including a sterilized injector and gauze pads, runs about $100. Amal Graafstra, a cyborg who creates and sells biohacking devices, said, “Some people see the body as a spiritual vessel not to be tampered with.  And some people understand their body is their own, treating it like a sport utility vehicle. I see [biohacking] as, I got fancy new fog lights on my SUV. “

Some of these enhancement devices are being designed to be used with computer games. The idea is to give the gamer a more realistic experience by using sub-dermal technology to provide pleasure and pain as the game is played. Mr. Jorgensen states that the gaming industry is “spending $300 million annually” to provide sub-dermal gaming chips, effectively turning gamers into cyborgs.

Will your grandchild become a cyborg’s pet or become a cyborg? It is immoral to have a human become the “pet” of a robot.

Pet is another name for slave.

RELATED ARTICLES:

Killer Robots Will Leave Humans ‘Utterly Defenseless’ Warns Professor

In ‘Tomorrowland,’ We Get a Glimpse of the Left’s Vision for the Future

‘World’s first’ robot kitchen cooks for visitors at CES Asia in Shanghai

Robot learns skills through trial and error, like you do

Robot Tongue Identifies The Correct Beer Every Time

The End of Boys and Girls: These Companies Are Going to Change How Your Kids Dress [+video]

 

The Ghosts of Spying Past by Gary McGath

In the 1990s, the Clinton administration fought furiously against privacy and security in communication, and we’re still hurting from it today. Yet people in powerful positions are trying to commit the same mistakes all over again.

In the early days, the Internet was thoroughly insecure; its governmental and academic users trusted each other, and the occasional student prank couldn’t cause much damage. As it started becoming available to everyone in the early ‘90s, people saw the huge opportunities it offered for commerce.

But doing business safely requires data security: If unauthorized parties can grab credit card numbers or issue fake orders, nobody is safe. However, the Clinton administration considered communication security a threat to national security.

Attorney General Janet Reno said, “Without encryption safeguards, all Americans will be endangered.” She didn’t mean that we needed the safeguard of encryption, but that we had to be protected from encryption.

In a 1996 executive order, President Clinton stated:

I have determined that the export of encryption products described in this section could harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States, and that facts and questions concerning the foreign availability of such encryption products cannot be made subject to public disclosure or judicial review without revealing or implicating classified information that could harm United States national security and foreign policy interests.

The government prohibited the export of strongly secure encryption technology by calling it a “munition.” Putting code on the Internet makes it available around the world, so the restriction crippled secure communication. The Department of Justice investigated Phil Zimmerman for three years for making a free email encryption program, PGP, available.

The administration also tried to mandate government access to all strong encryption keys. In 1993 it proposed making the Clipper Chip, with a built-in “back door” for government spying, the standard for serious encryption. Any message it sent included a 128-bit field that would let government agencies (and hopefully no one else) decrypt it.

But the algorithm for the Clipper was classified, making independent assessments impossible. However strong it was, it would have offered a single point to attack, with the opportunity to intercept virtually unlimited amounts of data as an incentive to find weaknesses. Security experts pointed out the inherent risks inherent in the key recovery process.

By the end of the ‘90s, the government had apparently yielded to public pressure and common sense and lifted the worst of the restrictions. It didn’t give up, though — it just got sneakier.

Documents revealed by Edward Snowden show that the NSA embarked on a program to install back doors through secret collaboration with businesses. It sought, in its own words, to “insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices” and “shape the worldwide cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS.”

The NSA isn’t just a spy agency; it’s one of the leading centers of expertise in encryption, perhaps the best in the world. Businesses and other organizations trying to maximize their data security trust its technical recommendations — or at least they used to. If it can’t get the willing collaboration of tech companies, it can deceive them with broken standards.

Old software with government-required weaknesses from the nineties is still around, along with newer software that may have NSA-inspired weaknesses. There are still restrictions on the exporting of cryptography in many cases, depending on a complicated set of criteria related to the software’s purpose. Even harmless file identification software, used mostly by librarians, may have to carry a warning that it contains decryption code and might be subject to use restrictions.

With today’s vastly more powerful computers, encryption that was strong two decades ago can be easily broken today. Some websites, especially ones outside the United States that were denied access to strong encryption, still use the methods which they were stuck with then, and so do some old browsers.

To deal with this, many browsers support the old protocols when a site offers nothing stronger, and many sites fall back to the weak protocols if a browser is limited to them. Code breakers have found ways to make browsers think only weak security is available and force even the stronger sites to fall back on it. Some sites have disabled weak encryption, only to be forced to restore it because so many users have old browsers.

You’d think that by now people would understand that secure transactions are essential, but politicians in the US and other countries still want to weaken encryption so they can spy on people’s communications.

The FBI’s assistant director of counter-terrorism claims that strong encryption gives terrorists “a free zone by which to radicalize, plot, and plan.” NSA Director Michael S. Rogers has said, “I don’t want a back door. I want a front door.” UK Prime Minister Cameron says,

In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications. The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.

In 2015 over eighty civil society organizations, companies, and trade associations, including Apple, Microsoft, Google, and Adobe, sent a public letter to President Obama expressing concern about such actions. The letter states:

Strong encryption is the cornerstone of the modern information economy’s security. Encryption protects billions of people every day against countless threats — be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.

In the United States, we have a tradition of free speech, but in many countries, even mild criticism of the authorities needs to travel in secret.

A country can pass laws to weaken its law-abiding citizens’ access to cryptography, but criminals and terrorists exchanging secret messages would have no reason to pay attention to them. They can keep using the strong encryption methods that are currently available and get new software from countries that don’t have those restrictions.

Governments would gain increased ability to spy on people who follow the law, and so would free-lance data thieves, while competent criminals would still be able to communicate in secret. To crib David Cameron, we must not let that happen — again.

Gary McGath

Gary McGath is a freelance software engineer living in Nashua, New Hampshire.

RELATED ARTICLES:

Encryption stalemate: A never-ending saga?

Why Cameron’s encryption limitations will go nowhere

The dynamic Internet marketplace at work: Consumer demand is driving Google and Yahoo encryption efforts

CYBER ATTACK: China Steals 21 Million Federal Employee’s Personal Information

Archuleta_Katherine

OPM Director Katherine Archuleta

The Associated Press reports, “Hackers stole Social Security numbers, health histories and other highly sensitive data from more than 21 million people, the Obama administration said Thursday, acknowledging that the breach of U.S. government computer systems was far more severe than previously disclosed. The scope of the data breach — believed to be the biggest in U.S. history — has grown dramatically since the government first disclosed earlier this year that hackers had gotten into the Office of Personnel Management’s personnel database and stolen records for about 4.2 million people.”

U.S. Senator Marco Rubio (R-FL), a member of the Senate Select Committee on Intelligence, issued the following statement regarding newly released details about the cyberattack against the Office of Personnel Management (OPM):

“OPM officials need to be held accountable and fired for what appears to be utter incompetence. While it is completely unacceptable that our federal databases containing such massive amounts of personal information on federal employees could be so vulnerable in the first place, it’s even more infuriating that this data was hacked seven months ago and the American people are only now being informed about it. This breach has jeopardized our national security because it has given our adversaries information about over 20 million people working for the federal government, including our military and personnel involved in sensitive intelligence functions as well as their families.

“The U.S. needs an offensive cyber capability that can serve as a strong deterrent against enemy state actors and cybercriminals, like those involved in this effort out of China. We also have much work to do to create the strongest possible cyber defenses to protect our government networks and ensure that the agencies handling important tasks such as security clearances are up to the challenge.

“But to be finding out about the extent of this December cyberattack only now is irresponsible and unacceptable. The American people, starting with the people who have had their data breached, deserve more candor, transparency and urgency from the Obama Administration. They’ve been sitting on this reality for seven months. People need to go, starting with the OPM director.”