
CYBER ATTACK: China Steals 21 Million Federal Employees’ Personal Information


OPM Director Katherine Archuleta

The Associated Press reports, “Hackers stole Social Security numbers, health histories and other highly sensitive data from more than 21 million people, the Obama administration said Thursday, acknowledging that the breach of U.S. government computer systems was far more severe than previously disclosed. The scope of the data breach — believed to be the biggest in U.S. history — has grown dramatically since the government first disclosed earlier this year that hackers had gotten into the Office of Personnel Management’s personnel database and stolen records for about 4.2 million people.”

U.S. Senator Marco Rubio (R-FL), a member of the Senate Select Committee on Intelligence, issued the following statement regarding newly released details about the cyberattack against the Office of Personnel Management (OPM):

“OPM officials need to be held accountable and fired for what appears to be utter incompetence. While it is completely unacceptable that our federal databases containing such massive amounts of personal information on federal employees could be so vulnerable in the first place, it’s even more infuriating that this data was hacked seven months ago and the American people are only now being informed about it. This breach has jeopardized our national security because it has given our adversaries information about over 20 million people working for the federal government, including our military and personnel involved in sensitive intelligence functions as well as their families.

“The U.S. needs an offensive cyber capability that can serve as a strong deterrent against enemy state actors and cybercriminals, like those involved in this effort out of China. We also have much work to do to create the strongest possible cyber defenses to protect our government networks and ensure that the agencies handling important tasks such as security clearances are up to the challenge.

“But to be finding out about the extent of this December cyberattack only now is irresponsible and unacceptable. The American people, starting with the people who have had their data breached, deserve more candor, transparency and urgency from the Obama Administration. They’ve been sitting on this reality for seven months. People need to go, starting with the OPM director.”

Why Is Snapchat More Secure than the Federal Government? by Andrea Castillo

Cyberhawks have seized upon this year’s massive hack of the Office of Personnel Management (OPM) to shove a wolfish surveillance bill in a sheepish cybersecurity bill’s clothing down America’s throat.

But the “Cybersecurity Information Sharing Act of 2015” (CISA) would have done nothing to stop the hack that exposed as many as 14 million federal employees’ personnel records. The pro-NSA crowd’s arguments are obvious nonsense — if anything, the OPM hack clearly demonstrates the danger of trusting incompetent government bureaucracies to manage huge datasets of sensitive personal information.

But amid all of the hubbub, these self-styled champions of strong cybersecurity — who also just happen to be anti-private encryption and pro-surveillance — have neglected to raise one important question: Why did a goofy picture-sharing app implement basic security measures before the central repository for all federal personnel data did?

This week, Snapchat announced that the private picture messaging service was offering two-factor authentication for its users. This basic measure of security helps to verify that the person logging in is indeed the legitimate owner of their account by sending out a text message with a special access code to the owner’s cell phone.

That way, a hacker must obtain both your password and your mobile phone to access and control your account. It’s simple, but simple security solutions can sometimes mean the difference between a foiled infiltration and a very, very bad day for a Snapchat user.
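To make the two-factor flow described above concrete, here is an added example (not code from the original article, from Snapchat, or from OPM) of the server side of an SMS-style second factor: the service issues a short one-time code, keeps only a salted HMAC of it with an expiry and an attempt counter, and accepts a login only when both the password and a live, unused code check out. The `ManualClock` helper, the user names, the password, and the `demo()` walk-through are constructed for illustration; the SMS delivery step itself is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6           # SMS codes are short; the attempt limit below makes that safe
CODE_TTL_SECONDS = 300    # a code is good for five minutes
MAX_ATTEMPTS = 5          # then the code is discarded and must be re-issued


class ManualClock:
    """Hypothetical clock for demonstrations: advance it to simulate expiry."""
    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


class SecondFactorStore:
    """Issues and verifies out-of-band one-time codes (the SMS-style second factor).

    Only a salted HMAC of each code is kept, with an expiry and an attempt counter,
    so a dumped table yields no live codes and a code cannot be brute-forced online.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user -> [salt, digest, expires_at, attempts]

    def issue(self, user):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        digest = hmac.new(salt, code.encode(), hashlib.sha256).digest()
        self._pending[user] = [salt, digest, self._clock() + CODE_TTL_SECONDS, 0]
        return code   # hand this to the SMS gateway; never log it or return it to the browser

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]    # expired or locked out: force a fresh code
            return False
        entry[3] = attempts + 1        # every guess, right or wrong, costs an attempt
        candidate = hmac.new(salt, submitted.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            del self._pending[user]    # single use: replaying the same code must fail
            return True
        return False


def hash_password(password, salt):
    """First factor: a slow salted hash, never the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def login(users, store, user, password, code):
    """Both factors must pass: the password hash and a live, unused code."""
    record = users.get(user)
    if record is None:
        return False
    password_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    # Short-circuit: a wrong password must not consume one of the code's attempts.
    return password_ok and store.verify(user, code)


def demo():
    """Constructed walk-through: good login, replayed code, wrong guesses, expired code."""
    clock = ManualClock()
    store = SecondFactorStore(clock=clock)
    salt = secrets.token_bytes(16)
    users = {"alice": {"salt": salt, "hash": hash_password("correct horse", salt)}}
    results = {}

    code = store.issue("alice")
    results["wrong_password"] = login(users, store, "alice", "wrong", code)
    results["good_login"] = login(users, store, "alice", "correct horse", code)
    results["replayed_code"] = login(users, store, "alice", "correct horse", code)

    store.issue("alice")   # new code; now hammer it with wrong guesses
    results["wrong_guesses"] = [store.verify("alice", "000000") for _ in range(MAX_ATTEMPTS + 1)]

    code = store.issue("alice")
    clock.now += CODE_TTL_SECONDS + 1   # let the code age out
    results["expired_code"] = store.verify("alice", code)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the example is the checks around the code, not the code itself: single use, a hard expiry, an attempt cap, constant-time comparison, and keeping only a hash at rest. SMS remains the weakest second factor (it is vulnerable to SIM swapping and number porting), so an authenticator app or a hardware token is the better choice where it is available; the article's point is that even this minimal form was missing at OPM.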

Of course, it is too much to expect the chief steward of federal employee information to implement such a simple policy. As the beleaguered office’s Inspector General reported last fall, OPM does not require multi-factor authentication to access its information systems.

If a careless OPM employee chose a weak and easy-to-guess password, or emailed it in plain text across an insecure channel, or merely left it on a sticky note on his or her desk (as is common practice in the federal government), then any common hacker could potentially access vast amounts of federal data.

In other words, an application for sharing pictures of wild parties and funny cats has better authentication standards than the federal government’s primary steward of millions of current and former federal employees’ and contractors’ addresses, Social Security numbers, financial information, and health records. Oh, and that of our military leadership and intelligence contacts — several of whom are embedded deep undercover in dangerous missions — as well.

Hackers also accessed the feds’ cache of Standard Form 86 files for the aforementioned groups, dragging countless family members, friends, and colleagues into the data breach crossfire.

To call this a huge mess would be the second biggest understatement of the year. The biggest? That OPM’s substantial information security vulnerabilities are entirely unacceptable and directly at fault for the hack.

The OPM’s annual information security reports to Congress have admitted “material weaknesses” and “significant deficiencies” for years. The department lacked an IT team with “professional security experience and certifications” until 2013. Disgruntled employees could have merely walked off with this data if they wanted to, since OPM does not “maintain a comprehensive inventory of servers, databases, and network devices.” Nor did the OPM encrypt any of the data that the hackers stole — they might as well have just invited our forward friends in China to sweep in through the front door!

As Ars Technica’s Sean Gallagher concludes, “Considering the overall condition of OPM’s security, it’s no surprise that an attacker — almost any attacker — could gain a foothold inside the agency’s network. But attackers didn’t just gain a foothold, they had practically a free run of the networks.”

It’s true that Snapchat has hardly been a paragon of good cybersecurity in the past, as previous security vulnerabilities, breaches, misleading marketing, and the infamous “Snappening” testify. However, there is another important difference between Snapchat and the OPM that puts the humble app ahead of the mighty federal office: Snapchat has to learn from its mistakes.

As a private service provider in a hotly-competitive market that must keep its users happy to stay afloat, Snapchat moved quickly to get its security house in order after their big mistakes. They hired the former social network security leader for Google and started to build a “culture of security” within the firm.

They may still have a long way to go, but these investments and cultural prioritization are important first steps that demonstrate a proactive sense of ownership in their platform’s security. And of course, if they keep screwing up, they’ll be sued out the nose and go out of business for good.

We see no such sense of urgency with OPM. The agency received what could have been a saving wakeup call last year, when it was discovered that Chinese hackers had accessed OPM databases in March of 2014.

OPM had the opportunity to implement simple encryption and authentication measures, tighten up their ship, and increase employee education about good data and security practices. No such luck! The office more or less continued on its merry way.

No one was fired back then and it looks like no one will get fired now. It’s government work, after all.

Unfortunately, OPM is hardly the only sucker on cybersecurity in the federal government, as my research for the Mercatus Center has found. This kind of unbelievably poor cybersecurity posture is the norm rather than the exception.

In fact, it’s hard to pick what is scarier: that the federal government operates under the digital equivalent of leaving all of their doors and windows unlocked and wide open, or that these same federal agencies want more power to manage your personal data through CISA.

Andrea Castillo

Andrea Castillo is the program manager of the Technology Policy Program for the Mercatus Center at George Mason University and is pursuing a PhD in economics at George Mason University.