Saturday, June 20, 2015

How Did Hackers Get The Personal Data of Millions of U.S. Government Employees?

If you’re a U.S. federal government employee, or have ever worked for the federal government, it’s a pretty safe bet hackers now have your social security number, birthday, and home address. An agency called the Office of Personnel Management (OPM), which is effectively the government’s HR department, was systematically hacked for more than a year. The motives of the hackers, believed to be from China, remain unknown. Records belonging to more than 4 million people were stolen.
And much of the information, it seems, has to do with U.S. government employees’ ties to China. Among the files stolen were security clearance applications from a huge number of bureaucrats. In these applications, job hopefuls detailed their family ties, personal friendships, and business relationships in foreign countries. There are justifiable fears right now that a large number of people overseas could be targeted for blackmail or worse based on those ties.
The irony of this is that the United States is one of the world’s strongest cyberpowers, and has unparalleled defensive and offensive cyberwar capabilities. The White House itself has massive amounts of tech talent in the executive branch. But the American government, as any contractor or vendor knows, sprawls endlessly. Different agencies have different defenses and safeguards. Compounding the problem is the fact that many of the hackers who attack government systems also target the private sector.
To their credit, the White House has been trying to introduce information sharing between the private sector and the government on hacker intrusions. However, a bipartisan set of cybersecurity legislation going through the Senate failed to pass this week.
There’s plenty of blame to go around on both sides for why the cybersecurity legislation failed. It fell victim to the usual Capitol Hill politicking: Senator Mitch McConnell (R-KY) attached the legislation to a much larger defense policy bill, and Democrats objected to portions of the defense policy bill that had nothing to do with cybersecurity. Even though the legislation, which mainly deals with information sharing between the government and the private sector, would not have prevented the OPM hack, it would have been crucial assistance. The reason OPM was hacked had to do with outdated anti-hacker protection, a lack of basic authentication techniques, and a staggering lack of encryption of sensitive data.
According to Richard Blech of encryption firm Secure Channels, "This is a travesty of the first order. The 'Einstein System' that the OPM used to protect all of that critically sensitive data was futile, and the hackers knew it. The hackers knew once they bypassed Einstein, there would be a virtual treasure trove of valuable data that will forever be usable for future exploits. While you can get a new credit card number, you are not going to get a new social security number or some of the other user-identity-sensitive data. This is going to cost the government and—as usual—the taxpayers billions to clean up this mess, and the repercussions of this breach will have effects for many years to come."
The reason we’re hearing about the OPM attack is because it’s the federal government, and attacks on federal agencies tend to get out. But many similar attacks have taken place against U.S. corporations, ranging from massive Fortune 500 companies to mom-and-pops working in strategic industries, and news hasn’t gotten out on those. These attacks show no signs of slowing down, and they’re something every business owner and entrepreneur has to keep in mind.
In the public sector, protecting government agencies from malicious attacks comes down to a wide array of contractors and products. Staggeringly, there’s no one agency coordinating a response to the OPM hack. According to the Department of Homeland Security, the FBI, and the White House National Security Council, follow-up to the theft of more than 4 million records is being considered as an interagency effort.
The FBI is believed to be taking the lead in the investigation and in clean-up efforts, but the real question is how other government agencies can prevent this sort of mass intrusion by foreign governments, organized crime, or just bored lone wolves.
In the meantime, government employees are furious. The president of a major union representing government workers, J. David Cox of the American Federation of Government Employees, wrote in an open letter that "based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to 1 million former federal employees."
As of press time, there are no encryption, security, and mitigation strategy standards for federal government entities. Every agency, department, and bureau has an individual policy, and attempts to introduce systematic best practices have been stymied by the wildly varying IT setups across the federal government. The federal government, which has shown great wisdom when it comes to groundbreaking data science and open government initiatives, now needs to tackle a new challenge: making sure Washington’s defensive cybersecurity game is as good as their offensive game.
