Saturday, June 20, 2015

Hack N’ Sack

The news about the recent hack of federal personnel records – which the government is telling us traces back to China – was initially a nasty-but-incomplete delving into a limited universe of employee records. The media pressed onward. Leaks suggested that the damage was considerably more than a limited intrusion. Not only was the depth of what was taken a litany of extreme personal details of those whose records were hacked, but there were reports surfacing everywhere that the hack was dramatic in its scope… perhaps embracing every single government employee – from bureaucrat to soldier to spy. Everyone was pissed; some were screaming.
With search engines and computer software with extreme sensitivities, that massive database could now be trolled for every sort of information, identifying medical and mental issues, religious preferences, strengths and weaknesses in assessment reports… just the kind of stuff you would want to know if you considered the United States your main antagonist. Precisely the information you would want should you desire to recruit a legion of spies and those likely to leak information inadvertently. Blackmail stuff. Stuff about family issues. Stuff you really would never want public even here in the United States.
The game of mutual hacking has been going on for quite a while, and we are as guilty as the next nation in this endeavor. But the obvious weakness evidenced by our inability to stop this most-sensitive intrusion to some of our most sensitive confidential information is staggering. And now the F.B.I. is telling us that we have been subject to another wave of penetration.
“The White House on [June 12th] revealed that hackers had breached a second computer system at the Office of Personnel Management [OPM], and said that President Obama was considering financial sanctions against the attackers who gained access to the files of millions of federal workers.
“Investigators had already said that Chinese hackers appeared to have obtained personal data from more than four million current and former federal employees in one of the boldest invasions into a government network.
“But on [June 12th], officials said they believed that a separate computer system at the agency was breached by the same hackers, putting at risk not only data about the federal employees, but also information about friends, family members and associates that could number millions more. Officials said that the second system contained files related to intelligence officials working for the F.B.I., defense contractors and other government agencies…
“A senior government official, speaking on the condition of anonymity, said that investigators became aware of the second intrusion while assessing the damage from the first breach. The official said the information apparently taken in the second breach appeared not to be limited to federal employees.
“The database contains copies of what is known as Standard Form 86, a questionnaire filled out by applicants for national security positions. The 127-page form can include medical data, including information on treatment or hospitalization for ‘an emotional or mental health condition.’
“In addition, the form asks for detailed information on close relatives and ‘people who know you well.’ The form has spaces for each contact’s home or work address, email address, phone number and other information.
“The personnel office has said that the number of federal employees and applicants affected could rise beyond the four million already reported. If the relatives and close contacts are included, the total number of people affected could be several times as high, officials said.” New York Times, June 12th. Rumors suggest that the 4 million number is exceptionally conservative, “that as many as 14 million current and former civilian U.S. government employees have had their information exposed to hackers…”, June 12th.
How and why did this happen? Why hasn’t the federal government stepped up its overall defense against such attacks? (June 13th) attempts to answer these questions: “To their credit, the White House has been trying to introduce information sharing between the private sector and the government on hacker intrusions. However, a bipartisan set of cybersecurity legislation going through the Senate failed to pass this week.
“There’s plenty of blame to go around on both sides for why the cybersecurity legislation failed. It fell victim to the usual Capitol Hill politicking: Senator Mitch McConnell (R-KY) attached the legislation to a much larger defense policy bill, and Democrats objected to portions of the defense policy bill that had nothing to do with cybersecurity. Even though the legislation, which mainly deals with information sharing between the government and the private sector, would not have prevented the OPM hack, it would have been crucial assistance. The reason OPM was hacked had to do with outdated anti-hacker protection, a lack of basic authentication techniques, and a staggering lack of encryption of sensitive data.
“According to Richard Blech of encryption firm Secure Channels, ‘This is a travesty of the first order. The 'Einstein System' that the OPM used to protect all of that critically sensitive data was futile, and the hackers knew it. The hackers knew once they bypassed Einstein, there would be a virtual treasure trove of valuable data that will forever be usable for future exploits. While you can get a new credit card number, you are not going to get a new social security number or some of the other user-identity-sensitive data. This is going to cost the government and—as usual—the taxpayers billions to clean up this mess, and the repercussions of this breach will have effects for many years to come.’…
As of press time, there are no encryption, security, and mitigation strategy standards for federal government entities. Every agency, department, and bureau has an individual policy, and attempts to introduce systematic best practices have been stymied by the wildly varying IT setups across the federal government. The federal government, which has shown great wisdom when it comes to groundbreaking data science and open government initiatives, now needs to tackle a new challenge: making sure Washington’s defensive cybersecurity game is as good as their offensive game.
Archaic, outdated systems, overall incompatibility, political bickering and out-and-out ignorance from our elected representatives as well as “head in the sand” denials and explanations from government authorities. Sure, this stuff happens with corporations all the time, but the government? But think about who’s running the bureaucracies and when they graduated from school. How are these folks – the deciders – able to deal with the technologically massive and rapidly accelerating complexity that threatens them?
It is precisely the size and age of the bureaucracy and the relevant leaders that seem more than anything to allow such malicious malignant malfunctions to multiply. It seems that if they don’t have the skills to understand the issues, they really do need to outsource and accept the solutions! Or sack the fools who can’t! Shields up, Lieutenant Worf!
I’m Peter Dekom, but then there are always those who prefer to focus on intrusive social and moral issues while Rome, er Washington, is burning.
