Security Failure and the OPM Breach

China is currently in the news again, and not just as it relates to Donald Trump’s apartment sale figures.  The massive hack of the Office of Personnel Management, which exposed files containing sensitive information on millions of federal employees, veterans, retirees, etc., has obviously been highly publicized by this point.  From the standard stuff like addresses and Social Security numbers, to information on security clearances and background checks, to data on pensions and life insurance and pay histories, the thieves left no stone unturned, attaining what essentially seems like complete profiles of all the people affected.  It’s hard to even process just how much info was obtained, but it sure makes Snowden’s leaks look like Little League.

Initial suspicions still place the culprits as possibly working for the Chinese government—an accusation which Beijing denies vehemently.  Whatever the truth, we don’t know yet.  Maybe we never will.  23,000 US government emails appear suddenly on the Dark Web; maybe it’s related, maybe it’s not.  Perhaps the attack was state sponsored, or perhaps it was criminal enterprise.

What is more clear is the abdication of responsibility from those closer to home.  Take the theft of 30 years’ worth of this personnel data from at least 10 million federal employees past, present and prospective, couple it with the duration of this hack (since March 2014) and the fact that the OPM and other government offices had already endured multiple exfiltrations of this sort before, and it all adds up to a scathing indictment of the federal government’s security policies and efforts to protect the most private information of those who need it most.

That’s not even getting into the national security implications of the breach.  According to Joel Brenner, former NSA senior official, “The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That’s a gold mine. It helps you approach and recruit spies.”  Any undercover operatives whose information ever made its way onto OPM’s systems might have had their cover blown.  Or, there’s always the option for blackmail, as whoever ends up with the information tries to leverage it for entrance to government computer networks or U.S. secrets.

Yeah, it’s pretty indicative when the lack of encryption for the stolen SSNs isn’t the worst thing to come out of a data breach.  Honestly, we might not even know yet what the worst of the damage is, and that’s the scary part.

The irresponsible, lackadaisical approach to cybersecurity on display here is staggering.  Especially since OPM was warned previously about shortcomings in their security.  They knew that their stored sensitive data was not protected, but didn’t take steps to address this, nor did they even test their security measures to ensure they were sufficient.  The ineptitude seems rampant, and continued even after the breach.  Seriously, sending notification emails after the fact with sketchy looking URLs in the subject line (the links were to third party credit monitoring services)?  No wonder employees thought they were phishing scams.

The magnitude of this overwhelming failure, and its potential repercussions, have far eclipsed the other hack that preceded it, a breach of KeyPoint Government Solutions that revealed information of about 400,000 Homeland Security employees.  That’s bad news enough on its own, and surely, without this other OPM story, would be dominating the news cycle right now.

OPM and KeyPoint remind us, however, of the fact that there are hundreds of other vulnerable government databases.  Without a sweeping government security “surge” (as David Auerbach calls it), nothing will change, and government agencies will be increasingly targeted.

I wonder what the Donald will do about all this.

By: Jonathan Weicher