Boldly Going Where Hackers Have Already Been
Captain’s Log. Stardate 94293.37
Travelling back to the early 21st century to examine the state of Earth’s technological interconnectivity and security has revealed some troubling insights into our forerunners. These problems have multiplied like tribbles over the last few years, and one in particular stands out. One Earth year ago, in what would be 2015, the old United States’ Office of Personnel Management—a government agency tasked with managing the nation’s civil service—discovered it had suffered a data breach when its network was infiltrated and its contents pilfered with almost Borg-like efficiency. As far as has been determined, 21.5 million background check records were stolen by cyber criminals believed to be connected to the Chinese military; 4.2 million federal personnel records and 5.6 million employee fingerprints were also accessed.
A group known as the House Committee on Oversight and Government Reform launched a probe into the incident, which has only recently reported that the hackers were in the OPM’s systems for a longer period of time than previously thought. According to the 241-page report, these malicious actors beamed themselves onboard the network as early as July 2012. At that time, and for approximately 17 months after, blatant security gaps in the OPM system, coupled with negligence in logging network activity, helped facilitate ease of access. Only in 2014 did the agency begin logging traffic for the Personnel Investigations Processing System, once it had been alerted to nefarious activity that could affect national security personnel and classified material access.
Unfortunately, that is not the end of the story. Logic would dictate that logging in to the network of an organization as critical as the OPM would require more than a mere password, such as the old two-factor authentication method. Such a policy, however, was not in place, and no such secondary ID, like a personal identity verification card, was required. “Had OPM leaders fully implemented the PIV card requirement…security controls when they first learned hackers were targeting background investigation data,” say congressional investigators, “they could have significantly delayed or mitigated the data breach discovered in 2015.”
Internal discord within the organization was an additional factor, as the report indicates there were clashes and failures to collaborate between former agency CIO Donna Seymour and the inspector general. Poor security records and a sluggish modernization process also plagued the organization for nearly a decade. Most damning is the accusation that the agency violated an agreement with private contractor CyTech to purchase $800,000 worth of security products after the company initially discovered the hack during a product demonstration. OPM denied this violation, but the report supports CyTech’s claim.
Now, it has also come to light that the committee’s report was drafted along partisan lines, specifically between the two oft-feuding parties that characterized the United States in this era. All the aforementioned details are part of the primary Republican report, which places the majority of the blame on the OPM. Dissenters on the Democrat side, however, say the report absolves private companies of responsibility, when they were in fact key components of this breach. “The OPM breach was achieved using credentials taken from one of OPM’s contractors to disguise its initial movements,” says Elijah Cummings, a congressman from the state of Maryland. He adds that the probe found that these contractors are an integral part of federal cybersecurity, yet are not subject to the same stringent requirements and guidelines as government agencies.
What this means for Americans in 2016, particularly the millions of victims of this cyber attack, is that they will likely never know the full extent of the data stolen. “The intelligence and counterintelligence value of the stolen background investigation information for a foreign nation cannot be overstated, nor will it ever be fully known,” say the investigators.
When we return to our own time, this information on our ancestors’ data security capabilities will be of interest to Starfleet’s Exploratory Division. As we try to learn more of our history, we can see that at this juncture, humanity still has a long way to go.