
OPM data breach disaster even more disastrous


Hackers reportedly accessed most sensitive info on federal workers

Revelations of the Office of Personnel Management’s (OPM) massive data breach seem to get worse by the day.

Thursday we discussed that, per the FBI, the number of people whose personal data was compromised is upwards of 18 million. OPM’s estimates were around 4 million. In a hearing Thursday, it was revealed that OPM Director Katherine Archuleta hadn’t bothered to speak with the FBI about their numeric discrepancy. Archuleta was also unwilling to answer whether or not prescription and other sensitive health-related data was accessed by hackers.

The White House has also been implicated in this bottomless pit of fail. Wednesday it was disclosed the White House intentionally hid the extent of the OPM hack.

Friday, Fox News reported that according to a senior U.S. official, the data breach included access to “adjudication information;” information used to determine security clearances.

…The Daily Beast, citing a senior U.S. official, reported that the hackers, believed to be based in China, gained access to so-called “adjudication information,” sensitive facts compiled by U.S. investigators about government employees and contractors who apply for a security clearance. The “adjudication information” goes beyond what is required of employees filling out a routine clearance questionnaire, known as Standard Form (SF) 86. The Obama administration admitted earlier this month that information in those forms had been compromised by the hackers.

If the theft of “adjudication information” is confirmed, whoever carried out the hack would have access to a list of federal employees and contractors who are likely targets for blackmail or engagement in espionage against the United States.

“This is worse than [NSA leaker Edward] Snowden, because at least programs that were running before the leaks could be replaced or rebuilt,” a former U.S. intelligence official told The Daily Beast. “But OPM, that’s the gift that keeps on giving. You can’t rebuild people.”

The Daily Beast reports that the “adjudication information” includes the results of lie-detector tests, in which investigators press applicants to reveal deeply personal information. The topics for interrogation can and do include marital problems, drug and alcohol abuse, or an addiction to gambling.

For example, the report mentions one applicant who was reprimanded by his boss for accessing pornography on his work computer. Another, who had a clearance for over 25 years, had been engaging in an off-and-on affair with his college roommate’s wife.

…Generally, any adjudication reports about individual government employees that are made public keep the subject anonymous. However, the unredacted files are kept in the OPM’s adjudication records, which were compromised by the cyberattack. That, in turn, would give foreign spies the easy ability to put names to reports and use the information to their advantage.

The ineptitude…


Thursday, Rep. Will Hurd (R-Texas) penned an op-ed in the Wall Street Journal branding the federal government’s handling of data breaches hypocritical, saying, “prevarication and hypocrisy are the federal government’s modus operandi when it comes to data breaches.”

Rep. Hurd’s experience as a CIA agent gives him unique insight on the OPM debacle:

If federal agencies wish to provide effective oversight of the private sector, then they should start by looking in the mirror. Despite clear warnings provided to the OPM, and its failure to heed them, no one has been held accountable.

This needs to be a watershed moment for cybersecurity in the federal government. Other agencies have the same problems as the OPM, deploying outdated legacy systems and exercising poor cyberhygiene. In the wake of this data breach, the heads of other agencies should pull out their own inspector-general reports and begin to address their vulnerabilities.

A strong message must be sent to the public and the employees of the federal government that we take cybersecurity seriously.

Earlier this year, I asked Gene Dodaro, the long-tenured head of the Government Accountability Office, if he could recall ever seeing any federal government employee fired for delays or cost overruns on IT projects. After a long pause, he could not name a single instance. This “do as I say, not as I do” culture runs rampant in Washington. Our government demands accountability from others but offers little itself.

Until the leaders of our federal agencies implement solid cybersecurity measures—such as strong authentication, network monitoring, state-of-the-art data encryption and robust system hygiene—we will continue to play catch-up to our highly sophisticated and well-funded adversaries. The refusal at the Office of Personnel Management to take responsibility and move swiftly to address significant deficiencies leads to only one conclusion. Accountability starts at the top. It’s time for a change in leadership at the OPM.

We couldn’t agree more.

Follow Kemberlee Kaye on Twitter


Comments

We have more than 18 million people employed in the government? In a country with fewer than 300 million citizens?

Does that not seem completely insane to anyone else?

    this includes military and vets (like me) who were screened for working with nuke/chem/bio weapons.
    there are many people who are no longer employed by the fed gov that are affected by this.

    I R A Darth Aggie in reply to clintack. | June 26, 2015 at 6:09 pm

    The data store also includes retirees. I don’t know if it also included temporary employees, such as census takers. If it does, that should be a large number.

    The federal reserve bank of St. Louis has a nice time series of number of federal employees, in which the census spikes are pretty clear.

    But taking everyone who was employed during the Database Era, current and past, it comes to almost 10% of the US population. If this hacking crew is independent of any government, their payday is pretty incalculable. Just as straight up identity theft, it’s worth ~$100 million, but with what it actually contains…probably more like a billion, maybe even several.

Sammy Finkelman | June 26, 2015 at 4:44 pm

It’s a Wild Eye Guess of the number of Social security numbers that might have been stolen.

It’s all people who work, once worked, or applied to work, for the federal government, over the last 30 or so years or whatever, including those in the military, and their family members whose Social Security numbers might be on some form.

The question is, did the hackers from China actually have the time and the throughput to download it all?

    I R A Darth Aggie in reply to Sammy Finkelman. | June 26, 2015 at 6:00 pm

    Yes. While I am not privy to OPM’s networking infrastructure, I doubt that they’re connected to anything less than an OC-48 fibre connection.

    That’s ballpark 2000 Kbit/s. Even if the hackers throttle their bandwidth usage to avoid detection to say, 10%, that’s still 200 Kbit/s, or about 25 KB/s. Which doesn’t seem like much, until:

    86,400 s * 120 days * 25 KB = ~ 247 GB

    That’s only 10% bandwidth. For 20%, you’re looking at half a terabyte. I’m a bit tired, and I’ve always had issues going from bits/s to bytes/s, so my math may be off. An old rule of thumb is to “not underestimate the amount of bandwidth that a truck load of tapes rolling down the highway at 70 MPH represents”.

    If nights and weekends are relatively unmonitored, they can press the bandwidth up to 80%. I wouldn’t go higher, some schmuck might notice “hey my pr0n’s kinda laggy WTF?”.

    Of course, I’m assuming they have some sort of network monitoring going on and they could detect unusual traffic patterns. But I’m thinking that’s a bad assumption. I don’t think they’re competent enough to know they should be doing something like that.

      they had root users mucking around from outside, so no, I’m thinking the security setup here was bush-league. or maybe we should start calling that obama-league.

basically we are screwed.

I R A Darth Aggie | June 26, 2015 at 5:46 pm

In the case of a security breach, especially one that wasn’t detected for about 4 months and they had access to your database servers, assume all of your data has been taken.

So when are the airheads at MSNBC going to start blaming Bush?

A half century ago (ye gods!), and a bit more recently, when I had various levels of military and DoD security clearances, the kind of “adjudication” information being tossed around today as little more than industrial strength gossip would have been the basis for denial of a clearance. But then, where do we find men of presidential timbre if we exclude serial potheads, or find naval officers of high moral character if we exclude the occasional vice president’s drug using, lying son?

The whole thing has been reduced to one great big J. Edgar Hoover file blackmail caper; we know everything, do as we say or we’ll tell. Of course, the Chinese would never try to manipulate a presidential candidate, say a Hillary Clinton, would they?

Where indeed?

    Paul in reply to Owego. | June 27, 2015 at 5:31 pm

    Given the recent behavior of supposedly “conservative” members of Congress, and the Chicago-politics background of this administration, I seriously wonder if there isn’t some major blackmailing going on. If so, somebody needs to grow a set of balls and expose it.