Office Of Personnel Management Breach and CISA

Congress has been trying to pass some sort of cyber security bill for 3 or 4 years now, but up until last December was never able to pass one.  Part of the reason is that knowledgeable people understand that this information sharing will likely not help you or me at all.

Last December, Congress quietly placed what was the CISA bill (S.754) inside the federal budget bill that was passed quickly so as to avoid shutting down the government.  There was very little debate – there was no time – and the intelligence community was able to weaken the language requiring companies that share information with the government (in exchange for which they get immunity if anyone sues them for doing so) to make sure that no personally identifiable information is being shared.  While some people read the law as protecting privacy, others read it in the opposite manner.

The weakened privacy protections say that a company cannot share information that it KNOWS to be personally identifiable and KNOWS to be irrelevant to cyber security.  That seems like a pretty big loophole: almost anything can be shared.  The good news is that many companies will try to avoid sharing any information with the government because of the negative business PR when they are outed as sharing data with the government.  See Wikipedia for more information.

What we don’t know is how the government might use this law to “encourage” companies to share information if they want, say, government help or government contracts.

One note.  The law requires DHS and ODNI to provide procedures for sharing information within 60 days of enactment of the law.  If enactment, in this case, means the day the President signed it, the procedures must be sent to Congress this week, so stay tuned.

So how does this relate to OPM?

Whether the data provided by private industry directly contains your PII or not, it is likely sensitive to the company sharing it.  As a result, those companies are counting on the government to protect that information.

Almost a year ago the U.S. Office of Personnel Management acknowledged that hackers made off with information on around 20-25 million Americans, many of them in positions of trust with access to sensitive classified information.

Based on my background, I assumed I was one of those people.

So, I waited for a letter to arrive.  By October I still had not received a letter, which I thought odd.

So I went to the OPM web site and there is a process, they say, that will tell you whether OR NOT your information was breached.  No response.

So I called the OPM call center and asked them to resubmit my request.  And, still, no letter.

Remember, in both of these cases I should have received a letter either way – whether my information was compromised or not.

So I wrote to my Senators and asked for their help.  One did not respond to my letter;  the other talked to OPM, who said, go to their web site.

So I did, again.

Finally, today, about 10 months after the breach was announced, I got a letter.  Yes, I was included.

What was taken?  Name, address, social security number, date and place of birth, where I have lived, education including dates and degrees, employment history, personal foreign travel history, immediate family members (and actually I would call that extended family – it includes brothers and sisters, their spouses and their children),  business acquaintances and personal acquaintances.

Oh yeah, also all 10 of my fingerprints. OPM says they are not sure how an attacker would misuse them, but they are pondering the question.

Based on that, here is my thought on CISA, and that of a lot of other people.

If the government cannot keep information such as the list above out of the hands of hackers, how likely is it that it can keep the information I share with it regarding threats safe and secure?  That information could easily include enough detail for another hacker to work out how the original hacker planned to attack me, or other sensitive information, including an attack vector that might still be valid.

Especially since, once I share it with Homeland Security, they can share it with a whole raft of other agencies.  So not only do we have to worry whether DHS is keeping the information secure, we also have to worry about the other agencies that get that information from DHS keeping it secure.

It will be interesting to see what the procedures say when they come out – maybe this week.

Addendum:  BestVPN reported that there was a private, invitation-only meeting between the government and the CIOs of the largest companies, where DHS tried to convince the CIOs that they were from the government and were here to help them.  As Ronald Reagan said, those are the most terrifying words in the English language (see the clip on YouTube).

Curiously, only 58% of the CIOs in attendance think that CISA will increase corporate cooperation with the government, because the government, they say, is useless at cyber security.  The FBI even admitted it, the article says, after the OPM breach.

As part of the roll out, DHS is relying on two standards.  STIX is a structured language for describing threat information (indicators, attack patterns, campaigns and the like), and TAXII is a protocol for exchanging STIX content between organizations.  Both were developed by MITRE with DHS sponsorship and are now maintained as open standards by OASIS.
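To make concrete what a STIX object looks like and where the PII risk discussed above actually lives, here is an added example that is not code from the original post, from DHS, or from the STIX/TAXII projects.  It assumes the JSON form of STIX 2.1 (the version current today; when this post was written STIX was the 1.x XML form), builds the object with the Python standard library rather than the stix2 library, and the indicator content, the sample e-mail address and SSN, and the two regular expressions are constructed for illustration.  It shows a company scrubbing the free-text parts of an indicator before it would be handed to DHS, while leaving the indicator pattern itself intact.

```python
"""Added example: a STIX 2.1 indicator and a pre-sharing PII scrub.

Not code from the original post or from DHS/MITRE/OASIS; uses only the
Python standard library so it runs offline.  All content is constructed.
"""
import copy
import json
import re
import uuid

# Only free-text properties are scanned.  "pattern" is the indicator itself
# (here the attacker's sender address) and must be left alone, or the
# intelligence value of the object is destroyed.
FREE_TEXT_FIELDS = ("name", "description")

# Two of the PII kinds the OPM list above shows attackers value.  These
# regexes are a starting point for illustration, not a complete detector.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

# Properties STIX 2.1 requires on an Indicator object ("name" is optional).
INDICATOR_REQUIRED = ("type", "spec_version", "id", "created", "modified",
                      "pattern", "pattern_type", "valid_from")

# Constructed sample: the analyst's description carries the reporting
# employee's e-mail address and SSN copied straight from an HR ticket.
SAMPLE_INDICATOR = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--3f1c2c5e-5d2a-4b7e-9c1a-2d4e6f8a0b1c",
    "created": "2016-05-10T12:00:00.000Z",
    "modified": "2016-05-10T12:00:00.000Z",
    "name": "Phishing sender seen in May campaign",
    "description": ("Reported by jane.doe@example.com (SSN 123-45-6789 on the "
                    "HR ticket). Sender domain resolves to 203.0.113.7."),
    "pattern": "[email-message:sender_ref.value = 'billing@example.net']",
    "pattern_type": "stix",
    "valid_from": "2016-05-10T12:00:00Z",
}


def scrub_pii(obj, fields=FREE_TEXT_FIELDS):
    """Return (copy of obj with PII redacted in free-text fields, findings).

    findings is a list of (field, kind, matched_text) so the sharing decision
    can be logged and reviewed before anything leaves the company.
    """
    clean = copy.deepcopy(obj)
    findings = []
    for field in fields:
        text = clean.get(field)
        if not isinstance(text, str):
            continue
        for kind, rx in PII_PATTERNS.items():
            findings.extend((field, kind, m.group(0)) for m in rx.finditer(text))
            text = rx.sub(f"[REDACTED-{kind.upper()}]", text)
        clean[field] = text
    return clean, findings


def missing_required(indicator):
    """List the STIX 2.1 Indicator properties the object still lacks."""
    return [k for k in INDICATOR_REQUIRED if k not in indicator]


def make_bundle(objects):
    """Wrap STIX objects in a Bundle, the unit TAXII moves between peers."""
    return {"type": "bundle",
            "id": "bundle--" + str(uuid.uuid4()),
            "objects": list(objects)}


if __name__ == "__main__":
    clean, findings = scrub_pii(SAMPLE_INDICATOR)
    for field, kind, value in findings:
        print(f"blocked {kind} in {field!r}: {value}")
    if missing_required(clean):
        raise SystemExit(f"not shareable, missing {missing_required(clean)}")
    print(json.dumps(make_bundle([clean]), indent=2))
```

The point of the design is the split between the `pattern`, which is the threat and must be shared verbatim, and the human-written `description`, which is where an employee's identity tends to leak in.  Running the scrub at the company boundary, and logging what it caught, is the only place the "knows it to be personally identifiable" test in the law can actually be applied.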

DHS says it will start this program (it may already have) with a few select companies.  Who might those be?  They have not said, and I bet those companies are not going to tout that they are participating.

Information for this post came from BestVPN and other news.
