Tag Archives: OPM Breach

OPM Capital Hill Hearing Summary

IAPP published a summary of the hearings on Capitol Hill regarding the OPM breaches.  The revelations certainly explain the mess, but also continues to raise the question about where Congress has been over the last 6 years.  It is certainly OK to beat up OPM management, but I don’t see Congress taking any of the heat that they should be taking.

So, what does the article say (see article)?

  • While OPM admits that 4+ million people’s information was compromised as a result of the first breach, they are unwilling to say how many people were affected by the second breach.
  • After intense interactions, Katherine Archuleta, director of the OPM would only admit that they have records on 32 million people.  The reason that she is being so cagey – besides the fact that they are still trying to figure out what was taken – is that if the SF86s and related data from security clearance background checks were taken, the number of people affected could be 100 million.  This is due to the fact that people have to provide information on relatives, employers, references, friends, neighbors, etc.  For every one SF86, it could affect 10-30+ other people.  For most of these people, there is significantly less information than for the applicant, but still, there is information.  And, if the investigators notes were hacked, then all bets are off.  Comments made by people under threat of being put in jail if the did not cooperate and who were told that what they said to investigators was confidential, is now in the wild.  If certain information becomes public and the source of the information also becomes public, careers could be ruined and, I assume, lawsuits could be filed against the people who made the statements.
  • The OPM Inspector General said that they had a “suitcase” of concerns and said OPM’s response to the incidents were “dangerous”.  I would think Congress should have been asking OPM to explain what they were doing to fix the problems and what assistance and funding they needed to fix them for years, but until now, Congress hasn’t done anything.
  • The IG said, in no uncertain terms, that what they are doing now will fail – that they are rushing through projects, not doing the basics, not focusing on doing it right.  Logic would say that Congress should tell OPM to slow down, to show Congress a plan,  to bring their experts who are designing the fixes to Congress to explain what they are doing.  But Congress is doing none of this.
  • The IG also said that they are frustrated by the amount of time it takes OPM to provide answers to their questions and when they do get the answers, eventually, the answers are total crap.
  • Magically, the OPM was able to contract with an outsource vendor in less than 48 hours to handle the breach notification service.  Not exactly the amount of time you expect it to take to do a thorough, well planned evaluation and strategy.  The answer that Congress got about how this happened was, in my opinion, smoke and mirrors.
  • Archuleta admitted that credentials from vendor KeyPoint were used in the attack and that the Keypoint contract was still in force – even though USIS’s contract was terminated after they were breached.
  • I said the other day that the OPM was using systems developed in the 1980s.  Apparently I was wrong.  Archuleta admitted that a COBOL based system developed in 1959 is still in use.  To put that in different terms, that would be sort of like building today’s skyscrapers with rollers and pulleys rather than excavators and cranes.
  • The House committee clearly wants Archuleta gone – they blatantly said so – and while that is probably what needs to happen, firing her will make zero difference until and unless Congress does it’s job.  Just this week, Congress  punted, yet again, on spending money to fix the problem.  Unfortunately, this is not a surprise.

This story will continue to unfold, but unless the pressure stays on Congress, it will go back into the dark recesses of the Washington bureaucracy.

More OPM Revelations

Katherine Archuleta, in testimony before Congress said that she realized when she assumed her post 18 months ago that the agency had huge cyber security issues.

When pressed on why the data was not encrypted, her response was that it is hard to do on systems that are that old.

However, Dr. Ozment, DHS assistant secretary for cybersecurity said that encryption would have done no good because the attackers had valid credentials – likely from social engineering (see article).

House Oversight Chairman Jason Chaffetz (R-UT) said that Archuletta and OPM CIO Donna Seymour “utterly failed” because  11 key internal OPM systems that store 65 percent of OPM’s data were not properly certified as secure.  The OPM IG, apparently, has reported for the last 8 years, according to Rep. Chaffetz, that OPM’s security posture was akin to leaving the doors and windows open and hoping that no one would walk in.

During his opening statement, Chaffetz read verbatim from a 2009 OPM inspector general report that noted, “The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance.” Similar statements were read from 2010 and 2012 reports, each more dire than the last

Rep Chaffetz, as chair of the House Oversight Committee, should have been reading those reports.  Isn’t that what oversight means?  Did he do anything about it during the last 6 years or did he wait until the kaka hit the fan to take notice.  Assuming his committee was “oversighting” things, they certainly read the IG’s annual reports.  I don’t recall him introducing any bills increasing OPM’s funding to replace those antique systems from the 80s and 90s.  In fact, I don’t recall him saying a thing on the subject.  Maybe we should investigate why Chaffetz wasn’t doing his job.

This doesn’t mean that I am defending Archuletta and Seymour – there is likely enough blame to share.  If you read the Ars Technica article above, you will see that things are pretty grim – much of which is laid on Congress’ doorstep for not funding and overseeing things.

OPM outsourced system administration – you know, those folks with the keys to the kingdom.  One, in particular, was in Argentina.  Another was in the People’s Republic of China.  Who’s fault is that?  Save money.  The hell with security.  And background checks – those are a joke too.  When OPM fired USIS after they were breached, the job of doing background checks went to KeyPoint.  Those investigators use their personal GMail accounts because the company doesn’t provide them with company email accounts.

Given how old most of the civilian IT infrastructure in D.C. is, it is amazing that it actually operates at all.  Think about all the horror stories we have heard about FAA and IRS systems for example.

SECURITY. CONVENIENCE.  COST.  PICK ANY ONE.  Maybe, if you are lucky, you get two.  Three is not going to happen.

Archuletta probably needs to go, but fixing this mess will cost billions and if Congress is not willing to spend the money, I would discourage anyone competent from taking the job.  Just my two cents.



OPM Breach, USA Freedom Act, Net Neutrality and Other Items

Several short items  – The battle over NSA spying is not over, the OPM breach is better or worse than we thought, The first ruling on net neutrality is here, Senator McConnell is trying to insert the cyber protection bill CISA inside the defense appropriations bill in a way that does not allow for debate.  Crazy Thursday.

First, The House voted today to defund two NSA backdoor spying programs that Rep. Thomas Massie (R-KY) said are worse than the NSA bulk data collection.  The NSA admitted that it sometimes spies on Americans communications under an authority that was intended to apply only to foreigners.  The amendment would require the NSA to get a warrant first.  The other amendment would block funds for NSA projects to build vulnerabilities INTO security products (see article).  These amendments to the NDAA are far from certain as there is a lot of mischief going on in the Capital over the NDAA.

The OPM is now saying that people’s SF-86 security questionnaires were not compromised in the breach.  However, AFGE union head David Cox wrote to the OPM saying that based on sketchy information released by the OPM, the target of the hackers was the central personnel repository database, which contains information on every federal employee, retiree and a million former employees.  Cox said that the data that the hackers stole included Social Security numbers, birthdays, addresses, military records, job and pay histories, and various insurance information, in addition to age, gender, and race data.  Since the OPM is being pretty quiet, we do not yet know the truth (see article).

The U.S. Court of Appeals for the D.C. Circuit has ruled against the telecom and cable companies to block the FCC plan to regulate Internet providers like other telecom carriers (the so called Title II classification).  The court did grant the request from both sides to expedite the hearing on the merits, but in the mean time, the rules go into effect on Friday, baring a ruling to the contrary from a higher court (see article).

Sen. Mitch McConnell is at it again.  This time he is trying to insert the long delayed cyber security bill known as CISA into the National Defense Authorization Act in a way that does not allow for debate or amendment.  The NDAA is a must pass bill, but President Obama has already said me may veto it for other reasons.  Adding other, totally unrelated bills into that bill will not improve its chances for passing.  McConnell says that because of the OPM breach, he is resorting to this strange approach.  The fact that CISA only applies to private companies, which does not include the OPM seems to make this argument misplaced (see article).  There are a number of Senators who are not happy with McConnell right now, so stay tuned.

ICANN, The organization that currently manages Internet names and numbers has been talking about giving up control, which currently rests with the Department of Commerce, to an independent international organization.  Some folks do not like the U.S. giving up power that it has over the Internet while others think it is a good idea.  In any case, ICANN said that there is no way it will be ready to do this by the September 30th target date.  September 30th is the end of the current existing contract between DoC and ICANN.  ICANN won’t even submit a proposal to the government on how this might work until mid October and who knows how long the evaluation process might take (see article).

OPM Breach – What Was Taken?

The government seems to be avoiding telling us what information was taken.  This could be because they don’t know – or because they do know.  One speculation that keeps coming up, and that the OPM has not denied, is that the hackers got SF-86 data.  If that is true, that is a problem.  I will explain in a moment, but the OPM has admitted that the data was not encrypted.  Other people in the know have said that the government is focusing too much on perimeter security.  While perimeter security is important, it does little for the case where your employees invite the attackers in by, say,  clicking on a link.

The SF-86s, if they were compromised, would be the holy grail for attackers like China trying to build a database of federal government employees and contractors.  If you apply for a government security clearance, you fill out an SF-86.  In that form you tell the government about yourself – where you have lived, where you have worked, every family member, your friends, your references, etc.

While we don’t actually use the SF-86 form itself any more – eQIP, a web based system replaced it – the blank form is still available here.  I don’t know, but I suspect, that eQIP is just a web front end that generates and validated the data and then produces an SF-86 for the actual government process.

To give you an idea of how invasive the SF-86 is, the form itself is 127 pages long.

Besides information like your social , date of birth, place of birth, height, weight, other names you have used, citizenship information – including naturalization information if you became a citizen, where you went to school and even more information, it asks about any crimes you were convicted of.

It also asks for some of that information, like socials for your relatives, so all of a sudden, that 4 million identities becomes 40 million.  I am not clear if the OPM is going to notify all those people that their information has been compromised as well.

SO, if you are merely an identity thief, you know have a vast database of information that cannot get replaced like a credit card can be, of information to answer security questions and create false identities to commit crimes.

If you are a foreign power and you want to commit espionage, you now have the data to figure out who can be blackmailed and for what.

And, there is really NOTHING that you to protect yourself.

And, you cannot sue the government, no matter what happens.

It is really, pretty much, a mess.

Explain to me how 18 months of credit monitoring will help you against being blackmailed.   Or protect you from a identity thief using that information to get access existing financial resources.

I was reading about Lifelock after I wrote the post on identity protection services yesterday and their higher end plans ($220-$330 a year, if you buy in advance) do offer to monitor your checking and brokerage accounts, but they do not say how.  The only way I can see that working is if you give them access to your accounts.  If true, you are counting on them not being breached and, at least for my bank, they say that if you give someone access and there is fraud, the bank is no longer responsible to make you whole.  And even if you do subscribe to this, it reports after the fact – after the crook has stolen your money.

I don’t think there is an easy way out of this one, unfortunately, *IF* the attackers got millions of SF-86s.

Attackers are getting smarter and businesses in general, are not keeping pace.

If someone broke into your network and stole your equivalent of SF-86s and quietly left, would you even know?  What would the impact on your business be if you lost your customer lists, trade secrets, patent applications, business processes or other crown jewels?

Ponder that for a moment.