Saturday, June 13, 2015

WHAT CHINESE HACKERS KNOW ABOUT ALL OF US

It looks like the major media are lightly stepping over the recent revelation that Chinese hackers have been rooting around in the Office of Personnel Management's files for over a year. For those that don't know what the Office of Personnel Management is, here is a brief summary:

OPM controls thousands of agents who go forth and investigate the background information provided by all employees of the United States who require a National Security Clearance in order to work for the U.S. Government. That includes all military officers and most enlisted personnel. It includes most State Department employees and Foreign Service Officers, and it includes almost all of the bureaucrats working in every other job. For instance, CIA, NSA, DIA, and Secret Service personnel require security clearances and background investigations, as do all FBI agents and all the other agents one can think of.

OPM's databases are online and include completed copies of this form. Go ahead and look. You know you want to see how bad it is, knowing that these are not only compromised but almost certainly include the OPM agent's report of investigation and notes, which are used to limit or deny clearances and deny access.

I won't be surprised to learn that all of those who completed the paperwork for Special Background Investigations are clearly denoted and their access described in fuller detail. You know, the people who require Q clearances or access to Restricted or Formerly Restricted Data. It probably even has clues as to who was investigated or reinvestigated as access requirements ballooned and moved beyond Top Secret.

The terrible thing about OPM is that they were quick off the mark a decade ago and required all submissions of form SF 86 to be made electronically, i.e., all of us squirted our personal information directly into OPM's computers because they refused to accept paper submission of SF 86s after 2005.

I think every single person involved in this fiasco at OPM must be fired and horsewhipped and then deported to Iran. Where was their Information Vulnerability Assessment? Where was their cybersecurity? Why wasn't the data encrypted, given how insanely valuable it could be to an up-and-coming superpower? This catastrophe ranks up there with Hanssen, Ames and Walker for the damage it has caused and will cause going downstream.

This won't be solved by firing the #1 bureaucrat. This requires the wholesale demotion and firing of every person involved in safeguarding the information they acquired and retained in the leaky sieve laughingly known as the security database.

2 comments:

Ex Bootneck said...

If memory serves me… Last year the Inspector General of the OPM issued his report, which screamed blue murder over the lack of security within the agency. We both know that such reports are only worth a damn if something is done to rectify the points contained within. Lip service and the passage of time tend to make good bedfellows...

When I was in the game over here, it was almost impossible to rectify even the most severe pick-up points found during a full-blown security inspection, as more often than not the agency's budget pot would inevitably be empty. The threat of an invite to the Second Sea Lord's Office for tea (without biscuits) would normally be sufficient for the 'No1 Head' to find funds for running repairs - that would be drawn from an obscure Health & Safety budget, or an obscure benevolent fund. Failing a security team inspection was (and still is) a nail in senior command's promotion coffin. And rightly so.

The OPM requires a new broom to sweep clean, as well as a 'staff rolling replacement program' with penalties attached to pay and pensions.

Mind blowing stuff indeed.


HMS Defiant said...

This rose to the level of criminal neglect. It is a serious violation of the Privacy Act and every single exposure of a social security number in this context brings with it a major fine and the potential for up to 5 years in jail per incident.

This is the tip of the iceberg. Everything has been hacked by this point. All those private privileged notes and records and files have been hoovered up by the bad guys. It doesn't help that so many of the software writers bowed to corporate and Federal demands and left back doors into just about every program running today. Exploit one and you can exploit them all.