Every media outlet, physical or virtual, is featuring a story about the June 4 revelation that, for the second time in the past year, the U.S. Office of Personnel Management (OPM) has been hacked. For those not familiar, OPM is the government’s HR department, responsible for federal employees’ confidential personal information, including things like background checks. As the stories, including the one by my colleague Maurice Nagle, have highlighted, as many as four million records may have been compromised at OPM and also the U.S. Department of the Interior.
As the story is unfolding we know a few things. The first is that investigators believe the breach was accomplished by Chinese hackers, with a strong indication that the hack was done by or for the Chinese government. Several experts familiar with these types of attacks have said the malicious code used to carry out the hack is strikingly similar to the tools used in previous attacks identified as coming from China.
In response, Chinese Foreign Ministry Spokesman Hong Lei said Friday in Beijing: "China itself is also a victim of cyberattacks." He added, "China resolutely tackles cyberattack activities in all forms," and further elaborated that China would like to have more global cooperation "to build a peaceful and safe, open and collaborative cyberspace." Zhu Haiquan, a spokesman from the Chinese Embassy in Washington, commented: "Cyberattacks conducted across countries are hard to track, and therefore the source of attacks is difficult to identify. Jumping to conclusions and making hypothetical accusation is not responsible and counterproductive."
Second, it appears that information about congressional employees and those of the judicial branch of government was not compromised, and that detailed and highly sensitive information about intelligence operatives was likely not appropriated either. Because the investigations are at an early stage, it remains unclear just how much damage has been done.
Third, as is now standard operating procedure, OPM is warning potential victims (current and prior government employees) to monitor their financial statements and get new credit reports.
Fourth, as with the previous data breach at OPM, questions are being raised about why it took so long to detect the problem and why such a thing could have happened in the first place, since OPM specifically and U.S. government agencies in general are high-value targets that Homeland Security officials admit are under daily massive attacks. Such attacks are not confined to state-sponsored actors looking to find new weaknesses to exploit; for a variety of reasons, these targets capture the attention of a broad swath of the bad actor community.
A few choice words from the experts
Needless to say, my inbox is suffering from an overload of IT security expert opinion. And, as has been customary when such high-profile attacks become public, it seems only appropriate to share a few that I think are reflective of professional concerns.
Mark Bower, Global Director - Product Management, HP Security Voltage commented: "Theft of personal and demographic data allows one of the most effective secondary attacks to be mounted: direct spear-phishing to yield access to deeper system access, via credentials or malware thus accessing more sensitive data repositories as a consequence.
“These attacks, now common, bypass classic perimeter defenses and data-at-rest security and can only realistically be neutralized with more contemporary data-centric security technologies adopted already by the leaders in the private sector.
“Detection is too late. Prevention is possible today through data de-identification technology.
“So why is this attack significant? Beyond spear-phishing, knowing detailed personal information past and present creates possible cross-agency attacks given job history data which appears to be in the mix. Thus, it’s likely this attack is less about money, but more about gaining deeper access to other systems and agencies which might even be defense or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft."
Richard Blech, CEO, Secure Channels stated: “This breach should give all citizens massive concern.
“OPM seems a tad blasé about this breach stating that ‘OPM, using new tools, discovered the breach in April, said officials at the agency who declined to comment on who was behind the hack.’
“The new tools cannot be very good if it takes four months to find out you have been breached. The speed and velocity that stolen data proliferates through the hacker black market means that said data has already been exploited. The higher valued data that is held by OPM should have all been deeply encrypted. Their new tools that are detecting and alerting mean nothing if the data is still stolen. The goal is to leave data useless to the hacker when stolen.
“Congratulations, four months later and your state of the art technology has notified you that security and protection has been treated as an after the fact afterthought.”
Igor Baikalov, chief scientist, Securonix observed: “The Annual Hackathon at the Office of Personnel Management is on, and for the second year in a row, Chinese hackers seem to be in the lead, according to federal officials.
“Just like a year ago, the breach at OPM was discovered in the spring, announced in the summer, but apparently was going on since earlier winter. Just like a year ago, DHS Einstein identified the hack, although this time it took over 4 million records to get noticed – apparently, even an automated intrusion detection system suffers from breach fatigue. Just like a year ago, the agency is working aggressively to assess the impact, to notify and offer credit monitoring to millions of victims, and to continue ‘protecting our federal employee data from malicious cyberincidents.’
“The only difference from last year is that now the Pentagon has a new cyber strategy that specifically calls out retaliation as a viable cyber option not only in response to an attack, but also as a principal factor of deterrence. Are we ready to explore it?”
The cynicism of the pros is certainly justifiable. Given that no protection capability is failsafe and that the attackers are highly sophisticated and motivated, what is really puzzling, based on the tools that are available, is why detection took so long. We here in the U.S. are no doubt going to be subjected to a lot of hand-wringing and finger-pointing by our politicians, but at a minimum one can hope there is an increased sense of urgency around assuring, through funding and oversight, that all government information is at least protected using the best tools and best practices.
Attracting skilled and dedicated public servants is hard enough without exposing them to what could be substantial pain, if not real financial and other types of risk. Having the OPM compromised twice in one year has a chilling effect, especially since we don’t know where the trail will ultimately lead on this.
Whether retaliation is a deterrent or not seems problematic. One would think, given everything that has come out about the NSA and its practices, that not only is the U.S. intelligence community actively engaged in developing and using offensive cyber weapons, but that the targets are more than aware of this. What is not problematic is the need to stay current and, hopefully, the need for that new era of cooperation that the Chinese government, ironically, wants to encourage.