“The agency that allowed hackers linked to China to steal private information about nearly every US government employee and detailed personal histories of military and intelligence workers with security clearances failed for years to take basic steps to secure its computer networks, officials acknowledged to Congress on Tuesday.
China denies involvement in the cyberattack, and no evidence has been aired publicly proving Chinese involvement although the government says it has “moderate confidence” China was involved…
The criticism came from within, as well. Michael Esser, the agency’s assistant inspector general for audit, detailed a yearslong failure by OPM to adhere to reasonable cybersecurity practices, and he said that for a long time, the people running the agency’s information technology had no expertise.
Last year, he said, an inspector general’s audit recommended that the agency shut down some of its networks because they were so vulnerable. The director, Katherine Archuleta, declined, saying it would interfere with the agency’s mission.
The hackers were already inside her networks, she later acknowledged.
“You failed utterly and totally,” said committee chairman Jason Chaffetz, a Republican. “They recommended it was so bad that you shut it down and you didn’t.”…
Chaffetz said the two breaches “may be the most devastating cyberattack in our nation’s history”, and said OPM’s security policy was akin to leaving its doors and windows unlocked and expecting nothing to be stolen.
“I am as distressed as you are about how long these systems have gone neglected,” Archuleta said, adding at another point: “The whole of government is responsible and it will take all of us to solve the issue.”…
And because their security clearance applications contain personal information about friends and family, those people’s data is vulnerable as well.”
Read the full article at The Guardian
Senetas high assurance security comments
US Congress heard a damning indictment of the Office of Personnel Management, which seems to have neglected basic cybersecurity practices, a neglect that led to the personal information of almost every government employee being stolen.
Rightly so! It seems that yet again, the most important criticism arising from a serious data breach is simple – a failure to act and a failure to encrypt.
In these cases, arguments and discussions focus too much on the complexities of ‘walls’, ‘moats’, intrusion detection and the like. The issue is very simple: why was such sensitive information not identified and encrypted to the US government’s own certification standards?
If that sensitive employee information were robustly encrypted, these two breaches would not be “the most devastating cyberattack in our nation’s history”!
Moreover, when the US inspector general’s audit recommended that the agency shut down some of its networks because they were so vulnerable, it was a certainty that the agency would either find a work-around or not act at all. And so it was: as the director, Katherine Archuleta, commented, “it would interfere with the agency’s mission”, and they did not act at all.
BUT shutting down the networks would not have been so necessary anyway: had the director implemented a robust encryption policy, the data would have been safe and useless to the hackers.
Encrypting sensitive data is not really a difficult concept.