As it becomes apparent that the federal data breach experienced by the Office of Personnel Management (OPM) is larger than first believed, exposing the Social Security numbers and personnel records of every federal worker – and as reports emerged that some of those records had surfaced on the darknet – members of Congress clashed over languishing cyber-security legislation.
In a letter to OPM Director Karen Archuletta (found here on scribd.com), American Federation of Government Employees (AFGE) President David Cox said, “Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.”
Included in that is “every affected person's Social Security number, military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race union status, and more,” he said.
Chris Roberts, founder and CTO of OneWorldLabs (OWL) told FoxNews that login credentials into OPM systems have already hit the darknet. “The recent OPM breach was identified, noted and the credentials and identities have been discovered online and are being traded actively,” Roberts said in the report. Roberts, who recently caught flack from the FBI for allegedly hacking into airplane systems, added that typically means accounts "are usually ‘live' and are part of a larger breach.”
Calling the breach a “travesty,” Richard Blech, CEO and co-founder of Secure Channels said in emailed comments to SCMagazine.com that “while you can get a new credit card number, you are not going to get a new Social Security number or some of the other user identity sensitive data.”
The breach “is going to cost the government and – as usual – the taxpayers billions to clean up this mess, and the repercussions of this breach will have effects for many years to come,” Blech predicted.
Phil Lieberman, CEO of Lieberman Software, took the federal government to task for preaching security to private industry but not taking that advice to heart itself.
“It is a tragedy that the executive branch, as well as NIST and NSA, have been preaching the gospel of security by design, segmentation of data and control, proper identity management, as well as effective monitoring,” Lieberman said in comments emailed to SCMagazine.com. “Here with OPM we have an agency entrusted with the defense of its government employees ignoring the guidance given by the government, as well as failing to implement off-the-shelf technologies that are common to the commercial realm.”
Noting that in “every tragedy there is an opportunity to create a better future,” Lieberman said President Obama will now be tasked with dealing with serious threats from the outside and weaknesses from inside government. “I hope that the legislature backs him, as well as the unions, to change the government so that there will not be a repeat of this scenario (or at least make future attacks less effective),” he said.
Indeed, Senate Majority Leader Mitch McConnell, R-Ky., used the breach to try to push through the Cyber-security Information Sharing Act (CISA) as an amendment to the Defense Authorisation Bill and admonished Democrats for playing politics if they attempt to block the bill, infuriating senator Harry Reid.
“For five years, five years, we tried to get a cyber-security bill up,” said Reid, according to a report in The Hill. “Every time we got it up, it was stopped by the Republicans. Every step of the way my Republican friends blocked us. So talk about cynicism and hypocrisy.”
CISA was given the go-ahead in a 14-1 vote last March by the Senate Intelligence Committee but Congress did not move on it quickly. Privacy groups have expressed dissatisfaction with the bill, saying that it “disregards the fact that information sharing can – and to be truly effective, must – offer both security and robust privacy protections.”
In a 56-40 vote Thursday, the Senate failed to gain enough support for the Defense Authorisation Bill to push it through.
French Caldwell, former vice president and fellow at Gartner and now chief evangelist at MetricStream, noted, "While information-sharing bills may be a step in the right direction for cyber-security, there is one major factor that has not been addressed by this legislation: the significance of anonymising data while still making it useful for the greater good."
In comments emailed to SCMagazine.com, Caldwell said that while data anonymisation has not been addressed enough in the current bill, it “could be later through the regulation that emerges after the fact.” But, he added, “in order for this important initiative to truly be effective, the governing body needs to establish and enforce standards for information-sharing, or risk non-participation by the companies that could very well hold the keys to overcoming some of our world's toughest cyber-security issues."
Another issue looming large is how to react or retaliate to the breach. While the government has not officially fingered China as orchestrating the attack, it is widely believed the nation has been tooling around in federal systems for a year or so.
“More and more officials are pointing fingers to China as the most likely culprit in the attack, but there was no official statement to that regard and it's naive to expect one,” Igor Baikalov, chief scientist at Securonix said in comments emailed to SCMagazine.com.
But Baikalov urged the U.S. not to claim any moral high ground. “First of all, the U.S. spies for "national security advantages" just like China does,” he said. “Second, and most frustrating, the problem is that there's not much the U.S. can do to retaliate for this attack: economic sanctions (a no-brainer in the North Korea case) are hardly applicable to the country that holds most of your national debt.”
While Lieberman noted that “unfortunately, there is no response that undoes the consequences of the exploit and there is no consequence appropriate to the action taken by this nation-state,” he did say “the president can drop the hammer on the entire federal government and the legislature can now mandate appropriate changes for the federal government to minimize the chance of a repeat of this scenario.”