1: How Did It Happen? Well, Why Did Your Car With The Top Down, Keys In, Parked in Da Hood Get Stolen?
Someone, somewhere, decided that they didn’t want to spend the money: undoubtedly they had budget constraints.
So the sensitivity of the data wasn’t properly identified, passwords were used instead of a stronger scheme, the systems involved had “superuser” or “root” accounts that by definition have access to everything, and the users who had access to those root accounts were Chinese nationals in China, who — I think we can fairly say — didn’t meet the U.S. government’s standards for computer security.
Perhaps the biggest issue of all is that the government had centralized the collection of that data into a single web-based system, e-QIP, which means that all this data was collected in one place.
I would bet money that each of these decisions came down to someone saying: “Oh, that’s too hard,” “Hiring offshore workers is cheaper,” “That’s too inconvenient.”
At each of those steps, some security was lost because someone decided it was easier to relax the requirements than to get the more expensive and annoying solution. And while the inspector general was calling out the hazards, no one was willing to rock the boat.
It’s worth it to Read The Whole Thing™ — Charlie’s been around long enough to see a Death March software project or two — but the bottom line seems to be this: it happened because OPM secured the data like the Last Guy Still Using AOL® secured his cute-kitten .jpg files.
2: Nobody Knows How Big The Numbers Are — Because Execs Are Lying
Second, there are some new numbers, and we’re expecting the release of even larger numbers Friday (too late for the evening news). We’ve seen the numbers build from 2.9 to 4 to 14 to 18 to 29 to 32 Million. It gets hazy fast. For instance:
- OPM Director Katharine (“Fat, Incompetent and Stupid is so a way to go through life”) Archuleta, selected for that job by the usual process of Washington racial/ethnic/sex beancounting, insisted that the agency’s final number was 4.2 million. At the same hearing, an FBI officer, Acting Assistant Director for Cyber James Trainor, stood by the Bureau’s 18 million estimate, briefed earlier to Senators by FBI Director James Comey. Trainor, unlike Archuleta, showed his work: an OPM memo, exposing Archuleta as either an incompetent, a liar, or (the smart money says) an incompetent liar.
- House Oversight Chairman Jason Chaffetz, R-Utah, brought up the 32 million number. However, that’s just the cleared personnel and applicants that OPM has mishandled data for; each person’s 150-page questionnaire or electronic equivalent also exposes the data of numerous other persons (references, employers and supervisors, family members, foreign friends) and, more alarmingly yet, the threads that form the skein of relationships of all those people have also been exposed to a hostile intelligence service.
Of course, their defense is, they’re not lying, they’re just so wrapped up in their own red tape they can’t generate diddly.
But the bottom line is this: if you have completed an SF 86 paper security questionnaire or the replacement Electronic Personnel Security Questionnaire (EPSQ) on e-QIP at any time since the early or mid-1980s, you had best assume your secrets are secrets no more.
OPM did not investigate all DOE clearances, so if you had a nuclear clearance but not a DOD one, your information may be safe.
3: They Say They’re Not Lying Now; Forget Lie They Got Caught In Already
Third, the data was exposed as early as 2013 and the OPM senior executives cooperated, de facto, with the hostile intelligence service by minimizing and concealing the extent and seriousness of the breach then. CNN again (emphasis ours):
The roots of the recent OPM breach could be traced to an earlier 2013 OPM breach, investigators now believe. At the time, OPM officials minimized what was taken by hackers, who are believed to be the same responsible for the latest breach. But it turned out what was taken provided blueprints to the OPM network, valuable information for future intruders.
At Wednesday’s House Oversight hearing, Donna Seymour, the agency’s chief information officer, said that in the 2013 breach, hackers took “some manuals about our systems.”
Asked if those manuals were akin to blueprints of OPM’s computer systems, Seymour answered, “It would be fair to say that would give you enough information that you could learn about the platform, the infrastructure of our system, yes.”
Seymour called it a breach of security.
But that contrasts with earlier statements by OPM officials.
What do you think… are they lying now, or were they lying then? Does what we should do with them change based on the answer to this question? (What should we do with them? And should it involve tar, feathers, fire, a trebuchet, and easy assembly instructions?)
In a 2014 interview with WJLA-TV in Washington about the 2013 breach, Archuleta minimized the damage.
“I can tell you the most important piece: No personal identification information was compromised,” she said. “That’s the most important thing. That happened because of the good work and dedication of our employees.”
About the 2013 breach, Archuleta added: “Again, we did not have a breach in security. There was no information that was lost. We were confident as we worked through this that we would be able to protect the data.”
She’s right about one thing: this has happened because of the good work and dedication of her and her employees. Although we’re not sure what the adjective “good” is doing in there.
But it now looks like they didn’t just minimize the response. They deliberately misrepresented the scope and scale of the compromise, according to the Wall Street Journal (requisite Google Search if you’re paywalled out).
The Obama administration for more than a week avoided disclosing the severity of an intrusion into federal computers by defining it as two breaches but divulging just one, said people familiar with the matter.
An OPM spokeswoman said the agency had been “completely consistent” in its accounting of the data breach.
Well, yeah, she and her agency have been completely consistent. They’ve consistently lied. Example? Here’s one from that same article:
A day after the public announcement, an OPM spokesman said there was “no evidence to suggest that information other than what is normally found in a personnel file has been exposed.” By that time, the FBI already knew—and told OPM—that security-clearance forms had been tapped, officials said.
You can tell when Archuleta and Co. lie. Their lips move.
4: Did You Hear The One About The Screwed-Up Response?
Fourth, when the OPM went to notify even the initial 4.2 million victims they admit having, they botched it all over again, using a wildly insecure and unverified email system. (Hardly a surprise. Most key OPM systems were and are running with either no encryption and signing certificates at all, or self-generated ones.) According to Navy Live (an official DOD site):
OPM began conducting notifications to affected individuals using email and/or USPS First Class mail on June 8, 2015. Recognizing the inherent security concerns in this methodology, with OPM and CSID support, DoD suspended notifications to employees on June 11, 2015, until an improved, more secure notification and response process is in place. Late June 15, 2015, OPM advised that email notification resumed. Email notifications should be complete by June 22, 2015. U.S. Postal mail notifications will take longer.
By the way, here’s what an email fraud alert for the crapola lowest-bidder “credit monitoring” service OPM bought no-bid from some crony and is force-feeding to victims looks like:
Yeah, just like a Nigerian scam!
Are that company’s servers as secure as OPM’s (which is to say, not terribly)? Or do you just get hacked yourself if you’re dumb enough to click the Log In Now button in a shady-smelling email like this? Click that red button and you may just find out. (Not here, of course. Here it is just a harmless picture. We think.)
5: FLEOA’s Recommendation Doesn’t Work
Fifth, here is what is happening: when federal Special Agents, intelligence agency staff and contractors, and other cleared personnel call up the credit bureaux about their records, they’re getting blown off. As one disillusioned Fed put it to us:
The credit companies have so many calls from government employees for fraud alerts that they want you to go online and do it. They do not want your call.
At first, the staff at Experian, TransUnion, etc., may have fielded the calls personally, but soon the party line was “Don’t waste time on Federal employees and contractors.” Those unfortunates should not expect personal service; after all, the credit resellers aren’t getting paid for helping victims of enemies foreign (hackers) and domestic (OPM brass). Instead, some outfit you never heard of got a huge no-bid contract to further surveil you. (Wonder if there’s a kickback to the OPM panjandrums).
“Hang up and order a credit report online.” Click.
Soon, the firms’ initial voicemail menus were changed to cut hack victims off before even getting to that point. When you dial in, before you get the voice menu, you’re told not to bother calling the telephone line, if you’re an OPM victim. They can’t stop you from getting your one statutory credit report per year, but they can make it as difficult as they like — and they do.
The Bottom Line
OPM, after doing just about everything it could to give away the security data, is now finger-pointing, to the extent it’s doing anything. (Hey, you can’t interfere with the 10 AM-3 PM Federal workday with a two-hour lunch. That’s an entitlement for these drones.) They haven’t even updated their own data breach information page since the 23rd — two full days ago.
Director Archuleta seems to think that these so-called “workers” are more useful to the taxpayers than the same number of empty chairs. Where’s the evidence for that proposition?
She also thinks that OPM has been a good steward of secret and sensitive information. On which planet, in which galaxy, does this remarkable condition obtain? Not, we submit, on ours.
She has decided, to the extent this idle bag of suet decides anything, that what the OPM really needs to recover from this Grand Slam of Beltway hackery is to hire another Beltway tusker, to be called a “Cybersecurity Advisor.”
Sounds like a job for Jamie Gorelick.