OPM Breach: US Gov policy one of 'benign neglect'

happygeek

As news breaks that a second breach at the federal Office of Personnel Management may have seen another set of data, potentially more valuable than that accessed during the first, Philip Lieberman, President of privileged identity management specialists Lieberman Software, has been talking about what went wrong. Here's what he had to say on the matter:

The apparent US Government policy with regard to the protection of commercial enterprises attacked by nation states and others has been benign neglect (perhaps a shoulder to cry on). Current law and government policy forbid commercial enterprises to take any action against the attacker and require them to handle the matter via the rule of law and in the appropriate jurisdiction. Since there has been little to no recourse possible, commercial enterprises have been attacked and damaged with little government assistance. We are told to build better walls and operate in a defensive mode even though both our government and the governments of others have cyber weapons against which commercial enterprises have no effective defence. Using technologies such as air gaps, segmented networks, encryption and privileged identity management can reduce the damage and scope of damage caused by these weapons. So there is no real defence, only the concept of acceptable loss.

On the other hand, the US Government has been clear that an attack on its citizens and systems would result in a severe response directed by the government itself (which is well within its power and rights). However, there are two issues to review: first, the government agency OPM did not implement appropriate controls in line with the sensitivity of the data it was managing, and did not implement even basic controls to limit the amount of damage to an acceptable loss. Second, there will be an inevitable consequence for the intruder, but unfortunately, a bell cannot be unrung and even with retribution, the information about the government employees is now out in the wild and in the hands of an entity that could cause a great deal of grief for the entire country.

It is a tragedy that the Executive Branch as well as NIST and NSA have been preaching the gospel of security by design, segmentation of data and control, proper identity management, as well as effective monitoring. Here with OPM we have an agency entrusted with the defence of its government employees ignoring the guidance given by the government as well as failing to implement off-the-shelf technologies that are common to the commercial realm. A fix for the problem was a phone call away to virtually any of the defence contractors in the beltway who have been dealing with these types of attacks for decades.

Unfortunately, this problem now falls on the President as Commander in Chief as to an appropriate response. Unfortunately, there is no response that undoes the consequences of the exploit and there is no consequence appropriate to the action taken by this nation state. The President can drop the hammer on the entire Federal Government and the legislature can now mandate appropriate changes for the Federal Government to minimize the chance of a repeat of this scenario.

The statements by the Federal unions are a good sign that they too are ready to allow the implementation of appropriate technologies for privileged access and identity management, auditing, and a change in job rules to allow the Federal Government to operate in a secure manner appropriate to the threats of this day and age.

At its core, this was not so much a problem of technology, as much as it was a lack of process, systems design, lack of external oversight such as the use of penetration testing and red/blue team war games to check and repair weaknesses, as well as the lack of technology and cyber defence staff to automatically stop the attack and at worst, minimize the consequence.

In every tragedy there is an opportunity to create a better future. As the Commander in Chief, the President will now need to deal with serious threats from the outside and serious weaknesses within his own government. I hope that the legislature backs him as well as the unions to change the government so that there will not be a repeat of this scenario (or at least make future attacks less effective).

MidiMagic 579 Nearly a Senior Poster

There is only one way to keep sensitive data safe from hacking: Never connect computers containing sensitive data to the Internet.

almostbob 866 Retired: passive income ROCKS

the OPM don't care, because its
Other
People's
Money

jwenting 1,889 duckman Team Colleague

There is only one way to keep sensitive data safe from hacking: Never connect computers containing sensitive data to the Internet.

Wrong. Even then it's not secure. Someone with an external hard disk or USB stick and access to the data can easily leech it all.
And it doesn't even have to be intentional. People working with such systems often have to transport blocks of data to other systems by such means.
Those USB sticks can get lost, be stolen, the person himself may be untrustworthy and deliberately hand the data (or copies) to third parties.
The recipient and his systems of course have the same potential holes/flaws.

And that happens all the time.

The only way to keep sensitive data from being exposed to people who have no rights to it is to destroy it in such a way that it can't be recovered. Which means paper records get burnt, electronic records get destroyed by powerful magnets and then the storage media melted down.
And all that under the scrutiny of several rings of armed guards.

Agilemind 0 Posting Whiz in Training

the OPM don't care, because its
Other
People's
Money

Ironically, I wouldn't be surprised if it was actually budgetary cut-backs which caused OPM to either not invest in the software etc... to properly defend their systems or to not be able to hire people with appropriate expertise to know how to do that (considering the difficulty in firing public servants often cuts are done via hiring freezes).

Investing in gov't services often actually saves money in the long run because it enables proper preventative measures to be taken which are a lot cheaper than trying to put out the fire after it has started. (Hence how the US can spend more on healthcare but have lower life expectancy than most other developed nations).

If the American people are only willing to pay for the military, spy agencies and police forces they will find themselves spending much much more to chase down problems than it would cost them to prevent those problems in the first place.

jwenting 1,889 duckman Team Colleague

If the American people are only willing to pay for the military, spy agencies and police forces they will find themselves spending much much more to chase down problems than it would cost them to prevent those problems in the first place.

Those too don't get any money. It all goes towards feel-good programs that buy easy votes for congresscritters.
The US military is at its lowest state of readiness, equipment, and manpower since before the start of WW2 for example.
Foreign intel is even worse off. What does get funded are programs to spy on their own citizens, as those in power are terrified of what those they supposedly serve will do when they've been led by the nose.
