As news breaks that a second breach at the federal Office of Personnel Management may have seen another set of data, potentially more valuable than that accessed during the first, Philip Lieberman, President of privileged identity management specialists Lieberman Software, has been talking about what went wrong. Here's what he had to say on the matter:

The apparent US Government policy with regard to the protection of commercial enterprises attacked by nation states and others has been benign neglect (perhaps a shoulder to cry on). Current law and government policy forbid commercial enterprises to take any action against the attacker and require them to handle the matter via the rule of law and in the appropriate jurisdiction. Since there has been little to no recourse possible, commercial enterprises have been attacked and damaged with little government assistance. We are told to build better walls and operate in a defensive mode even though both our government and the governments of others have cyber weapons against which commercial enterprises have no effective defence. Using technologies such as air gaps, segmented networks, encryption and privileged identity management can reduce the damage and the scope of damage caused by these weapons. So there is no real defence, only the concept of acceptable loss.

On the other hand, the US Government has been clear that an attack on its citizens and systems would result in a severe response directed by the government itself (which is well within its power and rights). However, there are two issues to review: first, the government agency OPM did not implement appropriate controls in line with the sensitivity of the data it was managing, and did not implement even basic controls to limit the amount of damage to an acceptable loss. Second, there will be an inevitable consequence for the intruder, but unfortunately, a bell cannot be unrung and even with retribution, the information about the government employees is now out in the wild and in the hands of an entity that could cause a great deal of grief for the entire country.

It is a tragedy that the Executive Branch as well as NIST and NSA have been preaching the gospel of security by design, segmentation of data and control, proper identity management, as well as effective monitoring. Here with OPM we have an agency entrusted with the defence of its government employees ignoring the guidance given by the government as well as failing to implement off-the-shelf technologies that are common to the commercial realm. A fix for the problem was a phone call away to virtually any of the defence contractors in the beltway who have been dealing with these types of attacks for decades.

Unfortunately, this problem now falls on the President as Commander in Chief as to an appropriate response. Unfortunately, there is no response that undoes the consequences of the exploit and there is no consequence appropriate to the action taken by this nation state. The President can drop the hammer on the entire Federal Government and the legislature can now mandate appropriate changes for the Federal Government to minimize the chance of a repeat of this scenario.

The statements by the Federal unions are a good sign that they too are ready to allow the implementation of appropriate technologies for privileged access and identity management, auditing, and a change in job rules to allow the Federal Government to operate in a secure manner appropriate to the threats of this day and age.

At its core, this was not so much a problem of technology, as much as it was a lack of process, systems design, lack of external oversight such as the use of penetration testing and red/blue team war games to check and repair weaknesses, as well as the lack of technology and cyber defence staff to automatically stop the attack and at worst, minimize the consequence.

In every tragedy there is an opportunity to create a better future. As the Commander in Chief, the President will now need to deal with serious threats from the outside and serious weaknesses within his own government. I hope that the legislature backs him as well as the unions to change the government so that there will not be a repeat of this scenario (or at least make future attacks less effective).

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

There is only one way to keep sensitive data safe from hacking: Never connect computers containing sensitive data to the Internet.

There is only one way to keep sensitive data safe from hacking: Never connect computers containing sensitive data to the Internet.

Wrong. Even then it's not secure. Someone with an external hard disk or USB stick and access to the data can easily leech it all.
And it doesn't even have to be intentional. People working with such systems often have to transport blocks of data to other systems by such means.
Those USB sticks can get lost, be stolen, the person himself may be untrustworthy and deliberately hand the data (or copies) to third parties.
The recipient and his systems of course have the same potential holes/flaws.

And that happens all the time.

The only way to keep sensitive data from being exposed to people who have no rights to it is to destroy it in such a way that it can't be recovered. Which means paper records get burnt, electronic records get destroyed by powerful magnets and then the storage media melted down.
And all that under the scrutiny of several rings of armed guards.

The OPM doesn't care, because it's
Other
People's
Money

Ironically, I wouldn't be surprised if it was actually budgetary cut-backs which caused OPM to either not invest in the software etc... to properly defend their systems or to not be able to hire people with appropriate expertise to know how to do that (considering the difficulty in firing public servants often cuts are done via hiring freezes).

Investing in gov't services often actually saves money in the long run because it enables proper preventative measures to be taken which are a lot cheaper than trying to put out the fire after it has started. (Hence how the US can spend more on healthcare but have lower life expectancy than most other developed nations).

If the American people are only willing to pay for the military, spy agencies and police forces they will find themselves spending much much more to chase down problems than it would cost them to prevent those problems in the first place.

Edited 1 Year Ago by Agilemind

If the American people are only willing to pay for the military, spy agencies and police forces they will find themselves spending much much more to chase down problems than it would cost them to prevent those problems in the first place.

Those too don't get any money. It all goes towards feel-good programs that buy easy votes for congresscritters.
The US military is at its lowest state of readiness, equipment, and manpower since before the start of WW2 for example.
Foreign intel is even worse off. What does get funded are programs to spy on their own citizens, as those in power are terrified of what those they supposedly serve will do when they've been led by the nose.