The “Real” OPM Data Breach

A lot has been made and should be made of the theft of over 21 million federal employees’ sensitive personnel records and security clearances. 



Everyone rightly, although somewhat selfishly, is worried about identity theft and the compromised privacy of their information.



The government is worried about hostile nation states using the pilfered information to bribe or coerce military, intelligence, high-level political appointees, and others to turn and work for them, or otherwise to use it against them.



But what is grossly missing in this discussion is not what information the Chinese presumably stole and how they will use it against us, but rather what information they inserted into, altered, or otherwise compromised in the OPM personnel and security databases once they had root access to them.



Imagine for a moment what hostile nations or terrorists could do to this crown jewel database of personnel and security information:



– They could insert phony records for spies, moles, or other dangerous persons into the database–voila, these people are now “federal employees” and perhaps with stellar performance records and high level security clearances able to penetrate the depths of the federal government with impunity or even as superstars!



– They could alter personnel or security records, taking prominent or good government employees and sabotaging them with questionable histories, contacts, or financial, drug, or criminal problems, thereby framing or taking down key government figures, diverting attention from the real bad guys out there, and tying our homeland security and law enforcement establishment in knots chasing phony leads and false wrongdoers and villains.



Given that the timeline of the hack of OPM goes back to March and December 2014, this was more than enough time for our adversary not only to do to our data whatever they wanted, but also for the corrupt data entering the system to propagate into the backup tapes.
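The integrity risk raised above (inserted and altered records, with corruption propagating into backups) is the kind of thing a defender can check for, provided an integrity baseline was taken before the compromise and its key was kept out of the database's reach. The following is an added illustration, not anything from OPM or from the original post: each record gets an HMAC tag computed under a key held offline, the tags are stored as a manifest, and an audit compares any later copy of the data (live or a backup) against that manifest. The records, the key, and the "compromise" are constructed sample data; an attacker with root on the database but without the offline key cannot produce valid tags for inserted or altered rows.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice this lives in an HSM or an offline store,
# never on the database host, so a database compromise cannot forge tags.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
TAG_HEX_LEN = 64  # sha256 hex digest length


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so equal records hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the canonical form of one record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_manifest(records, key: bytes = INTEGRITY_KEY) -> dict:
    """Baseline taken before any compromise: record id -> integrity tag."""
    return {r["id"]: tag(r, key) for r in records}


def audit(records, manifest: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Compare a data set (live table or restored backup) against the manifest.

    Returns ids that were altered (tag mismatch), inserted (no tag on file),
    or deleted (tag on file but record missing).
    """
    findings = {"altered": [], "inserted": [], "deleted": []}
    seen = set()
    for r in records:
        seen.add(r["id"])
        expected = manifest.get(r["id"])
        if expected is None:
            findings["inserted"].append(r["id"])
        elif not hmac.compare_digest(expected, tag(r, key)):
            findings["altered"].append(r["id"])
    findings["deleted"] = sorted(set(manifest) - seen)
    return findings


def first_bad_snapshot(snapshots, manifest: dict):
    """Given backups in chronological order, return the index of the first
    one that fails the audit (when the corruption entered), or None."""
    for i, snap in enumerate(snapshots):
        if any(audit(snap, manifest).values()):
            return i
    return None


# Constructed baseline: two clean records and a manifest taken from them.
BASELINE = [
    {"id": "E-1001", "name": "A. Example", "clearance": "SECRET", "adverse_info": False},
    {"id": "E-1002", "name": "B. Example", "clearance": "TS/SCI", "adverse_info": False},
]
MANIFEST = build_manifest(BASELINE)


def simulate_compromise():
    """Constructed scenario: an attacker with database access frames one
    employee and inserts a fictitious one, then the data is audited."""
    tampered = [dict(r) for r in BASELINE]
    tampered[1]["adverse_info"] = True  # a clean record made to look dirty
    tampered.append({"id": "E-9999", "name": "Z. Mole",
                     "clearance": "TS/SCI", "adverse_info": False})
    return audit(tampered, MANIFEST)


def locate_corruption_in_backups():
    """Constructed backup history: two clean snapshots, then the tampered one."""
    tampered = [dict(r) for r in BASELINE]
    tampered[0]["clearance"] = "TS/SCI"  # unauthorized clearance upgrade
    return first_bad_snapshot([BASELINE, BASELINE, tampered], MANIFEST)


if __name__ == "__main__":
    print("clean audit:", audit(BASELINE, MANIFEST))
    print("after compromise:", simulate_compromise())
    print("first corrupt backup index:", locate_corruption_in_backups())
```

The audit only detects what the manifest covers: records created legitimately after the baseline need tags issued through the same offline process, and the manifest itself must be stored where the attacker could not rewrite it.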



The damage done to U.S. national security is unimaginable. As is typically the case with these things, “An ounce of prevention is worth a pound of cure.” Instead of investing in security, now we can invest in “credit monitoring and identity theft protection” for a mere three years, while federal employees will go a lifetime in information jeopardy, and the federal government will be literally chasing its tail on personnel security for decades to come.



With the price so low to our adversaries in attacking our systems, it truly is like stealing and much more. 😉



(Source Photo: Andy Blumenthal)

18 Million–Change The SSNs


So, maybe one of the most detrimental heists of information from the Federal government in history.


Now involving over 18 million current and former federal employees, including military and intelligence personnel. 


No getting around it, but we are majorly screwed here–this is a treasure trove of personal and privacy information ready to use for identity theft, blackmail, assassination/decapitation attacks at home and work addresses, kidnapping of family members, and literally attacking our national security apparatus from the very inside out–its people.


Imagine, if at the time of its choosing, an adversary attacks our nation, but preempts this with sophisticated and coordinated attacks on our critical government personnel–generals, spy masters, political kingpins, and other key decision makers–thereby distracting them from their duties of safeguarding our nation. 


This is our new Achilles’ heel and overall a security disaster bar none!


Well, we can’t go back and put the genie back in the bottle–although wouldn’t it be nice if such critical information (if not encrypted–already unforgivable) had a self-destruct mechanism on it, so that we could at least zap it dead.


But for the people whose personal identities are at risk–whose social security numbers (SSNs) and dates of birth (DOBs) have been compromised what can we do? 


While we can’t very well change people’s DOBs, why not at least issue them new SSNs to help thwart the adversaries peddling this information on the black markets.


If we can put a man on the moon, surely we can issue some 18 million new SSNs and mandate government and financial institutions to make the necessary updates to the records. 


This is not rocket science, and certainly we owe this much to our people to help protect them.


Will our government be there for its own employees and patriots? 😉


(Source Photo: here with attribution to Donkey Hotey)

People Are Our Greatest Asset, Goodbye!


The Chinese are smart and talented, and there is a cyberwar going on. 


They are suspected of having just stolen the personnel information of 4 million federal government workers.


And there are 4.2 million active, including 1.5 million military personnel. 


So if as they are apt to say, “people are our greatest asset”…


…then we just sort of lost the CROWN JEWELS in terms of highly personal, sensitive, and critical information on the people that handle everything from defense and diplomacy to the economy, energy, the environment, justice, and health and wellbeing. 


Oops!


This is getting scary folks. 


When the adversary through cyber (and other) espionage can know our people, our technology, our communications, virtually everything…then we got some big vulnerabilities!


If we can’t defend ourselves adequately (at least for now), I hope at least we are doing okay on the offense! 😉


(Source Photo: Andy Blumenthal)

Dire Warnings On Cybersecurity

This week Adm. Michael Rogers, the Director of the National Security Agency and head of U.S. Cyber Command issued a stark warning to the nation about the state of cybersecurity:



With our cybersecurity over the next decade, “It’s only a matter of the ‘when,’ not the ‘if,’ that we are going to see something dramatic.”



The Wall Street Journal reports that he gave “a candid acknowledgement that the U.S. ISN’T yet prepared to manage the threat!”



China and “one or two others” [i.e., Russia, etc.] are infiltrating our SCADA networks that manage our industrial control systems, including our power turbines and transmission systems.



The cyber spies from the nation states are “leaving behind computer code that could be used to disable the networks in the future.”



Can you imagine…you must imagine, you must prepare–not if, but when. 



(Source Photo: Andy Blumenthal)

Remodulate The Shields For Cyber Security

I really like the concept for Cyber Security by Shape Security.

They have an appliance called a ShapeShifter that uses polymorphism to constantly change a website’s code in order to prevent scripted botnet attacks–even as the web pages themselves maintain their look and feel.

In essence they make the site a moving target, rather than a sitting duck.
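To make the “moving target” idea concrete, here is an added example of the general technique (my own illustration, not Shape Security’s code, and not a description of how the ShapeShifter appliance is actually built): the server rewrites the form field names on every page load to one-time aliases, carries the alias-to-real mapping in a signed hidden field, and maps submissions back. A real browser never notices, because it posts whatever names the page currently carries, while a scripted bot that hard-coded `username` and `password` from an earlier copy of the page is rejected. The form template, secret, field names, and the “browser” and “bot” clients are all constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import re

# Constructed demo secret; a real deployment would rotate this and keep it server-side.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

# Constructed login form. The page's look and feel never change; only the
# name attributes are rewritten per request.
FORM_TEMPLATE = (
    '<form method="post" action="/login">'
    '<input name="username">'
    '<input name="password" type="password">'
    '<input type="hidden" name="__map" value="{state}">'
    '</form>'
)
REAL_FIELDS = ["username", "password"]
STATE_FIELD = "__map"


def _sign(payload: bytes) -> str:
    """Append an HMAC so the client cannot alter or forge the mapping."""
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def _verify(token: str):
    """Return the mapping dict if the token is authentic, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (binascii.Error, ValueError):
        return None
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if len(mac) != 32 or not hmac.compare_digest(expected, mac):
        return None
    return json.loads(payload)


def render_form() -> str:
    """Serve the form with fresh one-time aliases for every real field name."""
    mapping = {"f_" + os.urandom(6).hex(): real for real in REAL_FIELDS}
    html = FORM_TEMPLATE
    for alias, real in mapping.items():
        html = html.replace('name="%s"' % real, 'name="%s"' % alias)
    state = _sign(json.dumps(mapping, sort_keys=True).encode())
    return html.replace("{state}", state)


def handle_submission(form: dict):
    """Map aliased names back to real ones; reject anything not issued with this page."""
    state = _verify(form.get(STATE_FIELD, ""))
    if state is None:
        return None
    decoded = {}
    for name, value in form.items():
        if name == STATE_FIELD:
            continue
        if name not in state:
            return None  # field name was not issued for this page load
        decoded[state[name]] = value
    if set(decoded) != set(REAL_FIELDS):
        return None  # a required field is missing
    return decoded


def browser_like_submit(html: str, values: list) -> dict:
    """What a real browser does: post whatever names the page carries, in order."""
    names = [n for n in re.findall(r'name="([^"]+)"', html) if n != STATE_FIELD]
    state = re.search(r'name="%s" value="([^"]+)"' % STATE_FIELD, html).group(1)
    form = dict(zip(names, values))
    form[STATE_FIELD] = state
    return form


def scripted_bot_submit(stale_html: str, values: list) -> dict:
    """A bot that scraped the field names once and replays them against a fresh page."""
    stale = browser_like_submit(stale_html, values)
    fresh_state = re.search(r'value="([^"]+)"', render_form()).group(1)
    stale[STATE_FIELD] = fresh_state  # the page changed underneath the script
    return stale


if __name__ == "__main__":
    page = render_form()
    print("browser:", handle_submission(browser_like_submit(page, ["alice", "pw"])))
    print("hard-coded names:", handle_submission({"username": "a", "password": "b"}))
    print("stale scrape:", handle_submission(scripted_bot_submit(page, ["alice", "pw"])))
```

The limitation is worth stating: a bot that re-fetches and re-parses the page on every attempt still gets through, so the rewriting raises the attacker’s cost rather than eliminating the attack, and the signed state should additionally expire or be single-use to stop wholesale replay of an old form.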

This is like Star Trek’s modulating shield frequencies that would prevent enemies from obtaining the frequency of the shield emitters so they could then modify their weapons to bypass the shield and get in a deadly attack.

In real life, as hackers readily change their malware, attack vectors, and social engineering tactics, we need to be agile and adapt faster than the enemy to thwart them.

Changing defense tactics has also been used by agencies like Homeland Security to alter screening methods and throw potential terrorists off from a routine that could be more easily overcome.

I think the future of IT Security really lies in the shapeshifter strategy, where the enemy can’t easily penetrate our defenses, because we’re moving so fast that they can’t even find our vulnerabilities and design an effective attack before we change it and up our game again.

And hence, the evil Borg will be vanquished… 😉

Government Shutdown – Starbucks


So today is Day #2 of the Federal Government Shutdown.

This is a picture from the local Starbucks that is typically bustling at lunch time–as you can see, it’s basically a morgue.

Unfortunately, hard-working Federal employees, contractors, and local businesses are feeling the impact!

Even from those that are still working, there is word of “survivor’s guilt”–like with a plane crash or other calamity, when those who survive the catastrophe question why they were so fortunate when the others weren’t so lucky and perished.

With both the budget shutdown and the impending debt ceiling showdown–we are facing the perfect storm, with real negotiation and compromise yet to emerge.

With this all, our significant national problems aren’t going away–to the contrary, Iran and North Korea are still global nuclear threats, Syria still has chemical weapons, the economy remains on shaky ground (in the paper today, the once high-flying pharmaceutical company Merck is planning to lay off 20%!), the national debt continues to spiral out of control (albeit at a “slower pace”), cybersecurity remains a major national security risk (although Cyber Command continues to stand up its new headquarters and firepower), and so much more.

Bubble stocks rose again yesterday after an almost 20% one-year return. Not only that, but the safety of gold took a beating again after an almost 40% one-year decline (full disclosure, I am a recent investor in the latter). One has to wonder how long it will take for sanity to prevail once again.

(Source Photo: Andy Blumenthal)

Raising The Bar On Cybersecurity

Good video by The Washington Post (2 June 2012) on the importance and challenges of cybersecurity.

There are 12 billion devices on the Internet today and this is projected to soar to 50 billion in the next decade.

Cybersecurity is paramount to protecting the vast amounts of critical infrastructure connected to the Internet.

There is a lot riding over the Internet–power, transportation, finance, commerce, defense, and more–and the vulnerabilities inherent in this are huge!

Some notable quotes from the video:

– “Spying, intrusions, and attacks on government and corporate networks occur every hour of every day.”

– “Some sort of cyberwar is generally considered an inevitability.”

– “Cyberwar, although a scary term–I think it is as scary as it sounds.”

– “Right now the bar is so low, it doesn’t take a government, it doesn’t take organized crime to exploit this stuff–that’s what’s dangerous!”

We all have to do our part to raise the bar on cybersecurity–and let’s do it–now, now, now.

(Source Photo: here with attribution to University of Maryland Press Releases)

Cyberwar, You’re On


There was significant news this week about the U.S. and Israel making major inroads with cyberwar capabilities.

First, the New York Times today (1 June 2011) writes about the alleged Bush and Obama administrations’ “increasingly sophisticated [cyber] attacks on the computer systems that run Iran’s main nuclear enrichment facilities”–sabotaging as many as 1,000 centrifuges, delaying their deadly program by as much as 2 years, as well as conducting cyber espionage to strengthen our negotiating hand.

The cyber offensive program code-named Olympic Games allegedly involved cyber weapons codeveloped by the United States’ National Security Agency and Israel’s advanced cyber corps, Unit 8200.

The malware included programs such as Stuxnet, Duqu, and Flame and, according to Bloomberg BusinessWeek (30 May 2012), may date as far back as 2007.

These cyber attacks have been viewed as the best hope of slowing the Iranians’ sinister nuclear program while economic sanctions have a chance to bite.

Additionally, cyber attacks were preferred over using traditional kinetic military options and potentially causing a regional war in the Middle East.

At the same time, the use of cyber weapons is a double-edged sword–if we use it on others, this may encourage cyber proliferation and its eventual use on us–and as the NYT writes, “no country’s infrastructure is more dependent on computer systems and thus, more vulnerable to attack than the United States.”

Therefore, it was good to see in The Washington Post yesterday (30 May 2012) that the Pentagon’s Defense Advanced Research Projects Agency (DARPA) is pursuing Plan X–“ambitious efforts to develop technologies to improve its cyberwarfare capabilities, launch effective attacks, and withstand likely retaliation.”

“If they achieve it, they’re talking about being able to dominate the digital battlefield just like they do the traditional battlefield.”
The “five-year $110 million research program” is seeking to accomplish three major goals in arming U.S. Cyber Command at Fort Meade for cyber war:

1) Mapping Cyberspace–create real-time mapping of the entire cyberspace and all its devices for commanders to use in identifying targets and disabling them and seeing enemy attacks.

2) Building A Survivable O/S–Just like DARPA invented the Internet as a survivable messaging and communication system, so too, they want to develop a battle-ready operating system for our computers (like a tank) “capable of launching attacks and surviving counterattacks.”

3) Develop (Semi-)Autonomous Cyber Weapons–so cyber commanders can engage in “speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code.”

Just to be clear, with cyber warfare, we are not just talking about computers taking out other computers–and end there, but rather this is where computers take out computers that are controlling critical infrastructure such as the power grid, transportation systems, financial systems, supply chain, command, control, and communications, weapons systems, and more.

“Cyberwar could be more humane than pulverizing [targets]…with bombs,” but I doubt it will be.

Imagine, virtually everything you know coming to a complete halt–utter disruption and pandemonium–as well as the physical effects of that which would ensue–that’s what cyber war is all about–and it is already on the way.

So, as Richard M. George, a former NSA cyberdefense official, stated: “Other countries are preparing for a cyberwar. If we’re not pushing the envelope in cyber, somebody else will.”

It is good to see us getting out in front of this cyber security monster–let’s hope, pray, and do everything we can to stay on top as the cyberspace superpower.

(Source Photo: Andy Blumenthal taken of mural at National Defense University, Washington D.C.)

Those In The Know, Sending Some Pretty Clear Warnings


There have been a number of leaders who have stepped up to tell people the real risks we are facing as a nation.

They are not playing politics–they have left the arena.

And as we know, it is much easier to be rosy and optimistic–let’s face it, this is what people want to hear.

But these leaders–national heroes–sacrifice themselves to provide us an unpopular message, at their own reputational risk.

That message is that poor leadership and decision-making in the past is threatening our present and future.

Earlier this week (15 May 2011), I blogged about a documentary called I.O.U.S.A. with David Walker, the former Comptroller General of the United States for 10 years!

Walker was the head of the Government Accountability Office (GAO)–the investigative arm of Congress itself–and has testified before Congress and toured the country warning of the dire fiscal situation confronting us from our proclivity to spend future generations’ money today–the spiraling national deficit.

Today, I read again in Fortune (21 May 2012) an interview with another national hero, former Admiral Mike Mullen, who was chairman of the Joint Chiefs (2007-2011).

Mullen warns bluntly of a number of “existential threats” to the United States–nukes (which he feels are more or less “under control”), cyber security, and the state of our national debt.

Similarly, General Keith Alexander, the Director of the National Security Agency (NSA) and the head of the Pentagon’s Cyber Command has warned that DoD networks are not currently defensible and that attackers could disable our networks and critical infrastructure underpinning our national security and economic stability.

To me, these are well-respected individuals who are sending some pretty clear warning signals about cyber security and our national deficit, not to cause panic, but to inspire substantial change in our national character and strategic priorities.

In I.O.U.S.A., after one talk by Walker on his national tour, the video shows that the media does not even cover the event.

We are comfortable for now and the messages coming down risk shaking us from that comfort zone–are we ready to hear what they are saying?

(Source Photo: here with attribution to Vagawi)

Cloud Second, Security First


Leadership is not about moving forward despite any and all costs, but about addressing issues head on.

Cloud computing holds tremendous promise for efficiency and cost-savings at a time when these issues are front and center of a national debate on our deficit of $14 trillion and growing.

Yet some prominent IT leaders have sought to downplay security concerns, calling them “amplified…to preserve the status quo.” (ComputerWorld, 8 August 2011)

Interestingly, this statement appeared in the press the same week that McAfee reported Operation Shady RAT–“the hacking of more than 70 corporations and government organizations,” 49 of which were in the U.S., and included a dozen defense firms. (Washington Post, 2 August 2011)

The cyber spying took place over a period of 5 years and “led to a massive loss of information.” (Fox News, 4 August 2011)

Moreover, this cyber security tragedy stands not alone, but atop a long list that recently includes prominent organizations in the IT community, such as Google, which last year had its networks broken into and valuable source code stolen, and EMC’s RSA division, which this year had its SecurID computer tokens compromised.

Perhaps we should pay greater heed to our leading cyber security expert, who just this last March stated: “our adversaries in cyberspace are highly capable. Our defenses–across dot-mil and the defense industrial base (DIB)–are not.” (NSA Director and head of Cyber Command General Keith Alexander)

We need to press forward with cloud computing, but be ever careful about protecting our critical infrastructure along the way.

One of the great things about our nation is our ability to share viewpoints, discuss and debate them, and use all information to improve decision-making along the way. We should never close our eyes to the threats on the ground.

(Source Photo: here)