Summary: We’re into the phase of the OPM records breach scandal where the US public policy crisis process predictably breaks down into finger pointing and aggressive guessing. Here is a brief on what little we know, and pointers on what we certainly don’t know. {2nd of 2 posts today.}
Contents
- How was it done?
- What was taken?
- Who was at fault?
- Who did it?
- Panic!
- For More Information
(1) How was it done?
We can learn the bare bones about this series of attacks from the statement by Office of Personnel Management (OPM) Director Katherine Archuleta (bio here) to the House Oversight and Government Reform Committee. For an easier to read version see this typically excellent ars technica article by Sean Gallagher…
Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
Beyond this we hear mostly guesswork.
(2) What was taken?
Lots of high-volume guessing in the news. The best answer might be: lots was taken. The Director’s statement says “we have not yet determined its scope and impact”. For a more precise answer see…
When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM’s systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, “I would be glad to discuss that in a classified setting.” That was Archuleta’s response to nearly all of the committee members’ questions over the course of the hearing this morning.
… Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM’s systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnify the problems the government faces in securing its networks, and OPM’s data breach may just be the biggest one that the government knows about to date. {ars technica}
(3) Who was at fault? The key question we refuse to answer.
Congress increasingly prefers the role of journalist and scold to that of legislature. They’re not strong on managing the Republic, but they love to point fingers when things go wrong.
“We get exactly the IT security we’re willing to pay for” by Steven J. Vaughan-Nichols at ZDnet — “A big part of the Office of Personnel Management’s security fiasco can be blamed on hopelessly archaic computers and a government that refuses to fund their replacements.” Excerpt; red emphasis added.
In 2011, the OPM’s Federal Data Center Consolidation Initiative (FDCCI) observed that the last major OPM data center update happened in the mid 1990s. In other words, Windows 95 was the hot new desktop when OPM’s mainframes were last given a through overhaul. As you might guess, in 2011 the OPM already realized that “Many critical applications at OPM are hosted on legacy platforms and have not been re- architected in many years. In some cases, documentation of these systems is lacking, making it difficult to estimate time and cost of consolidation.”
Why? The OPM’s IT deparment “has historically been underfunded, especially on the operations side, making it difficult to make investments in consolidation projects, even when those have positive ROI in later years.”
The OPM report shows that the organization was well aware of its problems. Looking ahead, the agency wanted to move to a modern virtualized, cloud-based system, but it was never sufficiently funded.
After the OPM was hacked in March 2014 — oh yes this successful attack wasn’t the first — Seymour said “Our antiquated technology may have helped us a little bit.” It didn’t this time. Security by obscurity never works for long.
Fast forward to this year. In the OPM’s 2016 budget request, it asked for $32 million more. Archuleta wrote “Most of these funds will be directed towards investments in IT network infrastructure and security. As a proprietor of sensitive data – – including personally identifiable information for 32 million federal employees and retirees — OPM has an obligation to maintain contemporary and robust cybersecurity controls.”
Clearly, OPM long knew they had a major problem on their hands due to their reliance on out-of-date equipment and software. They knew their obsolete IT infrastructure made them more vulnerable to hackers. And, they knew what the answer was. It’s just too bad they couldn’t get Congress to pay for it.
Congress, which has been mired in partisan politics for years, has been barely able to function at all. For example, Congress barely kept the Department of Homeland Security running earlier this year.
The real culprits behind the OPM hack aren’t Archuleta and Seymour They’re the scapegoats. The real blame should fall on Congress, which as they showed in the 2013 budget sequestration, refuse to rationally budget for critical government needs.
Without sufficient funding, the OPM might as well tried using stone knives and bear skins to secure its systems. Just because Mr. Spock could work technical miracles on Star Trek with obsolete tech is no reason to think OPM’s IT staff could do it in real life.
Ars technica seconds this motion to blame Congress.
But some of the security issues at OPM fall on Congress’ shoulders — the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM’s investigation process told Ars, was essentially a company made up of “some OPM people who quit the agency and started up USIS on a shoestring.”
When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—”a bunch of people on an even thinner shoestring. Now if you get investigated, it’s by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account.”
(4) Who did it?
As usual, government officials point to the enemy most useful to blame. Today that’s China. The stenographers at the major media dutifully report what they say as fact, despite the overwhelming consensus of security experts (i.e., those not paid by the government) that attribution of competent attacks ranges from difficult to impossible. The government has given us no basis to believe they have reliable evidence pointing to China.
Perhaps we’ll never know who did it until they use the information stolen. If we do not hear about its use, then we should re-think the story.
For more about this see…
- Cyberwar: About Attribution (identifying your attacker). by Marcus Ranum.
- How do we identify our attackers in cyberspace? by Marcus Ranum.
- The horror of cyberspace: we can’t easily identify our attackers, by Marcus Ranum.
- Identifying the guilty: tying nation states to cyber espionage, by Emilio Iasiello.
(5) Panic!
Typical when a crisis management process collapses, panic spreads. As we see in today’s Military Times. I expect it will get worse. Promoting panic is the primary tool used by the Deep State to keep us fearful and supportive of their work. Remember the anthrax scare that played a big role after 9/11 in changing the path of America!
Anxiety is spreading among defense officials and the military community that the recent theft of federal government data linked to China may affect hundreds of thousands of service members.
Compounding those concerns is the limited information made public by the Office of Personnel Management.
Some military officials believe the recent hack targeting the civilian-run OPM seized information from tens of thousands of Standard Form 86s, which are required for all service members and civilians seeking a security clearance. That includes service members of all ranks, officers and enlisted, in a wide range of job specialties and assignments.
“They got everyone’s SF-86,” one Pentagon official familiar with the investigation told Military Times. The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions.
Of course, every problem is an opportunity for Right-wing hackery, as in this by Richard Fernandez at PJ Media: “Social Engineering“. He blames the director of the Office of Personnel Management, with the odd complaint that “Nowhere, however does her biography indicate that she knows diddly squat about computers, computer networks or security.” Also, he finds it odd that an HR person is proud of her membership in an “inclusive workforce that reflects the diversity of America”. Both of these things are quite typical of HR managers. Richard needs to get out more.
(6) For More Information
Update: “‘EPIC’ fail. How OPM hackers tapped the mother lode of espionage data” by Sean Gallagher at ars technica.
If you liked this post, like us on Facebook and follow us on Twitter. See all posts about Cyber-espionage and Cyber-war! To learn more about this vital subject, here are some useful books:
- Kevin Mitnick’s Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
,
- Andy Greenberg’s This Machine Kills Secrets: How WikiLeakers, Cypherpunks, and Hacktivists Aim to Free the World’s Information
,
- Brian Krebs’ Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door
.
- Kim Zetter’s Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon
, describing the new era of war and preparing you for the next attack (see a review here).
Throwing more money at OPM’s systems would not have resulted in better, better managed systems – it would have resulted in up-to-date systems that were compromised. Newer is not better; the problem is lack of management vision, lack of critical focus, and a complete failure to understand the significance of transitive trust applied to data. A complete bonehead sitting behind a Windows 95 machine is not any more or less dangerous than the same complete bonehead sitting behind a high-end desktop running a new release of a cool operating system. This is what is sometimes referred to in computer customer service as an “EBCK” (Error Between Chair and Keyboard)
it’s hard to read accurately between the lines but it sounds like credentials were stolen, which probably means a fairly basic phishing attack. Put that atop the fact that apparently OPM’s auditors had been pointing out problems for years, and I’m not convinced the attacker was any more sophisticated than an introductory-level script kiddy. There has been nothing presented that sounds in the remotest like that this was a sophisticated state-sponsored attack; it sounds like it was an average attack against an unsophisticated target.
Marcus,
Thank you! That’s useful analysis.
What does someone — China or Mafia or boy-next-door do with millions of personnel records? Who has the resources to use it? Selling it sounds like a fast track to Leavenworth. Or if they’re really angry, to a Federal supermax prison.
During the Cold War, the Russians used this sort of information to identify people they could compromise for future spy operations.
It is likely to be a hired attack from somebody fairly big in the spy circles (Russia, Israel, the Mexican drug cartels) looking to do the same sort of thing. In theory it could have been commissioned by members of the Deep State to keep government employees on their toes or to look for the next Edward Snowden, but I find that far-fetched.
Pluto,
It could have been any of those. Or hacker groups doing this for fun. Guessing tells us nothing. The govts’ statements suggest that know nothing.
The ars technica article today is a joke, saying the gov’t thinks it was China because the hackers used a windows PowerShell attack. That is nuts, as this is commonly used by hackers. They might as well say it was China because they used Excel.
The latest story is that OPM farmed out the work on the databases to overseas contractors, some of whom were based in mainland China. There have also been PRC nationals who were working onsite in DC as H1b consultants with root access to systems and databases.
Les,
The origin of that story is the ars technica story quoted in this post. These quotes look weakly substantiated, IMO. The great problem with these exciting stories is that rumors are more plentiful and exciting than facts.
Per the House hearing, the hackers stole the logins through private contractors. See http://www.nextgov.com/cybersecurity/2015/06/heated-house-hearing-offers-new-clues-how-hackers-broke-opm-networks/115474/ .
It’s not that the contractors were spies but that their locations and nationalities made them more vulnerable.
Les,
Be careful about interpreting anonymous sources. They have a long record of proving to be false. Especially when, as here, they shift the blame from the govt agency to outside contractors.
Remember the fact that Snowden “downloaded1.7 million documents”? Repeated endlessly as gospel truth. A year later the head of the NSA admitted that they have no way of knowing, and they just made up that number.
For more examples of stories about these incidents proving to be lies see Why do we believe, when the government lies to us so often? Let’s try to do better this time.