So the Office of Personnel Management (OPM) admits it’s suffered what just might be the worst data breach in history, with some 4 million Federal employees’ personal data exposed, and China is once again to blame.
But there’s no escaping that OPM is also to blame. The bad guys breached the data wall in December and went undetected until April; that’s a lot of time to wreak havoc. And it was the second data breach at OPM in less than a year.
Access to all that data means the Chinese – assuming the government’s accusations are correct – now have a mother lode of insight on everyone in the Federal government. There’s enough data there that, in conjunction with other data easily harvested on the open Web, a data-savvy enemy can know pretty much all there is to know about anyone who’s anyone in the Federal government.
Here are some of the most interesting comments we’ve seen since the breach:
Why China: “I have yet to see any exploit that has this level of sophistication and data targeting,” said Ken Ammon, chief strategy officer at security firm Xceedium. “By sophistication, what I’m talking about is what you do to start getting the data out. Getting in is way too easy, but there’s nobody who’s had that level of sophistication for data exfiltration outside of Russia and China. Between the two, I’m placing my bets on the Chinese, because they have had a pretty consistent mission of gathering personal data. The raw data can be used in many ways, and none of them in our national interest.”
Willing to spend: “Only a couple of weeks ago, the government made an important move, and said they recognized the need to increase visibility inside their networks,” said Michael Brown, who until 2012 helped implement the Einstein intrusion-detection technology as the director of cybersecurity coordination at the Department of Homeland Security. “I think you’ll see a move now to buy the technology necessary to do that. It’s an admission that the Einstein program and other current programs are important but not sufficient.”
Out-of-date defenses?: “Einstein 3 was state of the art two years ago,” said James Lewis, senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington. Einstein 3 is an intrusion detection system employed by Federal agencies. “It’s good, but it’s not enough, and we know that because the commercial security industry is already moving away from that kind of defense.”
Protect the data, not just the system: “Cybersecurity must mean more than protecting the system — it must also include protecting data,” said John Cohen, former acting undersecretary for intelligence and analysis at DHS. “If information contained within government and private-sector systems is encrypted, then the harm caused by cyberattacks such as this one would be minimal.”
Hard work: “A sophisticated adversary will spend millions getting into that network, developing advanced malware that doesn’t make a lot of noise and won’t trip the wires,” said Bas Alberts, the head of special projects for the Federal Services Branch of cybersecurity company Immunity Inc. “Network defense is hard, and it’s even harder to do at scale.”
Tip of the spear: “Theft of personal and demographic data allows one of the most effective secondary attacks to be mounted: direct spear-phishing,” said Mark Bower, a security expert with Hewlett-Packard. This offers deeper system access via credentials or malware, “thus accessing more sensitive data repositories as a consequence. Beyond spear-phishing, knowing detailed personal information past and present creates possible cross-agency attacks given job history data appears to be in the mix. Thus, it is likely this attack is less about money, but more about gaining deeper access to other systems and agencies which might even be defence or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft.”
If Bower is right – and the smart money says he is – then this breach paved the way for many more to come. Said a government cyber expert this week: “Right now, we’re just cyber skirmishing. God help us if we get to all-out cyber war.”