OPM breach could be digital Pearl Harbor for U.S.
Government has no time to waste in conducting security overhaul
By Gary Stoller, ThirdCertainty
Talk of a digital Pearl Harbor has circulated in the security and intelligence communities for more than a decade.
Could the massive breach of the U.S. Office of Personnel Management be just that?
In a recent editorial piece, former Department of Homeland Security intelligence undersecretary Charles Allen posits the notion that the OPM hack compromised America’s national security in “infinite ways.”
Allen is now chairman of the Security Policy Reform Council at the Intelligence and National Security Alliance, and principal at The Chertoff Group cybersecurity consultancy. Prior to his stint at DHS, Allen served in the CIA for more than four decades.
So his observations carry some weight. Allen asserts that the OPM hack casts “doubt on the integrity of our entire security clearance system.”
A consensus is gelling in the global cybersecurity and intelligence communities that Allen is on the mark.
“Once a system that’s connected to so many other systems is compromised, there is a potential for widespread compromise that will likely have ripple effects for some time,” says Chief Technology Officer Bryan Ware of cybersecurity analytics vendor Haystax Technology, based in Tysons Corner, Va.
Information likely to migrate
Jamie Miller, CEO of Mission Multiplier Consulting, a cybersecurity consultancy with headquarters in Huntsville, Ala., believes “the likelihood is very high that the compromised information will be sold to other hackers over a long period of time.”
In theory, Miller says, the hackers now have access to millions of Social Security numbers, passport numbers, birth dates and locations, mothers’ maiden names, current and former addresses, schools attended, relatives’ and friends’ names, and information about countries visited and military experience.
The data thieves absconded with sensitive OPM dossiers for 21.5 million individuals, including 19.7 million government employees, contractors and political figures who submitted to deep background investigations as part of applying for security clearances.
Also in the data thieves’ possession are dossiers on 1.8 million others, primarily spouses or co-habitants of applicants—and fingerprints of about 1.1 million individuals.
The spy versus spy scenarios are endless.
Hackers may have planted their own data
Haystax’s Ware, who discussed the OPM breaches with Allen at the Aspen Security Forum in late July, also worries that the intruders may have tampered with records left in place at OPM, “either changing personnel data or perhaps inserting new personnel by a foreign intelligence service.”
“Without even compromising a person by using his personal information to coerce him, there is enough information in this data to successfully steal or forge an identity and perhaps use that identity to gain access to information,” Ware observes.
Eric Chiu, president of HyTrust, a Mountain View, Calif.-based cloud security automation company, notes that the stolen OPM data “can not only be used to create accounts and siphon funds, but it’s even more scary that it can provide a target list for nation states and terrorists to go after government employees with access to sensitive data.”
Security Evangelist Andy Hayter of Atlanta-based G DATA Software, which sells software to protect against viruses and malware, concurs.
“The integrity of our entire security clearance system is in doubt,” Hayter says. “Simply fixing the hacked system may not be enough or may not be done in time, with enough integrity, to ward off another hacking attempt.”
No easy fix
Mitigation, of course, is possible—but not easy. Haystax’s Ware and other information security experts point to numerous converging and conflicting issues that need to be addressed.
“We have to determine if our existing construct for collecting, storing and integrating this data across agencies is still the right construct,” Ware says. “But, most importantly, we need to have a robust counterintelligence program to identify personnel who might be vulnerable to a foreign intelligence service.”
The United States now needs to pay very close attention to folks with top-secret security clearances. “Get those people specific help about the ways they might be exploited and establish a contextual monitoring system that looks for indications that those personnel are being compromised or that their identity is being stolen,” Ware says.
Paul Kurtz, the CEO of TruSTAR Technology and a former White House cybersecurity adviser, says “a complete and comprehensive review of all government IT systems must begin as soon as possible,” and past warnings about security issues “must be taken seriously.”
TruSTAR, based in Baltimore and San Francisco, launched in April the first global anonymous cyber incident sharing platform for enterprises.
No time to waste
Kurtz asserts that “a thorough review of existing (federal) systems should be happening now to determine where new security measures should be instituted, where existing security measures are in place but not being monitored, and, in some cases, where a system cannot be secured in its current state and taken offline.”
Kevin Bocek, Venafi’s vice president of security strategy and threat intelligence, says if “OPM had been using basic SSL/TLS encryption technologies, they wouldn’t be in this predicament in the first place.”
Venafi is a Salt Lake City-based cybersecurity company that develops software to secure and protect cryptographic keys and digital certificates.
Bocek says the federal government issued quick fixes after announcing the breaches. And the Office of Management and Budget mandated federal agencies use HTTPS encryption to start securing Web traffic.
“While both of these initiatives are a good start, much more will need to be done—and quickly,” Bocek says.
Wider use of encrypted Web traffic could be counterproductive, and introduce new ways for data thieves to innovate, he says.
“More encrypted traffic will require bad guys to use HTTPS and either forge or compromise certificates to mount effective cyber attacks,” Bocek warns. “Having more encrypted traffic will make the U.S. an even bigger target for cyber criminals who can hide, take on trusted status and remain undetected, using unprotected keys and certificates.”