OPM breach could be digital Pearl Harbor for U.S.

Government has no time to waste in conducting a security overhaul


Talk of a digital Pearl Harbor has circulated in the security and intelligence communities for more than a decade.

Could the massive breach of the U.S. Office of Personnel Management be just that?

In a recent editorial piece, former Department of Homeland Security intelligence undersecretary Charles Allen posits the notion that the OPM hack compromised America’s national security in “infinite ways.”


Charles Allen, Security Policy Reform Council chairman and principal at The Chertoff Group

Allen is now chairman of the Security Policy Reform Council at the Intelligence and National Security Alliance, and principal at The Chertoff Group cybersecurity consultancy. Prior to his stint at DHS, Allen served in the CIA for more than four decades.

So his observations carry some weight. Allen asserts that the OPM hack casts “doubt on the integrity of our entire security clearance system.”

A consensus is gelling in the global cybersecurity and intelligence communities that Allen is on the mark.

“Once a system that’s connected to so many other systems is compromised, there is a potential for widespread compromise that will likely have ripple effects for some time,” says Chief Technology Officer Bryan Ware of cybersecurity analytics vendor Haystax Technology, based in Tysons Corner, Va.

Information likely to migrate

Jamie Miller, CEO of Mission Multiplier Consulting, a cybersecurity consultancy headquartered in Huntsville, Ala., believes “the likelihood is very high that the compromised information will be sold to other hackers over a long period of time.”

In theory, Miller says, the hackers now have access to millions of Social Security numbers, passport numbers, birth dates and locations, mothers’ maiden names, current and former addresses, schools attended, relatives’ and friends’ names, and information about countries visited and military experience.

The data thieves absconded with sensitive OPM dossiers for 21.5 million individuals, including 19.7 million government employees, contractors and political figures who submitted to deep background investigations as part of applying for security clearances.

Also in the data thieves’ possession are dossiers on 1.8 million others, primarily spouses or co-habitants of applicants—and fingerprints of about 1.1 million individuals.

The spy versus spy scenarios are endless.

Hackers may have planted their own data

Haystax’s Ware, who discussed the OPM breaches with Allen at the Aspen Security Forum in late July, worries that the intruders may additionally have tampered with records left in place at OPM, “either changing personnel data or perhaps inserting new personnel by a foreign intelligence service.”

“Without even compromising a person by using his personal information to coerce him, there is enough information in this data to successfully steal or forge an identity and perhaps use that identity to gain access to information,” Ware observes.

Eric Chiu, president of HyTrust, a Mountain View, Calif.-based cloud security automation company, notes that the stolen OPM data “can not only be used to create accounts and siphon funds, but it’s even more scary that it can provide a target list for nation states and terrorists to go after government employees with access to sensitive data.”

Security Evangelist Andy Hayter of Atlanta-based DATA Software, which sells software to protect against viruses and malware, concurs.

“The integrity of our entire security clearance system is in doubt,” Hayter says. “Simply fixing the hacked system may not be enough or may not be done in time, with enough integrity, to ward off another hacking attempt.”

No easy fix

Mitigation, of course, is possible—but not easy. Haystax’s Ware and other information security experts point to numerous converging and conflicting issues that need to be addressed.

“We have to determine if our existing construct for collecting, storing and integrating this data across agencies is still the right construct,” Ware says. “But, most importantly, we need to have a robust counterintelligence program to identify personnel who might be vulnerable to a foreign intelligence service.”

The United States now needs to pay very close attention to folks with top-secret security clearances. “Get those people specific help about the ways they might be exploited and establish a contextual monitoring system that looks for indications that those personnel are being compromised or that their identity is being stolen,” Ware says.

Paul Kurtz, the CEO of TruSTAR Technology and a former White House cybersecurity adviser, says “a complete and comprehensive review of all government IT systems must begin as soon as possible,” and past warnings about security issues “must be taken seriously.”

TruSTAR, based in Baltimore and San Francisco, launched in April what it bills as the first global anonymous cyber incident sharing platform for enterprises.

No time to waste

Kurtz asserts that “a thorough review of existing (federal) systems should be happening now to determine where new security measures should be instituted, where existing security measures are in place but not being monitored, and, in some cases, where a system cannot be secured in its current state and taken offline.”

Kevin Bocek, Venafi vice president of security strategy and threat intelligence

Kevin Bocek, Venafi’s vice president of security strategy and threat intelligence, says if “OPM had been using basic SSL/TLS encryption technologies, they wouldn’t be in this predicament in the first place.”

Venafi is a Salt Lake City-based cybersecurity company that develops software to secure and protect cryptographic keys and digital certificates.

Bocek notes that the federal government issued quick fixes after announcing the breaches, and that the Office of Management and Budget has mandated that federal agencies use HTTPS to secure Web traffic.

“While both of these initiatives are a good start, much more will need to be done—and quickly,” Bocek says.
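Whether a site actually meets an HTTPS-only mandate like OMB's is something an agency can check for itself. The following is an added example, not code from the original article nor from OPM, OMB or any vendor quoted here. It evaluates a site's captured plain-HTTP and HTTPS responses for a redirect to HTTPS and for a valid Strict-Transport-Security header parsed per RFC 6797, including the trap that browsers ignore HSTS sent over plain HTTP. The sample responses are constructed, and the one-year max-age threshold is the example's own choice rather than a figure taken from the mandate.

```python
"""HTTPS-only policy check over captured responses.

Added example, not code from the original article, OPM, OMB or any vendor
quoted in it. It evaluates already-captured HTTP/HTTPS responses, so it
runs offline; the sample responses at the bottom are constructed. The
one-year max-age threshold is this example's own choice.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# A captured response: (status code, headers). Header names are matched
# case-insensitively below, as HTTP requires.
Response = Tuple[int, Dict[str, str]]

ONE_YEAR = 365 * 24 * 3600
REDIRECT_CODES = {301, 302, 307, 308}


def parse_hsts(value: Optional[str]) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Returns None when the header is absent or invalid: max-age is
    mandatory, must be a non-negative integer, and no directive may
    appear twice. Directive names are case-insensitive; unknown
    directives are ignored so future extensions do not break parsing.
    """
    if value is None:
        return None
    seen = set()
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def _lower_headers(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def assess_https_policy(http_resp: Response, https_resp: Response) -> List[str]:
    """Return a list of policy findings; an empty list means the endpoint passes.

    http_resp is the response to a plain http:// request for the site,
    https_resp the response to the https:// request.
    """
    findings: List[str] = []

    status, headers = http_resp
    h = _lower_headers(headers)
    location = urlsplit(h.get("location", ""))
    if status not in REDIRECT_CODES or location.scheme.lower() != "https":
        findings.append("http-not-redirected-to-https")
    if "strict-transport-security" in h:
        # Browsers discard HSTS received over plain HTTP (RFC 6797 section 8.1),
        # so a header here gives a false sense of coverage.
        findings.append("hsts-sent-over-http-is-ignored")

    _, headers = https_resp
    policy = parse_hsts(_lower_headers(headers).get("strict-transport-security"))
    if policy is None:
        findings.append("hsts-missing-or-malformed")
    else:
        max_age = int(policy["max_age"])
        if max_age == 0:
            findings.append("hsts-max-age-zero-removes-policy")
        elif max_age < ONE_YEAR:
            findings.append("hsts-max-age-below-one-year")
        if not policy["include_subdomains"]:
            findings.append("hsts-without-includesubdomains")
    return findings


# Constructed sample captures (not real agency responses).
SAMPLE_GOOD = (
    (301, {"Location": "https://www.example.gov/"}),
    (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
)
SAMPLE_BAD = (
    (200, {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"}),
    (200, {"Content-Type": "text/html"}),
)
SAMPLE_WEAK = (
    (302, {"location": "https://www.example.gov/"}),
    (200, {"strict-transport-security": "Max-Age=300"}),
)

if __name__ == "__main__":
    for name, (http_resp, https_resp) in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("weak", SAMPLE_WEAK)):
        print(name, assess_https_policy(http_resp, https_resp) or ["pass"])
```

Feeding real captures in place of the constructed tuples (for example from a crawler that records each agency hostname's HTTP and HTTPS responses) turns this into an inventory report; the findings list is deliberately machine-readable so it can be aggregated across many hosts.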

Wider use of encrypted Web traffic could be counterproductive, he says, and introduce new ways for data thieves to innovate.

“More encrypted traffic will require bad guys to use HTTPS and either forge or compromise certificates to mount effective cyber attacks,” Bocek warns. “Having more encrypted traffic will make the U.S. an even bigger target for cyber criminals who can hide, take on trusted status and remain undetected, using unprotected keys and certificates.”

More on the OPM breach:
Company with contractors gone wild gets OPM deal
Lawmakers want to pull clearance control from OPM
New numbers show staggering depth of OPM breach


Posted in Data Breach, News & Analysis