There is a little-followed mini-series, a Security-drama playing out in the lives of Government Employees right now -- but you wouldn't know it from all the Sky-is-Falling, Beware-of-ISIS reporting, flooding the Media bread-lines.
You see EVERYTHING that defines you, as YOU -- your Electronic Identifiers as it were -- recently fell into the hands of some "unknown" foreign invader(s), and barely an alarm has been raised.
Apparently they are "still assessing" the depth of the problem(s) ... taking place in center ring.
Security clearance hack stretches back full year
by Cory Bennett, thehill.com -- June 19, 2015
Office of Personnel Management (OPM) officials acknowledged late Thursday that a data breach exposing security clearance data occurred a full year ago, The Washington Post reported.
The revelation that hackers spent a full year in the OPM networks without being discovered gave them considerable time to pilfer as much data as they wanted.
[...]
The infiltrated system also includes private data on workers’ families and financial records. Government contractors were in the database as well, officials confirmed Thursday.
[...]
Such an exhaustive portfolio could be used for many types of digital exploitation, blackmail or even to recruit informants, according to security experts.
[...]
They hacked "personnel" information including: SS#, DOB, Past Addresses, former Employers, Bank Acct# etc, etc.
EVERYTHING that a good Hacker needs, to virtually become YOU! (if you were one of the unfortunate MANY, that is ...)
Certainly there will be Hell-to-Pay for this 'attack on the Homeland' -- no stone unturned, no sanction too strict ... ~Well~
White House Weighs Sanctions After Second Breach of a Computer System
by Michael D. Shear and Scott Shane, nytimes.com -- June 12, 2015
[...]
At the White House, officials said that Mr. Obama was weighing the use of an executive order he signed in April that allows the Treasury secretary to impose sanctions on individuals or groups that engage in malicious cyberattacks, or people who benefit from them.
[...]
Mr. Obama signed the executive order after the attack on Sony Pictures’ computer network, an intrusion that American officials believe was carried out by the government of North Korea. The order gives the administration the ability to freeze assets in the United States, bar Americans from doing business with groups that sponsor cyberattacks, and cut the groups off from American goods and technology. But the use of the sanctions authority could be more significant if Mr. Obama wielded it against China, which officials believe has continued to sponsor cyberattacks even as the two nations warily seek a working relationship in other areas.
[...]
Security experts say the forensic evidence from the attacks suggests that they were the work of a sophisticated Chinese group that for the past three years has targeted a number of government agencies and defense contractors.
[...]
"Weighing your options" is DC-speak for "treading lightly for now" -- and we hope people forget about this soon.
The Sony Hack did not get weighed and watered down. They got swift action, considering the source.
And therein lies the rub. China is not North Korea -- so sensibilities must not be jostled.
Who are we, to call that Gander, a Goose?
The Urban Dictionary defines "Security Theater" as
... security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.
You know, those TSA warm and fuzzy pat-downs, the evil-eyeing of every foreigner in a public place, the 24-7 surveillance both on-line and off -- these are examples of "Security Theater" -- we condone as a Nation, all for the sake of protecting our "National Security."
Putting a similar focus on protecting the personal and sensitive data of millions of Government Employees (and critical Databases) -- Not so much. After all, they have signed their "Disclaimed Rights" away ...
And here's what it means to leave the Security Program "front door" unlocked:
OPM continued to display "the lack of a centralized security management structure necessary to implement and enforce IT security policies," despite specific and repeated warnings in their recent Security Audits, like this:
• We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency’s IT security program. [pg 8]
It would seem those in charge of our "National Security" apparatus find it more useful to deflect blame -- rather than assume it. After all, it's such a complex system, with so many moving parts ... so many Security-players, who could ever fathom where the ultimate problem lies:
In Data Breach, Reluctance To Point The Finger At China
by David Welna, npr.org -- July 02, 2015
[...]
Adm. Michael Rogers is among the American officials most likely to know which country perpetrated the Office of Personnel Management's massive data breach, possibly the biggest hack ever of the U.S. government. He's not only director of the National Security Agency, but also heads the U.S. Cyber Command.
[...]
"I'm not gonna get into the specifics of attribution," he said. "That's a process that we're working through on the policy side. There's a wide range of people, groups and nation states out there aggressively attempting to gain access to that data."
[...]
Federal law enforcement sources tell NPR the personal data of at least 18 million federal workers may have been accessed through the OPM computer system. Some China experts say assigning blame in this case can be tricky, because cyberspying there is often outsourced to nongovernment contractors.
[...]
The few times 'the Snooze' has bothered to step into this Data Breach story, it has been to "blame China (probably)" -- and let it go, at that.
As if, since it is only "routine espionage" -- Case is closed. We can all go back to our 'previously scheduled programming'.
Everything is just Hunky-Dory down in Rip-City.
Well, there are some cyber-security experts who would cast aspersions on this "Status Normal" FUBAR assessment:
Catching Up on the OPM Breach
by Brian Krebs, krebsonsecurity.com -- June 15, 2015
[...]
[I]n his speech, [Mike] Burgess [chief information security officer at Telstra, Australia’s largest telecom provider] railed against media reports about high-profile cyber attacks that created an atmosphere of what he called “attribution distraction” and “threat distraction.” A reporter with ZDNet captured Burgess’s thoughts with this quote:
“Don’t get me wrong….I’m not saying that attribution isn’t important. I’m not saying that issues of source, great technical intelligence, and other forms of intelligence to understand the threat and the intentions of those looking to steal information from you, or disrupt your organisation for some purpose that may be unknown to you, [are not important].” (sic)
“But what I observe, what I fear, what I see too much of, is many commentators, many in the industry, and many in media, focus on attribution, with very little focus on the root cause. No-one should lose valuable information where at the root cause there is a known remedy. For me, that is unforgivable in this day and age. And I’ve got to tell you -- my view at least -- too much of this distraction around attribution takes away from focusing on what’s really important here.”
[...]
“That’s partially because in the two years since Edward Snowden’s leaks about U.S. surveillance, the Obama administration has repeatedly argued that hacking into computer networks to spy on foreigners is completely acceptable behavior,” writes Brendan Sasso. “It won’t be so easy for the U.S. to express indignant outrage just because it’s on the opposite side of the surveillance this time.”
[...]
If I'm reading between those not so subtle lines correctly -- Our National Security ring-leaders are hesitant to point a finger Megaphone at China, because China just might return us the same Spy-vs-Spy favor.
[ PS. That previous link has a good summary Timeline of the ever-widening scope of other recent Governmental Hacks. Breaches that seem to be working from a similar M.O. Brian Krebs is considered a credible wonk in the cyber-security field.]
Well, here is the final scene in the mini-series for now. It should be both comforting and disconcerting, to anyone who has been an unwitting "target" of the recent Personnel-File, FBI-Background-Check data siphoning episodes ... all 18 million and counting of you ...
Largest federal workers union sues OPM over breach
by Cory Bennett, thehill.com -- June 30, 2015
[...]
The American Federation of Government Employees (AFGE) on Monday became the first to sue the Office of Personnel Management (OPM) in the wake of the massive data breach that has shaken the government.
[...]
The government often enjoys “sovereign immunity,” meaning it cannot face civil suits or prosecution over most subjects, several people said. Essentially, you cannot sue the government unless it says you can.
[...]
The OPM seemed to try and get out in front of the situation in its notification letter sent to victims of the breach.
“Nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose,” it read.
Who's looking out for YOU, Baby?
If those disclaimers, and lack of {National Security} outrage, and vague amorphous responses as appropriate, are any indications -- It is apparently No One. Still.
But No Worries! I can still take off my belt, shoes, empty my pockets, and pour out my drinking water, and play touchy-feely -- every time I want to take a long-distance ride. They got THAT covered in spades.
"National Security" after all is not only someone's a Special Task Force's Top priority -- it is the best Theater the American Taxpayer can buy, ... and Buy ... and BUY.