China’s cyber attack at OPM: when an act of war is merely a “security breach”

If it’s not the Russians, then it’s the Chinese. When first reported by US officials, as many as four million federal employees and contractors had their personnel records hacked at the federal Office of Personnel Management (OPM), with the FBI tracing the hacking back to China. Coming on the heels of cyber attacks within the IRS which affected about 100,000 US households, and previous hackings of healthcare provider Anthem, Home Depot and Target, it looks like open season here in America, whether you’re a citizen or “undocumented worker.”

However, the breach at the OPM is in debacle territory because of the nature of the information that was stolen. At first, it was reported that name, address, birth date and social security info were hacked. Now, as the truth dribbles out, we learn that form SF-86, completed by federal employees undergoing security and background checks, was taken as well. Those forms contain knowledge and disclosures of people known past and present, as well as individual behaviors and personal information (divorces, affairs, finances and debt) that could endanger the lives of, let’s say, CIA agents and their foreign “assets,” and contractors/sub-contractors who work with foreign contacts. This cyber attack (and it is just that, not some “security breach”) puts families and individuals at risk of personal humiliation and blackmail, or in worst-case scenarios, imprisonment or death. Remember Dr. Shakil Afridi, the Pakistani doctor who helped us get bin Laden? Still rotting in a Pakistani prison, while the State Dept. has earmarked $900 million in Pakistani aid for 2016.

Just when you think the debacle cannot get much worse, we’re finding that we’re just shy of meltdown mode. In the June 24 edition, The Wall Street Journal reports that the hacking was greater than initially thought. FBI Director James Comey, in his briefing on Monday with Senators, reported 18 million records were possibly compromised, based upon OPM’s internal report. The OPM and White House now acknowledge that not only were personnel records hacked, but security clearance records as well. And to maximize damage control, they treated the OPM hack as two distinct breaches, a key point the FBI disputes.

“Officials familiar with the behind-the-scene discussions say OPM’s denials were based on a peculiar interpretation of what had happened at the agency. Officials at the White House and OPM agreed to handle the OPM problem as at least two separate breaches—one of the personnel files, and one of the security clearance forms, these officials said.

That had major implications for the initial description of damage. Rather than saying the hack implicated the private details of an estimated 18 million people—and potentially millions more if you count the relatives and close friends listed on the security clearance forms—the agency said about four million people were potentially affected.

The FBI, which is investigating the OPM hack, didn’t define it the same way. When responding to computer attacks on companies or government agencies, the FBI leaves it to the victim agency to say publicly and to its employees what was taken. In the case of the OPM hack, however, FBI officials, including the director, James Comey, also had to speak to lawmakers about the incident, and he didn’t discuss the incident in the “two breaches” terms that OPM used, according to people familiar with the matter.”

According to another article, OPM was put on notice in early 2014 that it was a target, when the Chinese hacked into the system, but did not download records.

At the House Oversight hearings Wednesday morning, where OPM Director Katherine Archuleta appeared, Chairman Jason Chaffetz (R-UT) opened the hearings by reading a prepared statement beginning with, “….$529 billion is how much the federal government has spent on IT since 2008. Roughly, $277 million has been spent at the Office of Personnel Management, roughly 80% of that money has been spent on legacy systems.” During Ms. Archuleta’s sworn statement, she pointed out that she is hiring a cyber security expert who will be starting August 1, and will also host a meeting with private sector companies experiencing their own cyber security issues. Additional ‘it’s not my fault’ finger pointing can be found in her earlier June 16 statement before the House Oversight Committee.

Do you get the queasy feeling that we have an ill-prepared, doe-in-the-headlights, dinosaur federal government manned by bureaucrats out of a 1990s environment? Watching Archuleta’s performance earlier, you can ascertain she’s a clueless political hack, or much worse, a diversity token leading OPM. When’s rollout in 2013 caused massive embarrassment for the White House that ultimately resulted in HHS Secretary Kathleen Sebelius’s resignation, the IT patches and fixes were applied in record time. Yet continual Chinese and Russian hacking results in “we are working on it” and “we are hiring cyber security experts” in various forms.

Lest you think that the Federal government is alone in its incompetence in not taking more strident, urgent measures to combat hacking of vital information, the private sector is equally guilty. A recent Congressional Research Service report has warned that there have been ever-increasing cyber attacks against the nation’s power grid, water supply and other critical infrastructure. Our country’s utility companies meet the bare minimum requirements/standards set by the US government.

As our politicians, media, and special interest groups continue to bombard us with social causes — from the Confederate flag to gay marriage to socially engineered communities — the real threats to our country are ignored, until one day we go to turn the lights on and nothing happens. We access our bank accounts and find they’ve been raided. And it’s the average Joe and Jane who are going to bear the brunt and the terrible cost of the blindness and nonchalance of our country’s political and private leadership.

