Before We Pass CISA As A Response To OPM Hack, Shouldn't We Look At What The Feds' Cybersecurity Practices Were?

from the just-saying... dept

As we've been discussing, some surveillance hawks in Congress have been trying very hard to push CISA through into law, often using the disastrous OPM hack as evidence for why it's needed. Yet, as we've pointed out multiple times, there's nothing in CISA that would have prevented OPM from being hacked. Instead, the Senators pushing CISA and using the OPM hack as the reason seem to be blindly flailing around assuming that because both are tangentially related to "cybersecurity," people will believe that it all "works."

The reality, of course, is that CISA has nothing to do with the OPM hack, but is really a backdoor surveillance bill, designed to give immunity to companies sharing info with the NSA, that it can feed into its system that it uses to monitor all "upstream" traffic. Senator Ron Wyden has been warning about this for months, without too many people paying attention -- because fear! cybersecurity! hack!

So, Wyden's latest strategy is to look a little more deeply at the OPM hack itself and what the government's National Counterintelligence and Security Center (NCSC) did (if anything) to prevent the hack. In a letter to NCSC, Wyden asks for details of what steps it had taken to protect OPM.
The National Counterintelligence and Security Center (NCSC) is tasked with a very important mission, which includes defending the nation's classified information and assets from exploitation by foreign adversaries. The importance of this mission has recently been underscored by compromises of sensitive US government personnel data.
And thus, the following questions:
  1. Did the NCSC identify OPM's security clearance database as a counterintelligence vulnerability prior to these security incidents?
  2. Did the NCSC provide OPM with any recommendations about how to secure this information?
  3. At least one official has said that the background investigation information compromised in the second OPM hack included information on individuals as far back as 1985. Has the NCSC evaluated whether the retention requirements for background investigation information should be reduced to mitigate the vulnerability of maintaining personal information for a significant period of time? If not, please explain why the existing retention periods are necessary?
There may be a variety of reasons for sending this letter -- but one clear one is to send the following message: before Congress rushes around demanding CISA as a response to the OPM hack, shouldn't we look at how our own processes failed to prevent that attack? And that's especially true given that the point of CISA is to trust the very same government to help private companies with cybersecurity. If the government can't even do the most basic things to protect its own data, why are we rushing to pass a law that is entirely premised on the idea that the government can help others protect their data?
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cisa, congress, cybersecurity, ncsc, opm, opm hack, ron wyden


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 13 Aug 2015 @ 3:09pm

    why are we rushing to pass a law that is entirely premised on the idea that the government can help others protect their data?

    Replace protect with share, and you have the real question that needs an answer.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 13 Aug 2015 @ 3:12pm

    Cybersecurity is meaningless when all your efforts to secure are offensive and all your efforts to contain are in the form of making more access available. Till this is mentality is solved, cybersecurity is in the same place as MADD over nuclear weapons are.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 13 Aug 2015 @ 4:58pm

    If the German government wants access to my system, no problem here. But if the American government does no thanks. Sad I trust a foreign entity more than my own government. After seeing how good the NSA and US government in general is at protecting their own servers and respecting our right to privacy I don't want them to have access, even though I assume they do have it when I face the internet. When the RIAA and MPAA lawyers and congressmen collectively known as the MAFIA get done there will be no internet to access in any way shape or form, and that will be one less bill a month for me to pay, hell, I might even be able to afford to retire.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 13 Aug 2015 @ 7:44pm

    The bill of rights must be suspended...

    because of the OPM hack. There's just no way around it, I'm afraid. It simply must be done! Think of the children!

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 13 Aug 2015 @ 7:51pm

    Pass it now!

    No, silly Mike. We don't need due process, investigation and consultation! We need to captialise on this hack while it's still fresh in people's minds! The sooner it gets passed, the sooner we can collect even more data! I mean, the sooner it gets passed, the sooner we can stop those evil [foreign adversary/ies] from hacking us!

    link to this | view in thread ]

  6. icon
    Robert Freetard (profile), 13 Aug 2015 @ 8:38pm

    Why was the database connected to the internet in the first place?

    Who though it was a good idea for the OPM's security clearance database to be accessible from the entire, world wide internet and has that person been fired yet??

    Even MORE to the point, what other databases and control systems are internet connected that plainly should not be?

    link to this | view in thread ]

  7. identicon
    Anonymous Howard, Cowering, 14 Aug 2015 @ 4:12am

    #7 - Robert Freetard

    Answers:
    Everyone, and especially the intruders. OPM handles civilian personnel issues (including clearances) for the entire Federal government. And no, everyone has not yet been fired.

    All of them; although your definition of plainly apparently includes post hoc recriminations.

    Remember, the only secure data storage is one that has no connection to any other point, and that pretty much precludes its ever being a useful thing.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 14 Aug 2015 @ 4:23am

    Its default connect every pc to the web,
    AT this point the federal government
    get close to zero points when it comes to security.
    right now there,s 1000,s of servers with public user data ,names ,social security no,s
    maybe runnng windows xp, ie 6 totally unsecure ,
    The opm did not even have data encrypted ,
    not even using basic security procedures from 3 years ago .
    SO WHY we should want to give more private info to the government to put on servers or hand around to
    more agencys which could be hacked in a year or
    anytime in the future .
    opm had user data from 1985 to 2015 .at this point theres major hacks every few months in the us .
    Right now china can read government emails on various
    servers ,
    the basic service of government email data is not yet secure .
    Most companys wait a few days or weeks to announce they were hacked into or public user data was acessed .
    Companys or the federal government are hiring contractors from india or china based on the lowest bid
    to handle various contracts in regard to handling
    computing services .
    These people work for maybe 9 dollars a hour .
    How easy would it be for a hacker or spy to get a job
    and infiltrate these contractors to get acess to data ,passwords , user id,s etc
    very easy .
    article here covers opm hack.
    http://www.cringely.com/
    SO outside foreign companys already have acess to
    the a lot of data on us citizens ,employment data ,birth dates,social security nos,etc
    There needs to be one government agency who has just one function
    set standards and procedures for security and protect data on all government servers ,pcs .
    And provide acess to experts and advice to companys
    and state governments re cybersecurity and outside threats to computer networks .
    Ths bill will just allow more private companys to send user data to the government .

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 14 Aug 2015 @ 5:22am

    Depending on the us government to secure your data is like going to a catholic priest and asking for advice as to the best method of contraception .

    link to this | view in thread ]

  10. icon
    ArkieGuy (profile), 14 Aug 2015 @ 7:30am

    Senator Ron Wyden

    In the past when Senator Wyden asked questions like these (publicly), he knew the answers and knew the public wasn't going to like the answers.

    I have to wonder what he knows about the answers to these questions and what he's foreshadowing.....

    link to this | view in thread ]

  11. identicon
    GEMont, 14 Aug 2015 @ 2:25pm

    From the No-Brainer Department

    Easy one.

    ===============================================

    From the Orifice of the NSA.

    In answer to your inquiry concerning Government
    Security Measures Practices.

    1. National Security. Terrorists. ISIL. Hacks. Muslims.

    2. National Security. Terrorists. ISIL. Hacks. Muslims.

    3. National Security. Terrorists. ISIL. Hacks. Muslims.

    We regret that due to "National Security and all that,
    you know.", we cannot divulge anything at this time
    concerning your concerns. Soooooooo Sorry.

    Head of Primary Anal Retention, NSA.

    ===============================================

    ---

    link to this | view in thread ]

  12. icon
    Seegras (profile), 17 Aug 2015 @ 8:00am

    Wrong Answer

    The question is thus:

    If the OPMs system gets broken into because a security hole was not patched, what should we do?

    And the answer CISPA gives is:

    We should let the NSA hoard more security holes, so that they cannot be patched and allow the NSA to snoop on everyone.

    This is just incredibly stupid.

    link to this | view in thread ]

  13. identicon
    GEMont, 17 Aug 2015 @ 2:03pm

    Re: Wrong Answer

    Eventually the sleeping giant will realize that its security agents care not one iota for the security of the nation, and are actually in the business of using the nation's information horde to profit themselves and their masters in high places.

    If you look over the totality of the so-called "security apparatus", all you will find is make-shift facades, designed more to fool the public into believing it has a security apparatus than to actually do anything remotely akin to national security.

    The agencies use outdated computers purchased fifteen years ago, running ancient software that is easily spoofed and in no way capable of doing the job the agency claims to be doing.

    Forensics turns out to be a crock of made up on the fly shit, designed to simply incarcerate as many people as possible and create an appearance of a drug crisis.

    The agents charged with catching terrorists use all their technology to spy on their own civilian population, meaning either that they suspect the public are terrorists, or that they are more interested in collecting dirt on everyone for blackmail than in catching any terrorists, leading to the questions - do terrorists actually exist, and if so, why are the security people of the US not at all concerned about them.

    Every aspect of the National Security Machine proves blatantly that those charged with the safety of the public, are not in the least bit interested in the safety of the public.

    As more inside information leaks out - and it will as more young people realize they are being tricked by their government and its corporate handlers - the whole facade will be shown to be a simple, but efficient business model, designed to steal everything possible before the shit finally hits the fan economically and the parasites run for greener pastures, while the ship of state sinks beneath the waves of debt and poverty.

    ---

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.