Before We Pass CISA As A Response To OPM Hack, Shouldn't We Look At What The Feds' Cybersecurity Practices Were?
from the just-saying... dept
As we've been discussing, some surveillance hawks in Congress have been trying very hard to push CISA through into law, often using the disastrous OPM hack as evidence for why it's needed. Yet, as we've pointed out multiple times, there's nothing in CISA that would have prevented OPM from being hacked. Instead, the Senators pushing CISA and using the OPM hack as the reason seem to be blindly flailing around assuming that because both are tangentially related to "cybersecurity," people will believe that it all "works."The reality, of course, is that CISA has nothing to do with the OPM hack, but is really a backdoor surveillance bill, designed to give immunity to companies sharing info with the NSA, that it can feed into its system that it uses to monitor all "upstream" traffic. Senator Ron Wyden has been warning about this for months, without too many people paying attention -- because fear! cybersecurity! hack!
So, Wyden's latest strategy is to look a little more deeply at the OPM hack itself and what the government's National Counterintelligence and Security Center (NCSC) did (if anything) to prevent the hack. In a letter to NCSC, Wyden asks for details of what steps it had taken to protect OPM.
The National Counterintelligence and Security Center (NCSC) is tasked with a very important mission, which includes defending the nation's classified information and assets from exploitation by foreign adversaries. The importance of this mission has recently been underscored by compromises of sensitive US government personnel data.And thus, the following questions:
- Did the NCSC identify OPM's security clearance database as a counterintelligence vulnerability prior to these security incidents?
- Did the NCSC provide OPM with any recommendations about how to secure this information?
- At least one official has said that the background investigation information compromised in the second OPM hack included information on individuals as far back as 1985. Has the NCSC evaluated whether the retention requirements for background investigation information should be reduced to mitigate the vulnerability of maintaining personal information for a significant period of time? If not, please explain why the existing retention periods are necessary?
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cisa, congress, cybersecurity, ncsc, opm, opm hack, ron wyden
Reader Comments
Subscribe: RSS
View by: Time | Thread
Replace protect with share, and you have the real question that needs an answer.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
The bill of rights must be suspended...
[ link to this | view in thread ]
Pass it now!
[ link to this | view in thread ]
Why was the database connected to the internet in the first place?
Even MORE to the point, what other databases and control systems are internet connected that plainly should not be?
[ link to this | view in thread ]
#7 - Robert Freetard
Everyone, and especially the intruders. OPM handles civilian personnel issues (including clearances) for the entire Federal government. And no, everyone has not yet been fired.
All of them; although your definition of plainly apparently includes post hoc recriminations.
Remember, the only secure data storage is one that has no connection to any other point, and that pretty much precludes its ever being a useful thing.
[ link to this | view in thread ]
AT this point the federal government
get close to zero points when it comes to security.
right now there,s 1000,s of servers with public user data ,names ,social security no,s
maybe runnng windows xp, ie 6 totally unsecure ,
The opm did not even have data encrypted ,
not even using basic security procedures from 3 years ago .
SO WHY we should want to give more private info to the government to put on servers or hand around to
more agencys which could be hacked in a year or
anytime in the future .
opm had user data from 1985 to 2015 .at this point theres major hacks every few months in the us .
Right now china can read government emails on various
servers ,
the basic service of government email data is not yet secure .
Most companys wait a few days or weeks to announce they were hacked into or public user data was acessed .
Companys or the federal government are hiring contractors from india or china based on the lowest bid
to handle various contracts in regard to handling
computing services .
These people work for maybe 9 dollars a hour .
How easy would it be for a hacker or spy to get a job
and infiltrate these contractors to get acess to data ,passwords , user id,s etc
very easy .
article here covers opm hack.
http://www.cringely.com/
SO outside foreign companys already have acess to
the a lot of data on us citizens ,employment data ,birth dates,social security nos,etc
There needs to be one government agency who has just one function
set standards and procedures for security and protect data on all government servers ,pcs .
And provide acess to experts and advice to companys
and state governments re cybersecurity and outside threats to computer networks .
Ths bill will just allow more private companys to send user data to the government .
[ link to this | view in thread ]
[ link to this | view in thread ]
Senator Ron Wyden
I have to wonder what he knows about the answers to these questions and what he's foreshadowing.....
[ link to this | view in thread ]
From the No-Brainer Department
===============================================
From the Orifice of the NSA.
In answer to your inquiry concerning Government
Security Measures Practices.
1. National Security. Terrorists. ISIL. Hacks. Muslims.
2. National Security. Terrorists. ISIL. Hacks. Muslims.
3. National Security. Terrorists. ISIL. Hacks. Muslims.
We regret that due to "National Security and all that,
you know.", we cannot divulge anything at this time
concerning your concerns. Soooooooo Sorry.
Head of Primary Anal Retention, NSA.
===============================================
---
[ link to this | view in thread ]
Wrong Answer
If the OPMs system gets broken into because a security hole was not patched, what should we do?
And the answer CISPA gives is:
We should let the NSA hoard more security holes, so that they cannot be patched and allow the NSA to snoop on everyone.
This is just incredibly stupid.
[ link to this | view in thread ]
Re: Wrong Answer
If you look over the totality of the so-called "security apparatus", all you will find is make-shift facades, designed more to fool the public into believing it has a security apparatus than to actually do anything remotely akin to national security.
The agencies use outdated computers purchased fifteen years ago, running ancient software that is easily spoofed and in no way capable of doing the job the agency claims to be doing.
Forensics turns out to be a crock of made up on the fly shit, designed to simply incarcerate as many people as possible and create an appearance of a drug crisis.
The agents charged with catching terrorists use all their technology to spy on their own civilian population, meaning either that they suspect the public are terrorists, or that they are more interested in collecting dirt on everyone for blackmail than in catching any terrorists, leading to the questions - do terrorists actually exist, and if so, why are the security people of the US not at all concerned about them.
Every aspect of the National Security Machine proves blatantly that those charged with the safety of the public, are not in the least bit interested in the safety of the public.
As more inside information leaks out - and it will as more young people realize they are being tricked by their government and its corporate handlers - the whole facade will be shown to be a simple, but efficient business model, designed to steal everything possible before the shit finally hits the fan economically and the parasites run for greener pastures, while the ship of state sinks beneath the waves of debt and poverty.
---
[ link to this | view in thread ]