Before We Pass CISA As A Response To OPM Hack, Shouldn't We Look At What The Feds' Cybersecurity Practices Were?

from the just-saying... dept

As we've been discussing, some surveillance hawks in Congress have been trying very hard to push CISA through into law, often using the disastrous OPM hack as evidence for why it's needed. Yet, as we've pointed out multiple times, there's nothing in CISA that would have prevented OPM from being hacked. Instead, the Senators pushing CISA and using the OPM hack as the reason seem to be blindly flailing around assuming that because both are tangentially related to "cybersecurity," people will believe that it all "works."

The reality, of course, is that CISA has nothing to do with the OPM hack, but is really a backdoor surveillance bill, designed to give immunity to companies sharing info with the NSA, that it can feed into its system that it uses to monitor all "upstream" traffic. Senator Ron Wyden has been warning about this for months, without too many people paying attention -- because fear! cybersecurity! hack!

So, Wyden's latest strategy is to look a little more deeply at the OPM hack itself and what the government's National Counterintelligence and Security Center (NCSC) did (if anything) to prevent the hack. In a letter to NCSC, Wyden asks for details of what steps it had taken to protect OPM.

The National Counterintelligence and Security Center (NCSC) is tasked with a very important mission, which includes defending the nation's classified information and assets from exploitation by foreign adversaries. The importance of this mission has recently been underscored by compromises of sensitive US government personnel data.

And thus, the following questions:

1. Did the NCSC identify OPM's security clearance database as a counterintelligence vulnerability prior to these security incidents?
2. Did the NCSC provide OPM with any recommendations about how to secure this information?
3. At least one official has said that the background investigation information compromised in the second OPM hack included information on individuals as far back as 1985. Has the NCSC evaluated whether the retention requirements for background investigation information should be reduced to mitigate the vulnerability of maintaining personal information for a significant period of time? If not, please explain why the existing retention periods are necessary?

There may be a variety of reasons for sending this letter -- but one clear one is to send the following message: before Congress rushes around demanding CISA as a response to the OPM hack, shouldn't we look at how our own processes failed to prevent that attack? And that's especially true given that the point of CISA is to trust the very same government to help private companies with cybersecurity. If the government can't even do the most basic things to protect its own data, why are we rushing to pass a law that is entirely premised on the idea that the government can help others protect their data?

Filed Under: cisa, congress, cybersecurity, ncsc, opm, opm hack, ron wyden