US Intelligence Community's Cavalier Attitude Towards OPM Hack

from the that-old-thing... dept

We've obviously written a few times now about the big OPM hack that was revealed a few months ago, in which it appears that hackers (everyone's blaming China for this) were able to get in and access tons of very, very private records of current and former government employees -- apparently including tons of SF-86 forms. Those forms are required to be filled out for anyone in a national security job in the government, and it basically requires you to 'fess up to anything you've ever done that might, at some point, reflect badly on you. The basic idea behind it is that if you've already admitted to everything, then it makes it much harder for anyone to somehow blackmail you into revealing US national security secrets. But, of course, that also makes those documents pretty damn sensitive. And, by now of course you've heard that the Office of Personnel Management was woefully unprepared to properly protect such sensitive data.

Two recent statements made by top intelligence community leaders again should raise questions about why these guys have been put in charge of "defending" against computer attacks. First up, we have the head of the NSA, Admiral Mike Rogers. Back in August, we noted that Senator Ron Wyden had asked the National Counterintelligence and Security Center (NCSC) if it had even considered the OPM databases "as a counterintelligence vulnerability" prior to these attacks. In short: did the national security community who was in charge of protecting computer systems even realize this was a target. As Marcy Wheeler pointed out last month, Admiral Rogers more or less admitted that the answer was no:

After the intrusion, “as we started more broadly to realize the implications of OPM, to be quite honest, we were starting to work with OPM about how could we apply DOD capability, if that is what you require,” Rogers said at an invitation-only Wilson Center event, referring to his role leading CYBERCOM.

NSA, meanwhile, provided “a significant amount of people and expertise to OPM to try to help them identify what had happened, how it happened and how we should structure the network for the future,” Rogers added.

In other words, the guy who is literally in charge of the "US Cybercommand" organization that is supposed to protect us from computer-based attacks didn't realize until after the hack that this might be a relevant target.

Then, fast forward to last week, where Rogers' boss, Director of National Intelligence James Clapper, testified at a Congressional hearing about the hack. After admitting that CIA employees had to be quickly evacuated from China after the hack, he more or less said that the US shouldn't retaliate, because this was "just espionage" and that the US has basically done the same thing back to them. At least that's the implication of his "wink wink, nod nod" statement to the Senators:

Director of National Intelligence James R. Clapper Jr., testifying before the Senate Armed Services Committee, sought to make a distinction between the OPM hacks and cybertheft of U.S. companies’ secrets to benefit another country’s industry. What happened in OPM case, “as egregious as it was,” Clapper said, was not an attack: “Rather, it would be a form of theft or espionage.”

And, he said, “We, too, practice cyberespionage and . . . we’re not bad at it.” He suggested that the United States would not be wise to seek to punish another country for something its own intelligence services do. “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks.”

Now, he's actually making a totally valid point concerning what the US's response should be. Escalating this issue by hitting back at China isn't going to help anything. Rather, of course, the US government should have done a much better job protecting the information in the first place.

But when you look at these statements together, it shows the somewhat cavalier attitude of the US intelligence community towards actually protecting key US assets. And that's because the US intelligence community is -- as Clapper basically admits -- much more focused on hacking into other countries' systems. For a while now, people have questioned why the NSA should be handling both the offensive and defensive "cybersecurity" programs. The theory has long been that because the NSA is so damn good at the offensive side, it's better positioned to understand the risks and challenges on the defensive side. Yet, given that the NSA's overall mission is so focused on breaking into other systems, it seems that whenever the two conflict, the offensive side wins out and less is done to protect us. The simple fact that the US intelligence community is basically admitting that we do exactly these kinds of attacks on China, yet never considered the same might be done to us, should raise pretty serious questions about why we let the intelligence community handle protecting us against such intrusions in the first place.

Filed Under: admiral mike rogers, china, cybersecurity, james clapper, nsa, opm, opm hack, surveillance, us cyber command

Before We Pass CISA As A Response To OPM Hack, Shouldn't We Look At What The Feds' Cybersecurity Practices Were?

from the just-saying... dept

As we've been discussing, some surveillance hawks in Congress have been trying very hard to push CISA through into law, often using the disastrous OPM hack as evidence for why it's needed. Yet, as we've pointed out multiple times, there's nothing in CISA that would have prevented OPM from being hacked. Instead, the Senators pushing CISA and using the OPM hack as the reason seem to be blindly flailing around assuming that because both are tangentially related to "cybersecurity," people will believe that it all "works."

The reality, of course, is that CISA has nothing to do with the OPM hack, but is really a backdoor surveillance bill, designed to give immunity to companies sharing info with the NSA, that it can feed into its system that it uses to monitor all "upstream" traffic. Senator Ron Wyden has been warning about this for months, without too many people paying attention -- because fear! cybersecurity! hack!

So, Wyden's latest strategy is to look a little more deeply at the OPM hack itself and what the government's National Counterintelligence and Security Center (NCSC) did (if anything) to prevent the hack. In a letter to NCSC, Wyden asks for details of what steps it had taken to protect OPM.

The National Counterintelligence and Security Center (NCSC) is tasked with a very important mission, which includes defending the nation's classified information and assets from exploitation by foreign adversaries. The importance of this mission has recently been underscored by compromises of sensitive US government personnel data.

And thus, the following questions:

1. Did the NCSC identify OPM's security clearance database as a counterintelligence vulnerability prior to these security incidents?
2. Did the NCSC provide OPM with any recommendations about how to secure this information?
3. At least one official has said that the background investigation information compromised in the second OPM hack included information on individuals as far back as 1985. Has the NCSC evaluated whether the retention requirements for background investigation information should be reduced to mitigate the vulnerability of maintaining personal information for a significant period of time? If not, please explain why the existing retention periods are necessary?

There may be a variety of reasons for sending this letter -- but one clear one is to send the following message: before Congress rushes around demanding CISA as a response to the OPM hack, shouldn't we look at how our own processes failed to prevent that attack? And that's especially true given that the point of CISA is to trust the very same government to help private companies with cybersecurity. If the government can't even do the most basic things to protect its own data, why are we rushing to pass a law that is entirely premised on the idea that the government can help others protect their data?

Filed Under: cisa, congress, cybersecurity, ncsc, opm, opm hack, ron wyden

Senate, Once Again, Looks To Bring Back CISA: Surveillance Expansion Bill Pretending It's A Cybersecurity Bill

from the information-sharing-with-whom dept

We've discussed the "cybersecurity" bill, CISA, that's been making its way through Congress a few times, noting that it is nothing more than a surveillance expansion bill hidden in "cybersecurity" clothing. As recent revelations concerning NSA's surveillance authorities have made quite clear, CISA would really serve to massively expand the ability of the NSA (and other intelligence agencies) to do "backdoor searches" on its "upstream" collection. In short, rather than protecting any sort of security threat, this bill would actually serve to give the NSA more details on the kind of "cyber signatures" it wants to sniff through pretty much all internet traffic (that it taps into at the backbone) to collect anything it deems suspicious. It then keeps the results of this, considering it "incidental" collections of information.

In an incredibly cynical move, supporters of the surveillance state have seen OPM hacks as a ridiculous excuse to push to pass this bill. Senator Mitch McConnell tried to include it in the defense appropriations bill by pointing to the OPM hack. That gambit, thankfully, failed.

But that's not stopping the supporters of the surveillance state. During recent Congressional hearings, surveillance state supporter Senator John Cornyn claimed that CISA would be back for a vote before the end of the month, despite having failed multiple times in previous attempts. And, earlier this week, McConnell similarly announced plans to bring it up for a vote soon -- and, again in the context of the OPM hack. Here's McConnell being interviewed on Fox News by Bret Baier:

BAIER: Senator, you mentioned cybersecurity. Hackers broke into the U.S. Office of Personnel Management, stealing background investigation forms, fingerprint records, Social Security numbers for more than 22 million people....

[....]

MCCONNELL: This is a total mess. It's no wonder they had a hard time with the Web site which they launched Obamacare. These cybersecurity issues are enormously significant. What we're going to do is before August, take a step in the direction of dealing with the problem with information sharing bill that I think will be broadly supported. This is an administrative disaster that the president needs to get a hold of and get straightened out soon.

What no one asks McConnell (of course) is how CISA would have had any impact on the OPM hack. Or, hell, how it would help stop a single online attack anywhere. Because that's a question no one seems willing to answer. Because the answer was already made abundantly clear by Senator Ron Wyden in opposing this bill. It's not about cybersecurity at all. It's about surveillance.

Filed Under: cisa, cybersecurity, information sharing, john cornyn, mitch mcconnell, opm, opm hack, surveillance