Sunday, January 22, 2017

If you had a clearance, Chinese know everything about you thanks to OPM mismanagement

The Great Chinese Hack of the USG OPM



The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation - United States House Committee on Oversight and Government Reform

Why the OPM Hack Is Far Worse Than You Imagine - Lawfare

 What Is the Adversary Likely to Do with the Clearance Records for 20 Million Americans? | RAND
The OPM breach is very concerning for both national security and individual privacy. Former National Security Agency senior counsel Joel Brenner said the material contained in the breach is a “gold mine for a foreign intelligence service.”
The hackers who broke into the OPM security clearance database likely have in their possession highly detailed, comprehensive personal information about the majority of Americans who are serving as the custodians of America's secrets. According to the OPM website, OPM conducts more than 90 percent of the government's background investigations for more than 100 federal agencies. The stolen material, now in the hands of the hackers, likely has a high degree of accuracy and veracity because it is illegal to knowingly falsify or conceal material in the submission of these forms.
In addition to containing a wealth of personally identifiable information — such as Social Security numbers, passport numbers, birthdates, birthplaces and multiple modes of contact information — the information contained in the breach likely contains detailed information about the victims' residential, employment, travel, educational, criminal, financial, addiction and mental health history as well as detailed information on spouses, cohabitants, other family members and foreign contacts. The breach also likely included background investigator notes derived from interviews of the individuals listed on the forms.

Committee Releases Year-Long Investigative Report into OPM Data Breaches - United
States House Committee on Oversight and Government Reform


As a result of one the Committee’s findings, Chairman Chaffetz sent a letter to the Government Accountability Office (GAO) requesting an opinion on whether the Office of Personnel Management (OPM) violated the Anti-Deficiency Act (ADA) when it accepted services from a company without payment.

Key findings, recommendations and an excerpt from the letter are below:
Key Findings:
  • The OPM data breach was preventable.
  • OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber attacks, and failed to prioritize resources for cybersecurity.
  • Data breaches in 2014 were likely connected and possibly coordinated to the 2015 data breach.
  • OPM misled the public on the extent of the damage of the breach and made false statements to Congress
Key Recommendations:
  • Reprioritize federal information security efforts toward zero trust.
  • Ensure agency CIOs are empowered, accountable, and competent.
  • Reduce use of social security numbers by federal agencies.
  • Modernize existing legacy federal information technology assets.
  • Improve federal recruitment, training, and retention of federal cybersecurity specialists
 Letter to GAO: “In brief, we believe OPM violated the ADA when the agency retained and deployed CyTech’s software following a product demonstration, and never paid.”


OPM | CyFIR Enterprise by CyTech Services, Inc.

Surprise! House Oversight report blames OPM leadership for breach of records | Ars Technica


Congressional Report Slams OPM on Data Breach — Krebs on Security

The massive data breach at the U.S. Office of Personnel Management (OPM) that exposed background investigations and fingerprint data on millions of Americans was the result of a cascading series of cybersecurity blunders from the agency’s senior leadership on down to
the outdated technology used to secure the sensitive data, according to a lengthy report released today by a key government oversight panel.

The 241-page analysis, commissioned by the U.S. House Oversight & Government Reform Committee, blames OPM for jeopardizing U.S. national security for more than a generation.


The report offers perhaps the most exhaustive accounting and timeline of the breach since it was first publicly disclosed in mid-2015. According to the document, the lax state of OPM’s information security left the agency’s information systems exposed for any experienced hacker to infiltrate and compromise.


“The agency’s senior leadership failed to fully comprehend the extent of the compromise, allowing the hackers to remove manuals and other sensitive materials that essentially provided a roadmap to the OPM IT environment and key users for potential compromise,” the report charges.

No comments:

Post a Comment