The OPM hack is bad but it’s not a ‘cyber Pearl Harbor’


The U.S.’s Office of Personnel Management wants you to know that it thwarts 10 million hack attempts a month. But it just takes one successful breach to undo all that successful thwarting. And last year, OPM’s network was breached by an attack it identified as coming from China. The government of China has denied any involvement but 4 million federal employees have been offered 18 months of credit report monitoring.

“Follow-up reports indicate that the breach may extend well beyond federal employees to individuals who applied for security clearances with the federal government,” Brian Krebs wrote, in an excellent summation of the hack. As many as 14 million people who’ve worked for or attempted to work for the government may be affected.

What kind of information did the hackers get access to?

F-Secure’s Chief Research Officer Mikko Hypponen tweeted this sample:

[Image: OPM Hack, OPM data, secret data]

Knowing which federal employees have admitted to illegal drug use could be pretty valuable information, especially if there’s anyone who is actually honest about such behavior on these kinds of forms.

That the U.S. government has had networks containing secret data infiltrated is obviously a huge problem. Especially disturbing is the news that the files weren’t encrypted because the OPM’s systems were too antiquated. (UPDATE: Apparently, encryption wouldn’t have helped.)

Some are calling this hack a “cyber Pearl Harbor” and wondering why the Obama Administration isn’t retaliating more directly. But there’s a perfectly clear reason why “cyber Pearl Harbor” is not an accurate description, as much as critics of President Obama and those in favor of cybersecurity laws like CISPA might like it to be.

“Pearl Harbor metaphors should be restricted to war,” F-Secure Security Advisor Sean Sullivan told me. “This is espionage, and so the use of it is hyperbole.”

Also, Pearl Harbor — the famed “sneak attack” on the U.S. military installations by the Japanese that killed more than 2,500 and drew America into World War II — suggests an unprovoked attack by a state. It’s unclear if this attack was entirely unprovoked or backed by a government.

The U.S. has been accused of its own hacking and launching its own cyber attacks. The Snowden revelations include claims of “large-scale, organized cyber theft, wiretapping and supervision of political figures, enterprises and individuals of other countries, including China.” And those claims are backed up by substantial evidence, leaving the U.S. in an awkward position as it reckons with its own security failings and potential response, especially when attributing the sources of attacks is increasingly difficult.

If nothing else, this attack shows that the U.S. government suffers from the same failings as many large corporations that have fallen prey to hacks in recent years. The costs of such breaches are escalating for businesses and states.

Still, it’s important to keep perspective.

Pearl Harbor was an aberrational act of war that triggered a global reaction. The OPM hack is perhaps an unprecedented act of espionage when it comes to a breach of U.S. government networks. Unfortunately, it doesn’t seem indicative of something unusual, but rather an ominous hint of a new normal.

[Image by Jonathan Briggs | Flickr]


In general I agree with everything here, but I’d pose the question: What type of cyber attack would equate to the act of war that was Pearl Harbor? Given the nature of cyber security as being primarily information and data driven, would there need to be an attack that does significant, tangible harm to a population in order for the magnitude to be considered so great? Or, is there a way to relate the level of attack to a data breach? I would think the first situation would probably need to occur; humans would have to be harmed, as in an act of war.
