The U.S.’s Office of Personnel Management wants you to know that it thwarts 10 million hack attempts a month. But it just takes one successful breach to undo all that successful thwarting. And last year, OPM’s network was breached by an attack it identified as coming from China. The government of China has denied any involvement, but 4 million federal employees have been offered 18 months of credit report monitoring.
“Follow-up reports indicate that the breach may extend well beyond federal employees to individuals who applied for security clearances with the federal government,” Brian Krebs wrote, in an excellent summation of the hack. As many as 14 million people who’ve worked for or attempted to work for the government may be affected.
What kind of information did the hackers get access to?
F-Secure’s Chief Research Officer Mikko Hypponen tweeted this sample:
Knowing which federal employees have admitted to illegal drug use could be pretty valuable information, especially if there’s anyone who is actually honest about such behavior on these kinds of forms.
That the U.S. government has had networks containing secret data infiltrated is obviously a huge problem. Especially disturbing is the news that the files weren’t encrypted because the OPM’s systems were too antiquated. (UPDATE: Apparently, encryption wouldn’t have helped.)
Some are calling this hack a “cyber Pearl Harbor” and wondering why the Obama Administration isn’t retaliating more directly. But there’s a perfectly clear reason why “cyber Pearl Harbor” is not an accurate description, as much as critics of President Obama and those in favor of cybersecurity laws like CISPA might like it to be.
“Pearl Harbor metaphors should be restricted to war,” F-Secure Security Advisor Sean Sullivan told me. “This is espionage, and so the use of it is hyperbole.”
Also, Pearl Harbor — the famed “sneak attack” on the U.S. military installations by the Japanese that killed more than 2,5000 and drew America into World War II — suggests an unprovoked attack by a state. It’s unclear if this attack was entirely unprovoked or backed by a government.
The U.S. has been accused of its own hacking and launching its own cyber attacks. The Snowden revelations include claims of “large-scale, organized cyber theft, wiretapping and supervision of political figures, enterprises and individuals of other countries, including China.” And those claims are backed up by substantial evidence, leaving the U.S. in an awkward position as it reckons with its own security failings and potential response, especially when attributing the sources of attacks is increasingly difficult.
If nothing else, this attack shows that the U.S. government suffers from the same failings as many large corporations that have fallen prey to hacks in recent years. The costs of such breaches are escalating for businesses and states.
Still, it’s important to keep perspective.
Pearl Harbor was an aberrational act of war that triggered a global reaction. The OPM hack is perhaps an unprecedented act of espionage when it comes to a breach of U.S. government networks. Unfortunately, it doesn’t seem indicative of something unusual, but rather an ominous hint of a new normal.
[Image by Jonathan Briggs | Flickr]