Espionage Lessons from the OPM Hack

Uploaded on 2015-07-10 in NEWS-News Analysis, INTELLIGENCE--USA, GOVERNMENT-National, FREE TO VIEW

HACKED-office-of-personnel-management-monitor.jpg

Hackers stole Social Security numbers, health histories and other highly sensitive data from more than 21 million people

It has been a month since the Office of Personnel Management (OPM) infiltration was made public and shockwaves of the hack reverberates in Washington, DC and beyond.   While we continue to extract negatives from the story of the OPM hack, three lessons emerge that might give us hope for a secure future.

Lesson #1: Security is not assured in digital systems 

The incident should remind us that every networked system is vulnerable. Cyber espionage is a reality and a problem every institution will have to deal with. The events of the last few months only make this clear as the US government officials admitted the State Department was hacked, which then led to an intrusion that even included some of Obama’s personal emails. 

The Syrian Liberation Army hacked the mil.gov website and public relations portal. Of course, to top it off, records for 4 million (or possibly many more) federal workers were stolen from the OPM, likely by the Chinese. Included in this massive amount of information is the background form that every employee who seeks secret clearance must fill out and includes some of the most intimate details about one’s personal life.

Searching for someone to blame is not really the answer. Rethinking what is available and networked is since the Internet was never designed with security in mind. Yet we continue to trust it with our deepest and darkest secrets. Once the vulnerabilities and the weaknesses of our systems are made clear, we can move forward with fixing the problems and altering the nature of how we share information. The simple conclusion is that we have entered an era of cyber espionage, not necessarily cyber war.

Lesson #2: US human intelligence will need to adapt to the digital age

Some have gone so far as to call the OPM hack a failure larger than the Snowden affair. Make no mistake, the hack was large and comprehensive, but we also must move beyond the spy fantasies that pervade analysis of the OPM hack. The typical story is that this information could be used as a stepping-stone to siphon off state secrets. 

Using cheap and available data mining tools similar to the NSAs’, the opposition could use the information to build a profile of individuals susceptible to blackmail, such as a federal employee with a history of extra-marital affairs and ties with the Chinese nationals, information all in the SF86 form were  stolen. Once identified, these targets could be subject to honey traps, a threat that MI5 has previously warned about in other contexts.
The US has not lost all of its HUMINT capabilities because of the hack and information leak, but it will need to adapt to take into account OPM-style attacks in the future.

Lesson #3: The main vulnerability to security systems remains external to US government networks

The perpetrators hacked the OPM by stealing the credentials of an outside contractor. There are things being done to increase security in US government systems, yet vulnerability will remain through external contractors with access, like Edward Snowden. This is why it is important do more than monitor systems constantly, we must hunt those who already have access and are using it maliciously, or those that might do so. 

At the strategic level, the exploit of OPM’s four million records means very little. It has not and will not change how the United States conducts the business of foreign policy, but the entire intelligence community needs reevaluate how it might conduct its mission. It is important to keep the real issue of cyber espionage in mind as we debate the future of conflict. 
DefenceOne:  http://bit.ly/1NYIjZj

 

« Data Scientist: The Sexiest Job of the 21st Century
Security Engineer Location: Sao Paolo »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Concise Technologies

Concise Technologies

Concise Technologies provide specialist IT and telecoms solutions, support services, managed backup, disaster recovery, cyber security and consultancy to SME businesses across the UK and Europe.

Cyber 360

Cyber 360

Cyber 360 is a Cybersecurity contract and fulltime placement firm dedicated to identifying and hiring Cybersecurity professionals.

NATO Communications and Information Agency (NCIA)

NATO Communications and Information Agency (NCIA)

The NCIA Cyber Security Service Line is responsible for planning and executing all life cycle management activities for cyber security.

CyberPlat

CyberPlat

CyberPlat is an integrated broad-based multibank Internet payment system. It is the largest electronic payment system in Russia and CIS.

MSG Systems

MSG Systems

MSG are committed to intelligent IT and industry solutions and offer independent consulting on all aspects of information security.

EverC

EverC

EverC (previously EverCompliant) is a leading provider of cyber intelligence that allows acquiring banks and payment service providers (PSP) to manage cyber risk.

Remediant

Remediant

Remediant is the leader in Precision Privileged Access Management. We protect organizations from ransomware and data theft via stolen credentials and lateral movement.

Rwanda Information Society Authority (RISA)

Rwanda Information Society Authority (RISA)

RISA is at the forefront of all ICT project implementation, research, infrastructure and innovation within the ICT sector in Rwanda.

Private Internet Access

Private Internet Access

Private Internet Access is a Virtual Private Network services provider offering secure encrypted access to the internet.

Endian

Endian

Endian’s mission is to provide a secure platform that connects distributed people and things, simplifying the digitalization of businesses.

Cynterra

Cynterra

Cynterra is a next generation cloud cyber security and data analytical service provider offering cloud security compliance, data protection, visibility and threat protection services.

WiJungle

WiJungle

WiJungle is an Indian Cyber Security Company that develops and markets a unified network security gateway solution.

Wolverhampton Cyber Research Institute (WCRI)

Wolverhampton Cyber Research Institute (WCRI)

Wolverhampton Cyber Research Institute builds on the strength of its members in the area of network and communication security, artificial intelligence, big data and cyber physical systems.

Psybersafe

Psybersafe

Psybersafe is a hands-on, behaviour-changing training system that keeps your people and your business cyber safe.

Narf Industries

Narf Industries

Narf Industries are a small group of reverse engineers, vulnerability researchers and tool developers that specialize in tailored solutions for government and large enterprises.

Pulsant

Pulsant

Pulsant is the UK’s premier digital edge infrastructure company providing next-generation cloud, colocation and connectivity services.