The U.S. Is Losing the Cyber War

The huge theft from the Office of Personnel Management comes after years of Obama administration passivity despite repeated digital attacks.

The Obama administration has disclosed that for the past year China had access to the confidential records of four million federal employees.

This was the biggest breach ever, until the administration later admitted the number of hacked employees is at least 18 million. In congressional testimony it became clear the number could reach 32 million, all current and former federal workers.

The Chinese hackers managed to gain “administrator privileges,” allowing them full access to the computers of the US Office of Personnel Management. Among other things, they were able to download confidential forms that list “close or continuous contacts,” including those overseas—giving Beijing a new tool to identify and suppress dissenters.

That’s not the worst of it. The administration disclosed a separate intrusion that gave Beijing full access to the confidential background-check information on federal employees and private contractors who apply for security clearances. That includes the 4.5 million Americans who currently have access to the country’s top secrets. The potential for blackmail is chilling.

Since 1996 the Defense Department has considered 18,272 appeals from contractors whose security-clearance applications were denied. Decisions in these cases are posted, without names, on a Pentagon website under the heading “Industrial Security Clearance Decisions.” These are detailed case assessments on whether these individuals can be trusted or whether something in their background disqualifies them. China now knows who they are.

One man kept his security clearance despite admitting a 20-year affair with his college roommate’s wife, about which his own wife was unaware. Another accessed pornography on his work computer and didn’t tell his wife “because he feels embarrassed by his conduct.” Another admitted shooting his teenage son in the leg. Other cases detailed spousal abuse, drugs, alcoholism, tax evasion and gambling.

OPM director Katherine Archuleta tried to dodge blame for the security lapses. “I don’t believe anyone is personally responsible,” she told a Senate committee last week. “If there’s anyone to blame, it’s the perpetrators.”

That’s bunk. It’s normal for governments to spy on each other. “If I, as director of the CIA or National Security Agency, would have had the opportunity to grab the equivalent in the Chinese system, I would not have thought twice,” Michael Hayden, who has headed both agencies, told a Wall Street Journal conference recently.

The Edward Snowden leaks distracted Washington from the pressing challenge of using intelligence better to prevent foreign hacking of Americans, a challenge only the NSA has the range of tools to meet.

The Obama administration passively endured years of cyber attacks leading to these most recent hacks. It only reluctantly named North Korea as the culprit in the hacking of Sony Pictures. A federal prosecutor indicted five Chinese military hackers, but the defendants remain safe in China. Mr. Obama got authority to order Treasury Department sanctions against anyone involved in a cyber attack that poses a “significant threat” against the US or an American company, but he has not used the power.

Mr. Clapper says it’s time for the US to get tougher by outlining in advance what the US response will be based on the seriousness of a hacking incident. He proposes specific punishments for crossing various hacking “red lines.”

Americans expect their government to protect them in the digital, as much as the physical, world. The next president should accept the responsibility to fight back against cyber war before more is lost.

WSJ: http://on.wsj.com/1JsvPdL
