OPM: Negligent security practices
SECURITY SHELF

OPM handles security clearances and U.S. government employee records. Security clearance information is particularly sensitive. Applicants are required to provide comprehensive personal information, and details about their immediate relatives including name, place and date of birth, current address, and employer.

A single security clearance file could lay the groundwork to steal the identities of a dozen people. Information from credit agencies, law enforcement, and intelligence databases is consulted prior to granting a clearance and may be included in the file.

Security clearance files provide information that is craved by foreign intelligence agencies and organized crime. They are obvious targets. Instead of investing significant resources investigating potential targets, they can simply use the information collected by the government.

If a foreign government breached OPM, it now has the ability to sift through the files, combine them with other open and closed-source intelligence, and target vulnerable employees in sensitive roles. Families of these employees may also be targeted. The effect could prove devastating to U.S. national security.

If criminals stole the data, it could be sold to hostile governments, terrorists, and a variety of criminals. It could be used to target U.S. employees, especially military, law enforcement, and intelligence. Criminals would likely use it for widespread identity theft.

U.S. government sources speaking anonymously to the media have been quick to point the finger at China. While it is certainly possible that China was involved, tracing the origin of sophisticated cyberattacks is incredibly difficult. Dozens of countries, including the United States, are engaged in global cyber warfare and it is not difficult for state-sponsored hackers to make attacks appear to originate from another country.

Blaming China is likely a tactic to deflect and distract attention away from the real problem. As the nation with the greatest access to the Internet, and home to one of the world’s largest intelligence agencies, the United States should have foreseen this intrusion and taken decisive action to protect this trove of sensitive information. In the wake of the Snowden revelations, it is likely that the U.S. has at least considered targeting similar information.

Sean Gallagher, IT Editor at Ars Technica, summarized the dismal state of security at OPM: “According to an October 2014 OPM Inspector General report, issued a year after (Director) Archuleta took over at OPM, the agency’s adherence to relevant laws, policies, and best practices at that point was severely lacking. Systems related to EPIC and support of other OPM applications had long been operating without essential security certification required under the Federal Information Security Modernization Act of 2014 and its predecessor, the Federal Information Systems Management Act (FISMA). The Office of the Inspector General called on Archuleta to shut the systems down until they were given official ‘Authority to Operate’ (ATO), because they posed a risk to national security. Continuing to operate them was, essentially, breaking federal law.”

Governments have an obligation to protect personal information entrusted to them. Despite budgets that make private sector security officers green with envy, dozens of U.S. and Canadian government departments have been seriously compromised. Governments desperately need fresh talent to adopt far more effective approaches to cybersecurity.

Until they can demonstrate cybersecurity proficiency, government departments should immediately move sensitive information to closed networks. While online systems might make it easier to initiate and process security clearances, the current state of system and network security is obviously inadequate.

The massive theft of personal information from OPM was the result of an attack by a sophisticated adversary against a government department with negligent security practices.

Have a security question you’d like answered in a future column? Email eric.jacksch@iticonline.ca.