OPM Response to Massive Breach Is Being Challenged by the Inspector General

The Office of Personnel Management’s response to its recent massive breach is once again being challenged by the Inspector General, who warns OPM is not taking enough corrective action to prevent future

It said that as a result, the process to identify existing systems, evaluate their technical specifications, determine requirements, and estimate costs of moving the data into a more secure environment still has not been completed. Nor is there support for OPM’s belief that some of the cost of moving the data can be funded through discontinuing obsolete software, it said, calling OPM’s plan to find the rest of the funding from other accounts “inadequate and inappropriate.”

“Without this rigorous effort, we continue to believe that there is a high risk of project failure,” it said.

OPM also had rejected the IG’s recommendation to adopt industry best practices for planning such a project, saying it was following its own policies based on government standards. But the IG said that “based on documentation we have reviewed, we have determined that OPM is not in compliance with either best practices or its own policy.”

It noted that since the first report, former OPM director Katherine Archuleta had resigned under pressure and a Senate committee rejected a bid to add funding for the project even while backing extending the services to the victims. “In such a turbulent environment, there is an even greater need for a disciplined project management approach to promote the best possibility of a successful outcome,” it said.

Knowing how the government responds in these types of situations, I cannot say I am surprised. This sounds like business as usual.

DNI Suggests Conducting Cyber Attacks Leads to Little to No Penalties for the Perpetrators

US Director of National Intelligence James Clapper suggests the current global norms around conducting cyber attacks lead to little to no penalties for the perpetrators:

James Clapper (pictured), the nation’s top intelligence official, told the House intelligence committee that a muted response to most cyberattacks has created a permissive environment in which hacking can be used as a tool short of war to benefit adversaries and inflict damage on the United States.

“Until such time as we do create both the substance and the mindset of deterrence, this sort of thing is going to continue,” Clapper said, speaking specifically about the recently revealed hack of federal personnel information linked to China in which personal data on some 22 million current and former U.S. government employees, contractors, job applicants and relatives was stolen. “We will continue to see this until we create both the substance and the psychology of deterrence.”

The administration has yet to act in response to the OPM hack.

Last May, the Justice Department issued criminal indictments against five Chinese military hackers it accused of cyberespionage against U.S. corporations for economic advantage. FBI director James Comey said at the time the spying was to benefit Chinese companies, but he neither named the companies nor took formal action against them.

Sounds like more deterrence talk, which, as I discussed, is really pointless in cyber.

Likelihood of Cyber Norms Making a Difference During a Cyber Conflict Is Infinitesimal

Even though the United States hopes to make a case for them, the likelihood of cyber norms making a difference during a cyber conflict is infinitesimal (emphasis added):

As a general rule, states develop norms to promote their interests and a norm will only spread if other states perceive it to be in their interest to abide by it. Historical examples of this are plentiful. In the late 19th century, Russia pursued constraining norms against the possession and use of chemical and biological weapons as well as strategic bombing at the First Hague Conference. Russia had failed to master these new weapons and wanted to constrain potential adversaries. Britain, on the other hand, opposed a norm restricting strategic bombing because it saw bombing as a tool to offset the relatively small size of its ground forces. As a result, the conference agreed to prohibit the “discharge of projectiles and explosives from balloons or by other new analogous methods” for a temporary period of five years while prohibiting chemical and biological weapons indefinitely. These bans lasted until the powers of the day determined it was not in their self-interest to maintain them. Britain and Germany both used chemical weapons in World War I and strategic bombing was used throughout World War II by all parties.

The requirement that states perceive a norm to be in their self-interest means that norms containing offensive cyber activity are unlikely to work. Unlike other forms of weaponry, cyber weapons are stealthy, making it difficult for planners to determine whether cyber weapons will be useful in the future. Furthermore, some states rely more on cyberspace than others, making states that are less dependent on the Internet less vulnerable to an attack. These relatively immune states will struggle to determine if constraining norms are in their interest as many states did with strategic bombing and will want to keep their options open.

It is the same thing with cyber deterrence – it just does not work. There is no way to project cyber power in cyberspace in the same capacity as can be done with conventional kinetic warfare in the other war-fighting domains. Surely the threat of a kinetic response to a cyber attack can be a deterrent, but I am talking specifically about deterrence via cyber capabilities. The possibilities exist but do not have the same effect.

US and China Doing a Lot of Cyber Attack Political Posturing

The US and China sure are doing a lot of political posturing over cyber attacks lately, especially within the US and a call for sanctions in retaliation for the OPM breach (emphasis added):

The idea that the U.S. would unleash sanctions on top Chinese officials or companies in the lead-up to a presidential summit was always a long shot, despite scattered administration leaks that the sanctions were under consideration. The advance meetings suggest the U.S. is still pushing for a diplomatic resolution to Chinese hacking, but the White House was tight-lipped in its statement about whether the advance meeting yielded any tangible results — a key indication of whether diplomacy may be working or if both sides have hit another brick wall. Publicly, President Barack Obama was still talking tough on cyber as the meetings went on.

State Department Cyber Coordinator Chris Painter rushed out of an international cyber cooperation conference in New York, hosted by the East West Institute, shortly after a panel he was speaking on concluded Sept. 9 — possibly to attend meetings with Meng. He also seemed to downplay the likelihood of cyber sanctions before departing, noting during his panel that “despite what you may read in the press, the sanctions have not been used.” He also noted the sanctions will be “used in the future to address significant cyber conduct … [when] other tools really just aren’t adequate.”

The consensus among other attendees at the East West conference? Sanctions are unlikely in advance of the Obama-Xi summit at the end of this month, a dozen or so experts opined to Joe, but that doesn’t mean they’re off the table.

There will be no sanctions against China. Doing so is like the pot calling the kettle black.

US Health Insurer Excellus BlueCross BlueShield Has Been Breached and 10 Million Records Exposed to Malicious Actors

Another week, another hack. This time US health insurer Excellus BlueCross BlueShield has been breached and 10 million records exposed to malicious actors:

The initial attack occurred in December 2013, but the company did not learn about it until Aug. 5. Since then it has been working with the FBI and cybersecurity firm Mandiant to investigate the breach.

The hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information.

Records may contain all or just some of that information, depending on the customer’s relationship with the company. The breach doesn’t affect just Excellus members, but also members of other Blue Cross Blue Shield plans who sought medical treatment in the upstate New York area serviced by the company.

The information was encrypted, but the attackers gained administrative privileges to the IT systems, allowing them to potentially access it, the company said on a website that was set up to provide information about the incident.

No evidence has been found yet that the data was copied or misused by the attackers.

Excellus will send breach notification letters via mail to all affected persons throughout the month and is offering free credit monitoring and identity protection services for two years through a partner.

Admiral Mike Rogers Believes the Cyber Security Danger Is Continuing to Grow and Will Only Get Worse

According to the Director of the National Security Agency, Admiral Mike Rogers, the cyber security danger is continuing to grow and will only get worse before we start to see things begin to subside:

“Our nation is being challenged as never before to defend its interests and values in cyberspace,” Adm. Rogers said in a report made public this week. “Adversaries increasingly seek to magnify their impact and extend their reach through cyber exploitation, disruption and destruction.”

The four-star admiral is intent on moving quickly “to build our military capabilities” as the key element of “the nation’s war fighting arm in cyberspace,” according to the report, “Beyond the Build: Delivering Outcomes through Cyberspace.”

The Fort Meade, Maryland-based command, co-located with the National Security Agency that Adm. Rogers also directs, is integrating cyberwarfare capabilities into other war-fighting commands for use “when significant cyber attacks against the nation require DoD support,” Adm. Rogers stated in an introduction to the report.

The report says the United States is losing its technology edge to adversaries and competitors in cyberspace. Defense Secretary Ashton Carter confirmed the problem in a speech in St. Louis Wednesday.

“Nations like Russia and China are modernizing their militaries to try to close the technology gap and erode our superiority in every domain — air, land, sea, space and cyberspace,” Mr. Carter said in a speech. “And at the same time, our reliance on things like satellites and the Internet has led to real vulnerabilities that our adversaries are eager to exploit.”

Are we really supposed to believe the US is falling behind technologically? Surely this is propaganda designed to scare Congress into increasing NSA and USCC budgets?

US Department of Energy Successfully Compromised Over 150 Times Between 2010-2014

The US Department of Energy, the agency overseeing the US power grid, nuclear arsenal, and national science labs, has been successfully compromised over 150 times between October 2010 and October 2014:

USA Today reports that 53 of the successful attacks were root compromises, meaning the attackers had administrator privileges on compromised DOE computer systems.

Of the 159 successful intrusions, 90 compromised the DOE Office of Science, which conducts energy research, and another 19 attacks compromised the National Nuclear Security Administration – the agency in charge of securing the nation’s stockpile of nuclear weapons.

The DOE disclosed a breach in July 2013 that compromised personal records of 104,000 past and current federal workers, contractors and their dependents.

But the DOE isn’t saying what data or systems may have been compromised in the other 158 breaches – that information has been redacted from the records.

A DOE spokesperson told USA Today that the agency can’t comment on investigations into the compromises or who might have been behind them.

But it’s quite possible that other nation states could be the culprits, as the US’s top cybersecurity official alluded to in a speech in Washington, DC this week.

US & Chinese Officials Meet to Discuss Cyber Security Issues

The US and China are playing cyber security politics in an attempt to solve the cyber attack issues currently plaguing both countries:

U.S. national security adviser Susan Rice had a “frank and open exchange about cyber issues” in her meeting this week with Meng Jianzhu, secretary of the Central Political and Legal Affairs Commission of the Chinese Communist Party, the White House said in a statement.

The Chinese delegation also had meetings with Federal Bureau of Investigation Director James Comey and representatives from the Justice, State and Treasury departments and the intelligence community, the statement said.

President Barack Obama said last month he would raise concerns about China’s cyber security behavior when he meets with Xi in Washington.

The Obama administration is considering targeted sanctions against Chinese individuals and companies for cyber attacks against U.S. commercial targets, several U.S. officials have said.

Chinese State Councilor: US and China Can Cooperate on Cyber Security Global Norms

According to Chinese State Councilor Yang Jiechi, the US and China can cooperate with each other and with other countries on global cyber security norms:

“China and the United States actually can make cyber security a point of cooperation between our two countries,” Yang said in an interview focused on Chinese President Xi Jinping’s upcoming state visit to America.

“We hope China, the United States and other countries could work together to work out the rules for cyber security in the international arena in the spirit of mutual respect, equality and mutual benefit,” said Yang, who outranks the foreign minister.

The Obama administration is considering targeted sanctions against Chinese individuals and companies for cyber attacks against U.S. commercial targets, several U.S. officials have said. Chinese hackers have also been implicated in the massive hacking of the U.S. government’s personnel office disclosed this year.

Clapper’s testimony added to pressure on Beijing over its conduct in cyberspace just weeks before Xi’s visit.

Yang noted, as Chinese officials regularly do, that China was itself a hacking victim and said suspected cases of hacking should be investigated and handled “on a solid, factual basis”.

Director of National Intelligence: Snowden Forced “Needed Transparency”

The Director of National Intelligence James Clapper admitted in a public forum the Snowden disclosures forced “needed transparency” even though he still believes it was the wrong way to go about it:

In comments after giving the opening plenary presentation of the Intelligence & National Security Summit, Director of National Intelligence James Clapper said that the disclosures made by former National Security Agency contractor Edward Snowden had driven the intelligence community to become more transparent to citizens about how it does business. In response to a question about the impact of Snowden’s disclosures on the intelligence community asked through moderator and former Director of National Intelligence Ambassador John Negroponte, Clapper said, “On one hand, it forced some needed transparency, particularly on programs that had an impact on civil liberties and privacy in this country. If that had been all he had done, I could have tolerated it.”

But, Clapper added, Snowden “exposed so many other things that had nothing to do with” civil liberties and privacy, including information about the US intelligence community’s operations that did tangible damage to operations. “He has [done] untold damage to our collection activities,” Clapper said, asserting that “terrorists have gone to school on what Snowden leaked.” And programs that had a real impact on the security of American forces overseas, including one program in Afghanistan, “which he exposed and Glenn Greenwald wrote about, and the day after he wrote about it, the program was shut down by the government of Afghanistan,” Clapper noted.

That statement was likely an allusion to the NSA’s monitoring of virtually all the phone calls in the Bahamas and one other country—a country that Wikileaks later outed as Afghanistan.