Breaking Defense discusses the recent Chinese cyber intrusion into OPM and how the US needs a strong cyber strategy before retaliating:
The Chinese plan seems to be to gather clearance information from the Office of Personnel Management, combine it with your next of kin, home phone, family members, etc. and suddenly they’ve got the cheat sheet for just about every “have you forgotten your password” question out there in IT land. With the answers to the “who am I?” questions, the Pandas can then delegate the rote work of actually being you to others with lesser technical skills who will use your identity online, try to access your other credentials, and use the large amount of information in the big data bin to gain access to any number of sensitive government, research, and financial systems.
We should be deeply concerned as a nation about this – millions of cleared individuals have had an enormous amount of personal information taken, their online identities made far more vulnerable, and secure accounts more easily compromised. We are seeing a nation-state moving with aplomb across our commercial and governmental networks gathering HUMINT (Human Intelligence) data with little resistance and — to date — no consequences. We have a governmental response that is hamstrung by turf and policy and befuddled by the speed of change in this newest of global commons (military speak for places we fight: Land, Sea, Air, Space, CyberSpace).
Combine all this with the Fed’s enormous loss of credibility in the “keep a secret” department resulting from Snowden, Manning, and the IRS online return scandal and you have the makings of tremendous barriers to sharing information within the government. Who wants to share information with an organization that can’t protect it? This is important because one of the lynchpins of the Fed’s strategy is to encourage, and in some industries mandate, information sharing on incidents for the greater good. The security world’s explosive reaction to DHS chief Jeh Johnson’s keynote at the RSA conference this year in which he said “Our inability to access encrypted information poses public safety challenges” as part of a larger theme of asking industry to help the government figure out how to break or weaken encryption set off the brouhaha.