Another week, another round of bad news about the OPM breach. This time we learn the fingerprints of 5.6 million US government employees were exfiltrated by the ostensible Chinese hackers:

The attack on the agency, which is the main custodian of the government’s most important personnel records, has been attributed to China by American intelligence agencies, but it is unclear exactly what group or organization engineered it. Before Wednesday, the agency had said that it lost only 1.1 million sets of fingerprints among the records of roughly 22 million individuals that were compromised.

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a written statement. But clearly the uses are growing as biometrics are used more frequently to assure identity, in secure government facilities and even on personal iPhones.

The working assumption of investigators is that China is building a huge database of information about American officials or contractors who may end up entering China or doing business with it. Fingerprints could become a significant part of that effort: While a Social Security number or a password can be changed, fingerprints cannot.

Customs and immigration officials frequently fingerprint incoming travelers; millions of fingerprints in a Chinese database would help track the true identities of Americans entering the country.

“I am assuming there will be people we simply can’t send to China,” a senior intelligence official said this summer, before the most recent revelation. “That’s only part of the damage.”

The agency said that an “interagency working group,” with help from the F.B.I., the Department of Homeland Security and the intelligence agencies, “will review the potential ways adversaries could misuse fingerprint data now and in the future.”

The OPM breach is going to be studied for the next few years and will become the premier case study on how not to conduct cyber security. It is amazing they still have not increased their cyber defense capabilities since this all came to light a few short months ago.

In response to questions posed by Senator Ron Wyden, National Counterintelligence Executive William Evanina claims it is not the intelligence community’s job to warn OPM of cyber threats:

National Counterintelligence Executive William Evanina wrote a letter to Sen. Ron Wyden answering the Oregon Democrat’s questions about the landmark cyberattack, which has been blamed on the Chinese.

In the response to Wyden’s question of whether the intelligence community assessed the vulnerabilities of a database OPM maintained of highly sensitive background check information that OPM maintained or whether it offered any advice to OPM, Evanina pointed to bureaucracy.

“Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS),” Evanina wrote. “The statutory authorities of the National Counterintelligence Executive … do not include either identifying information technology (IT) vulnerabilities to agencies or providing recommendations to them on how to secure their IT systems.”

In the short letter, Evanina also defended the decision to maintain a database of the background checks going back as far as 1985, saying it offers the advantage of being able to “assess the ‘whole person’ over a long period of time.”

The Office of Personnel Management’s response to their recent massive breach is once again being challenged by the Inspector General, who warns OPM is not taking enough corrective action to prevent future

It said that as a result, the process to identify existing systems, evaluate their technical specifications, determine requirements, and estimate costs of moving the data into a more secure environment still has not been completed. Nor is there support for OPM’s belief that some of the cost of moving the data can be funded through discontinuing obsolete software, it said, calling OPM’s plan to find the rest of the funding from other accounts “inadequate and inappropriate.”

“Without this rigorous effort, we continue to believe that there is a high risk of project failure,” it said.

OPM also had rejected the IG’s recommendation to adopt industry best practices for planning such a project, saying it was following its own policies based on government standards. But the IG said that “based on documentation we have reviewed, we have determined that OPM is not in compliance with either best practices or its own policy.”

It noted that since the first report, former OPM director Katherine Archuleta had resigned under pressure and a Senate committee rejected a bid to add funding for the project even while backing extending the services to the victims. “In such a turbulent environment, there is an even greater need for a disciplined project management approach to promote the best possibility of a successful outcome,” it said.

Knowing how the government responds in these types of situations, I cannot say I am surprised. This sounds like business as usual.

US Director of National Intelligence James Clapper suggests the current global norms around conducting cyber attacks lead to little or no penalty for the perpetrators:

James Clapper (pictured), the nation’s top intelligence official, told the House intelligence committee that a muted response to most cyberattacks has created a permissive environment in which hacking can be used as a tool short of war to benefit adversaries and inflict damage on the United States.

“Until such time as we do create both the substance and the mindset of deterrence, this sort of thing is going to continue,” Clapper said, speaking specifically about the recently revealed hack of federal personnel information linked to China in which personal data on some 22 million current and former U.S. government employees, contractors, job applicants and relatives was stolen. “We will continue to see this until we create both the substance and the psychology of deterrence.”

The administration has yet to act in response to the OPM hack.

Last May, the Justice Department issued criminal indictments against five Chinese military hackers it accused of cyberespionage against U.S. corporations for economic advantage. FBI director James Comey said at the time the spying was to benefit Chinese companies, but he neither named the companies nor took formal action against them.

Sounds like more deterrence talk, which, as I discussed, is really pointless in cyber.

Although the Commander of US Cyber Command is dual-hatted as the Director of the National Security Agency, and although NSA likely has the greatest minds in cyber security on its payroll, they were not on the front lines of the OPM hack. In fact, NSA did step in to thwart the ostensible Chinese hackers, but it took a while for them to get to the battlefield:

After the intrusion, “as we started more broadly to realize the implications of OPM, to be quite honest, we were starting to work with OPM about how could we apply DOD capability, if that is what you require,” Rogers said at an invitation-only Wilson Center event, referring to his role leading CYBERCOM.

NSA, meanwhile, provided “a significant amount of people and expertise to OPM to try to help them identify what had happened, how it happened and how we should structure the network for the future,” Rogers added.

One of the command’s missions is to be prepared to defend key U.S. infrastructure, including the dot-gov domain — but only at the request of the affected organization and when directed by the president, a Defense official told Nextgov, adding that the top priority of CYBERCOM is to defend military networks.

Anyone surprised the NSA did not step in earlier in the breach process does not know how the agency generally reacts to these types of events. As an intelligence gathering organization, it is more important to the NSA to learn about attackers’ tradecraft than to actually prevent and defend against these types of breaches. NSA prefers to watch what the attackers are doing because it allows them to gain better insight into how the attacks happen, what vulnerabilities are being leveraged, and what tools they use once they do penetrate networks.

Long story short: if you were surprised the NSA did not prevent the OPM attack, don’t be – this is the NSA modus operandi.

Krebs has some sobering words for those who believe the forthcoming OPM credit monitoring contract will actually help prevent any form of identity theft (emphasis added):

No matter how you slice it, $133 million is a staggering figure for a service that in all likelihood will do little to prevent identity thieves from hijacking the names, good credit and good faith of breach victims. While state-sponsored hackers thought to be responsible for this breach were likely interested in the data for more strategic than financial reasons (recruiting, discovering and/or thwarting spies), the OPM should not force breach victims to pay for true protection.

As I’ve noted in story after story, identity protection services like those offered by CSID, Experian and others do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name. Where these services do excel is in helping with the time-consuming and expensive process of cleaning up your credit report with the major credit reporting agencies.

Many of these third party services also induce people to provide even more information than was leaked in the original breach. For example, CSID offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.

The only step that will reliably block identity thieves from accessing your credit file — and therefore applying for new loans, credit cards and otherwise ruining your good name — is freezing your credit file with the major credit bureaus. This freeze process — described in detail in the primer, How I Learned to Stop Worrying and Embrace the Security Freeze — can be done online or over the phone. Each bureau will give the consumer a unique personal identification number (PIN) that the consumer will need to provide in the event that he needs to apply for new credit in the future.

The Office of Personnel Management is so far behind the power curve after their recent breach that they have yet to notify the vast majority of people affected by the cyber attack ostensibly perpetrated by China. Currently there remain 21.5 million people still waiting to hear from OPM about their data leakage and the free three years of credit monitoring OPM will be offering (emphasis added):

“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future,” says Beth Cobert, who is serving as OPM’s acting director, following former director Katherine Archuleta resigning July 10, about one month after OPM first announced news of the data breach on June 4. “Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

Both OPM and the U.S. Department of Defense announced Sept. 1 that a $133 million contract has been awarded – by the U.S. General Services Administration, an independent agency that oversees about $500 billion in federal assets – to Identity Theft Guard Solutions, which does business as ID Experts. The company will offer prepaid credit monitoring, identity monitoring, identity theft insurance and identity restoration services to the 21.5 million affected individuals – as well as their dependent minor children who were under the age of 18 as of July 1, 2015 – for a three-year period.

The move to notify the 21.5 million individuals follows OPM already notifying 4.2 million victims of what the agency called a “separate but related” hack attack that compromised federal employees’ and contractors’ personnel records, which was first discovered in April, and which reportedly occurred in December 2014. The discovery of that incident led to the June 2015 discovery of the background-information theft, which reportedly began first with a May 2014 network intrusion, followed by attackers stealing massive amounts of data from July to August of that year. Many of the victims of the smaller breach were also victims of the background-investigation hack attack, OPM says.

Consider me one of the remaining 21.5 million who has yet to be notified.

Of course the US government is worried about cyber espionage leading to stolen sensitive data. However, another huge concern for the feds is the manipulation of that data so its integrity is called into question. This in turn leads to suspicion surrounding the legitimacy and accuracy of said data (emphasis added):

James Clapper, the director of national intelligence, told MSNBC last month “the next type of attack will involve deletion or manipulation of data as opposed to perhaps stealing it or denying service.” Jani Antikainen and Pasi Eronen, in an article on the Overt Action Web site, said that could result in the government not trusting its own personnel data, and therefore not its people.

Nothing is worse than the loss of trust.

“Suddenly, cleared personnel would have different relatives and some suspicious names in their ‘who do you know’ networks,” they wrote. “These unauthorized changes would thus deliver a massive blow to the trustworthiness of all data in the system… maliciously manipulating official forms and records on a large scale would turn them toxic and into a source of great mistrust.”

Clapper’s office has warned employees they could be hit by various social engineering tools “bad actors” could use “to gain your trust and extract further information or manipulate you to take actions you would not otherwise take.”

The social engineering tools include phishing (for example, using an e-mail attachment to install malicious software), social media deception and human targeting.

Let me repeat that: nothing is worse than the loss of trust. Forget ever handling classified material again once that trust is broken.
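The manipulation threat Clapper and the Overt Action authors describe above has a standard mitigation: make unauthorized edits detectable rather than merely hoping they never happen. The following is an added illustration, not code from this post, from OPM or from any of the quoted sources. It assumes a hypothetical record layout (id, name, relatives, contacts) and a verification key that is held outside the database, so that an attacker who gains write access to the records cannot produce valid integrity tags for altered ones.

```python
"""Tamper-evident personnel records (added example; hypothetical layout).

A stolen copy of the data cannot be undone, but silent edits to the live
data can be caught: each record carries an HMAC computed with a key the
database server never holds, so a write-capable intruder cannot re-tag a
record after changing its 'relatives' or 'contacts' fields.
"""
import hashlib
import hmac
import json

# Constructed sample key; in practice kept in an HSM or a separate service,
# never alongside the records it protects.
VERIFY_KEY = b"example-key-held-outside-the-database"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so field order cannot change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = VERIFY_KEY) -> dict:
    """Return a copy of the record with an integrity tag attached."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify(record: dict, key: bytes = VERIFY_KEY) -> bool:
    """True only if the record's tag matches its current contents."""
    if "tag" not in record:
        return False
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def audit(records: list) -> list:
    """Return the ids of records whose contents no longer match their tag."""
    return [r.get("id") for r in records if not verify(r)]


# Constructed sample data, loosely mirroring the 'who do you know' fields.
SAMPLE = [
    seal({"id": 1001, "name": "A. Example", "relatives": ["B. Example"],
          "contacts": ["C. Colleague"]}),
    seal({"id": 1002, "name": "D. Sample", "relatives": [], "contacts": []}),
]


def simulate_tamper(records: list) -> list:
    """Model an intruder with write access who edits a record but has no key.

    Returns a modified copy; the originals are left untouched.
    """
    tampered = [dict(r) for r in records]
    tampered[0]["relatives"] = tampered[0]["relatives"] + ["X. Suspicious"]
    return tampered


if __name__ == "__main__":
    print("clean audit (expect no ids):", audit(SAMPLE))
    print("after tamper (expect [1001]):", audit(simulate_tamper(SAMPLE)))
```

Running the file seals two constructed records, then shows that adding a name to one record's relatives list makes `audit` flag that record while the untouched one still verifies. The design point is key separation: the tags are only meaningful if the verification key lives somewhere the database-facing systems cannot read, which is the difference between a checksum and an integrity control.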

DoD has tasked the Navy with finding a contractor capable of protecting OPM hack victims from identity theft (emphasis added):

NAVSEA expects to award the immediate contract for protection services related to the hack of background investigations data by the end of August, Leshak said. GSA originally planned on selecting a contractor by Aug. 21, though an OPM spokesman has said that schedule was “notional.”

The delays in finding a contractor to deliver protection services to hack victims have angered potential bidders and hack victims, with the latter group complaining members of the federal and contractor community are anxiously awaiting information if they were affected.

Even after the contracting process is finalized and all the notifications are sent out, Congress could further complicate the situation through its own intervention. A Senate committee has unanimously backed a provision to give hack victims 10 years of credit monitoring and identity theft protection services. A bipartisan pair of House lawmakers introduced a similar measure last week, while a Democratic leader in the lower chamber has endorsed lifetime credit monitoring.

Always remember: DoD uses lowest bidder.

The Obama Administration has finally come to the realization it can no longer hide its head in the sand since every media outlet has reported on China being the culprit behind the massive OPM breach. It is at this crossroads the US has decided to retaliate against China for hacking but the officials remain uncertain on the exact method to be used:

But in a series of classified meetings, officials have struggled to choose among options that range from largely symbolic responses — for example, diplomatic protests or the ouster of known Chinese agents in the United States — to more significant actions that some officials fear could lead to an escalation of the hacking conflict between the two countries.

That does not mean a response will happen anytime soon — or be obvious when it does. The White House could determine that the downsides of any meaningful, yet proportionate, retaliation outweigh the benefits, or will lead to retaliation on American firms or individuals doing work in China. President Obama, clearly seeking leverage, has asked his staff to come up with a more creative set of responses.

“One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence,” said one senior administration official involved in the debate, who spoke on the condition of anonymity to discuss internal White House plans. “We need to disrupt and deter what our adversaries are doing in cyberspace, and that means you need a full range of tools to tailor a response.”

In public, Mr. Obama has said almost nothing, and officials are under strict instructions to avoid naming China as the source of the attack. While James R. Clapper Jr., the director of national intelligence, said last month that “you have to kind of salute the Chinese for what they did,” he avoided repeating that accusation when pressed again in public last week.

But over recent days, both Mr. Clapper and Adm. Michael S. Rogers, director of the National Security Agency and commander of the military’s Cyber Command, have hinted at the internal debate by noting that unless the United States finds a way to respond to the attacks, they are bound to escalate.

Mr. Clapper predicted that the number and sophistication of hacking aimed at the United States would worsen “until such time as we create both the substance and psychology of deterrence.”

ADM Mike Rogers, the US Cyber Command Commander and Director of the National Security Agency, stated the millions of personnel data records stolen in the OPM breach will be used in big data analytics to tailor both nation-state and criminal cyber attacks (emphasis added):

Additionally, nation states and criminal groups are gathering up vast amounts of data and analyzing it to identify “insights about people as individuals,” Rogers said.

The goal is “to tailor products in the form of emails, that seem to you as a user so appropriate that you would receive it, [and suspect] it’s from somebody I know. It’s a topic that I really care about. It’s an issue that I’ve been really focused on for a long time,” the four-star admiral said.

Those custom-tailored emails are designed “as a vehicle to actually get you to open an email, click on an attachment, click on a video link.”

“Perhaps [it’s] unrelated that in the last nine months I am watching huge spear phishing campaigns coming out of several nations around the world directed against U.S. targets,” Rogers said, adding that the big data cyber attacks and the increase in spear phishing attacks are “not unrelated to me.”

Only a few years ago, intelligence and cyber security officials tended to focus on the potential theft of intellectual property, as well as research and development information, that could provide market advantages.

“And we really hadn’t come to a conclusion that perhaps not only is that of concern, but you combine the power of Big Data analytics, and the fact that today, the ability to bore through huge amounts of data and find seemingly disconnected and unrelated data points and bring coherent meaning and insight, [is] something that wasn’t there in the past,” Rogers said.

As a result of the trend in cyber attacks over the past two years involving large-scale downloads of personal data and personnel information, the Pentagon has shifted the focus of its cyber defenses and now regards Big Data as a major new target.

As a result of the recent OPM breach, the CIA is considering preventing a large number of its American spies from working overseas ever again because of the potential danger they face (emphasis added):

The C.I.A. and other agencies with undercover officers would be cautious about immediately withdrawing spies from China because that would raise suspicions among Chinese counterintelligence operatives. A C.I.A. spokesman declined to comment.

The C.I.A. and other agencies typically post their spies in American embassies, where the officers pose as diplomats working on political affairs, agricultural policy or other issues. The American Embassy in Beijing has long housed one of the largest C.I.A. stations in the world, with intelligence officers gathering information on China’s political maneuvering, economic development and military modernization.

Several current and former officials said that even if the identities of the agency officers were not in the personnel office’s database, Chinese intelligence operatives could run searches through the database on everyone granted visas to work at American diplomatic outposts in China. If any of the names are not found in the stolen files, those individuals could be suspected as spies by a process of elimination.

The director of the National Security Agency, Adm. Michael S. Rogers, alluded to that problem Thursday night during an interview at the Aspen Security Forum in Colorado.

“From an intelligence perspective, it gives you great insight potentially used for counterintelligence purposes,” Admiral Rogers said. “If I’m interested in trying to identify U.S. persons who may be in my country — and I am trying to figure out why they are there: Are they just tourists? Are they there for some other alternative purpose? — there are interesting insights from the data you take from O.P.M.”

As I keep saying, the OPM breach is one of the worst in the history of the US government and will have unintended consequences for years to come.

Even though various members of the government are claiming China is responsible for the OPM breach, it is highly unlikely the Obama administration will officially acknowledge China’s culpability:

US government bodies, including spy agencies, also spy on foreign governments and conduct sweeping data-collection. This includes, for example, tapping into undersea telecommunications cables, as exposed in documents leaked by former National Security Agency contractor Edward Snowden.

Some US government sources said Washington would prefer to avoid engaging with China and other governments in public spats over activities that the United States itself pursues. They fear this could provoke foreign spies either to step up intelligence collection or tighten security measures, or both.

There was some support in Congress for publicly naming China.

“I think there is a lot of deterrence value in showing that you know who the adversary is,” said Republican Senator Susan Collins, a member of the Senate Intelligence Committee, as she introduced legislation to boost government cyber-security.

US officials said the Obama administration had not totally ruled out retaliatory measures against China for the hacking.

Even if new sanctions or other actions were undertaken, it was also possible Washington would not publicly link this to the hacking attacks, but rather advise China privately that the penalties are related to hacking, they said.

As upset as people are about this hack, they should direct their anger where it belongs: at the United States, and OPM specifically. We should expect China to engage in this type of behavior just as we expect the US to perform similar intelligence collection activities against other nations. At its core, this was spying at its finest, thanks to the terrible cyber security OPM employed.

This should be a huge lesson learned for the US government and a catalyst for it to finally get its act together.

After being hit with the largest breach in US government history, OPM is “incrementally” restarting its security clearance management system e-QIP (emphasis added):

Shut down in late June for “security enhancements,” the Office of Personnel Management’s e-QIP system was back on line, OPM spokesman Sam Schumach said in a statement.

He said, however, that the system would only “incrementally” be re-opened to users so as to “resume this service in an efficient and orderly way.”

OPM was sorely criticized after it reported in April and May that computer breaches had compromised job and security clearance personal data related to more than 22 million people. The e-QIP system was shut down two weeks ago as a precaution.

Bringing e-QIP back up incrementally means that, at first, only clearance applicants who had already started submitting data to the system for their clearance applications would be invited to start using it again.

New applicants would be unable to use the system for an unspecified time period, an official said.

OPM’s statement said that it had turned off e-QIP “proactively” and that there was no evidence that a “vulnerability” discovered in the system had been “exploited” by hackers.

As if having personally identifiable information stolen was not bad enough, the US Navy now says fingerprint records were also compromised in the recent devastating OPM breach:

The Department of the Navy (DON) has sent a notice to more than 436,000 active duty personnel and reservists, as well as over 195,000 civilian employees, warning that data compromised in the recent breach at the Office of Personnel Management (OPM) also included fingerprint records.

“The interagency team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases,” said Thomas W. Hicks in performing the duties of the Under Secretary of the Navy.

“This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million included fingerprints.”

Late last week, OPM announced the results of the interagency forensics investigation into the second known security breach at the agency involving federal background investigation data, increasing the confirmed number of current, former, and prospective federal employees, military members, and contractors impacted by the breach.

“If an individual underwent a background investigation through OPM in 2000 or afterwards, it is highly likely that the individual is impacted by this cyber breach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely,” Hicks said.

As more forensics and analysis are completed on this attack, expect further bad news before we start hearing anything good come out of this breach.