Office of Personnel Management – Medill National Security Zone
http://nationalsecurityzone.medill.northwestern.edu
A resource for covering national security issues
Tue, 15 Mar 2016 22:20:28 +0000

Experts say retaliation over OPM cyber attacks may be misguided
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/09/03/experts-say-retaliation-over-opm-cyber-attacks-may-be-misguided/
Thu, 03 Sep 2015 23:59:43 +0000

WASHINGTON — With cyber attacks grabbing the public’s attention, calls for retaliation, especially against suspected state-sponsored intrusions, have escalated.

Critics argue that a passive approach by the U.S. government only emboldens perpetrators. Draw a red line, they urge; the massive Office of Personnel Management breach, in particular, warranted a decisive response by the government.

But on the other side, some experts warn that retaliation, in any form, would be shortsighted, simplistic, and unrealistic, potentially undermining America’s interests. The rules of engagement, even informal guidelines, have yet to be written, they say.

Those advocating hacking back say the OPM breach should have been the final straw. But where to strike? The Obama administration has not openly accused the Chinese government, or any government, of being behind the OPM cyber attack.

OPM, which conducts the background investigations behind federal security clearances, discovered in June that it had been hacked. The latest figures put the number of people whose records were compromised at roughly 22 million.

But Robert Knake, former head of cybersecurity policy at the National Security Council, said those advocating for hacking back are overreacting.

“It’s bad. But it’s not devastating,” said Knake of the names and Social Security numbers exposed by the breach. “The reason it’s not devastating is that we know about it.”

Speaking at an Atlantic Council panel last week debating the consequences of retaliating for cyberattacks, Knake said identifying the breach offers the opportunity to mitigate the damage. Once armed with this knowledge, the government can use the hack to its advantage, he argued.

For example, in the unlikely event that China uses information gleaned from the breach to identify Americans involved in sensitive activities, Knake said the U.S. could respond with misdirection by changing personnel.

Knake said the leaking of classified National Security Agency information by NSA contractor Edward Snowden changed the norms in cyberspace.

“We are in the post-Snowden period where the whole world knows the U.S. engages in this kind of [surveillance] activity,” said Knake. “That we have a very strong program. And we got through all those disclosures without … Angela Merkel or anyone else declaring that it was an act of war.”

Fighting cyber espionage requires a different skillset than defending against pre-Internet, traditional Cold War espionage, said Austin Berglas, former head of the FBI’s New York Cyber Branch. “Whatever country is trying to steal our state secrets or international property doesn’t have to have a physical body. They can do it from their own home. There is a cloak of anonymity that people can hide behind to deny the actions.”

Unlike the Cold War, when the adversary was clear, many more nations are now engaged in cyber espionage. China, Russia, North Korea and Iran have all been suspected as culprits.

Jason Healey, senior fellow at the Atlantic Council’s Cyber Statecraft Initiative, said that in the Cold War there was a set of unwritten “Moscow rules” illuminating red lines that would not be crossed.

“It wasn’t a treaty, but there was this sense of where each side could go and if they overstep that, then there might be repercussions,” Healey said at the Aug. 19 panel discussion. “We would never kill a Russian. They will never kill an American spy.”

In contrast, Healey said, no set of unifying standards exists for resolving cyber espionage conflicts.

“We have had some cyber espionage cases going back to 1986 where the KGB was spying,” said Healey.

In a telephone interview, Daniel Garrie, founder and editor in chief of the Journal of Law and Cyber Warfare, said countries’ varying attitudes towards cyber warfare make it harder to establish standards between the U.S. and other countries.

“Not only is there no playbook for countries and companies looking to respond to a cyberattack,” said Garrie, “but there are arguably a hundred different play-books, for each country, making the appropriate and permissible response all the more challenging, assuming your legal team understands what sort of action you are seeking to take.”

In some countries, Garrie said, hacking is “not per-se illegal and it is certainly not taboo or shameful, in fact, it appears in some countries that such activity is encouraged.”

While it may seem tempting to fight back aggressively against the perpetrators, a tit-for-tat approach in the OPM affair risks creating many more problems than it would solve.

Seeking better government cybersecurity, before and after the OPM data breach
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/08/10/seeking-better-government-cybersecurity-before-and-after-opm-data-breach/
Mon, 10 Aug 2015 20:59:49 +0000

WASHINGTON – After personnel data held by the Office of Personnel Management was compromised by hackers, the debate over how to improve, and possibly reform, the federal government’s approach to cybersecurity has become heated.

The OPM data breach began with the compromise of a highly privileged user’s credential, which also gave the attackers access to the Department of the Interior data center where OPM’s records were hosted. Although no data was stolen from DOI’s own systems, the intrusion raised serious concern about the protection of the department’s computer network.

Under the Federal Information Security Management Act, each federal agency is required to develop, document and implement an agency-wide program to provide information security. In practice, however, many federal agencies consume information protection services provided by other departments, such as DOI. The motive is cost, according to Sylvia Burns, chief information officer of DOI. “You can gain economy from the scale. So it’s less expensive and more efficient for a customer to consume services from a provider like that.”

In 2005, OPM first became a customer of DOI’s data hosting service. DOI provides the IT infrastructure, hosts the information, maintains the connection between DOI and OPM, and encrypts the link between the two agencies.

“Shared service is a concept of creating a more robust, centralized point of service around specific activities,” Burns said, explaining the origin of the concept. According to Burns, a 2001 data breach at DOI resulted in five DOI bureaus being disconnected from the Internet for about six and a half years. For fear of being disconnected again, every bureau and office in the department built its own separate protections. In that state, cooperation became hard, because each was trying to avoid being associated with trust data. In 2008, DOI reconnected those organizations to the Internet, and it turned out that the security controls made even day-to-day work difficult. That is when the department began to build a segmented, shared-service system.

Although this breach was not the result of a technical failure, DOI had not seriously addressed the roughly 3,000 critical vulnerabilities in its hundreds of publicly accessible computers identified by the Office of Inspector General. Viewed more broadly, OPM fell into the trap of an outdated model of cybersecurity sometimes called “line of sight governance”: the belief that if I can walk down a corridor to where everybody is working, then I control the security surrounding them. In the Internet era, when everyone is connected to the outside world, it is impossible to ensure security by assuming that the internal network is absolutely secure.

The newer model, which Google calls the BeyondCorp initiative, assumes that the internal network is as dangerous as the Internet. Using authentication, authorization and encryption, trust is moved from the network level to the individual user and device. For example, Google staff are required to use a hardware security key when connecting their computers to company resources. When the key is plugged into a USB port and tapped, it produces a one-time response to the login challenge; that response, together with the employee’s own username and password, is what grants access, not the network the request comes from.
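To make the access decision concrete, here is an added example of a BeyondCorp-style policy check; it is not Google’s or DOI’s code. It assumes a one-time code in the form of RFC 6238 TOTP standing in for the hardware key’s one-time response, a constructed user store and device inventory, and the RFC 6238 reference secret so the expected codes are known. The point it demonstrates is that the source IP is recorded but never consulted: the same credentials from an unmanaged device on the “internal” network are refused.

```python
"""BeyondCorp-style access decision (added example, constructed data).

Trust comes from (1) the user's password, (2) a one-time code and
(3) a registered, managed device.  The network the request arrives on
is logged but is deliberately not an input to the decision.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed device inventory: only organisation-managed devices are trusted.
DEVICE_INVENTORY = {
    "laptop-0042": {"owner": "alice", "managed": True},
}

# Constructed user store.  The TOTP secret is the RFC 6238 reference secret
# (assumption made so the reference test vectors apply).  A real deployment
# would store passwords with a slow hash (bcrypt/argon2), not plain SHA-256.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"12345678901234567890",
    },
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the one-time code for a given time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Request:
    user: str
    password: str
    otp: str
    device_id: str
    source_ip: str   # recorded for audit only; never a factor in the decision


def authorize(req: Request, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, reason).  Every factor is checked; network location is not."""
    now = int(time.time()) if now is None else now

    user = USERS.get(req.user)
    if user is None:
        return False, "unknown user"

    presented = hashlib.sha256(req.password.encode()).hexdigest()
    if not hmac.compare_digest(presented, user["pw_hash"]):
        return False, "bad password"

    # Accept the current 30-second step and one step either side for clock drift.
    valid_codes = [totp(user["totp_secret"], now + drift) for drift in (-30, 0, 30)]
    if not any(hmac.compare_digest(req.otp, code) for code in valid_codes):
        return False, "bad one-time code"

    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None or not device["managed"]:
        return False, "device not in inventory"
    if device["owner"] != req.user:
        return False, "device not assigned to user"

    # req.source_ip is intentionally unused: 10.0.0.0/8 earns no extra trust.
    return True, "ok"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; code for this step is 94287082
    print(authorize(Request("alice", "correct horse", totp(USERS["alice"]["totp_secret"], t),
                            "laptop-0042", "10.1.2.3"), now=t))
    print(authorize(Request("alice", "correct horse", totp(USERS["alice"]["totp_secret"], t),
                            "byod-7", "10.1.2.3"), now=t))
```

The decision order matters less than the fact that there is no branch on `source_ip`: an attacker who has stolen a privileged credential, as in the OPM case, still needs the one-time code and an inventoried device, and being inside the data center network buys nothing.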

“It’s relatively easy to get online in the company, but it can be very hard to access the internal system when you are at home because a VPN is needed. And not everyone can get it unless you are at a certain rank,” said Jiasong Sun, a Google employee. Some companies, including Coca-Cola Co., Verizon Communications Inc. and Mazda Motor Corp., are taking a similar approach.

Several questions about DOI’s role in the breach remain unanswered, including whether other agencies may have been compromised, how many breaches took place at DOI, and whether the attackers are still in the system. But a two-factor authentication system of this kind is one measure DOI is considering adopting after the data breach.

Rep. Will Hurd (R—TX) urges federal agencies and their CIOs to review past IG reports and address the vulnerabilities that have been identified. “We know what needs to be done, we just need to do it,” Hurd said.
