Enough time has passed since the known OMP hacks for some of the commentary to become less breathless and morally outraged. As I pointed out in The New ‘China Syndrone’ – Saving Face By Blaming China (June 6, 2015), the hack of OPM could have been by anybody given the state of its security.
Kristen Eichensehr points out in The OPM Hack and the New DOD Law of War Manual that even assuming that China was behind the hack, this was just day-to-day espionage, which is no prohibited by international law.
I have been meaning to post about the new DOD Law of War Manual just to call it to your attention so consider that done. Bearing in mind the laws of war are drafted to favor current “conventional” tactics. Another example of law having its thumb on the scale of justice.
Benjamin Wittes quotes Dennis Hayden (former NSA and CIA chief) as saying:
The episode, he says, “is not shame on China. This is shame on us for not protecting that kind of information.” (Michael Hayden: “Those Records are a Legitimate Foreign Intelligence Target”)
How much “shame on us?”
Ken Dilanian reports in Fed Personnel Agency Admits History of Security Problems:
An Office of Personnel Management investigative official said June 16, 2015, the agency entrusted with millions of personnel records has a history of failing to meet basic computer network security requirements. Michael Esser, assistant inspector general for audit, said in testimony prepared for delivery that, for years, many of the people running the agency’s information technology had no IT background. He also said the agency had not disciplined any employees for the agency’s failure to pass numerous cyber security audits.
…
I suspect it will take months of testimony to drag out the sorry tale of cyberinsecurity at OPM. But in a calmer atmosphere, it is clear that all fault for the breach lies with the Office of Personnel Management.
The some of the remaining questions are:
- How to fix a fundamentally broken IT system (that hasn’t been fully accounted for)?
- How to hold staff accountable for failures to maintain cybersecurity?
I can give you a hint on the first question: Don’t use traditional the traditional prime, sub-primes, etc. infrastructure. Hire contractors to write requirements (who won’t be bidding on fulfillment), with built-in milestones and then ask several of the larger IT services companies to bid.
The second question is easier. Fire everyone with managerial responsibilities and keep the other staff. Blacklist the fired staff from any future government service or employment with a government contractor. Then freeze all their benefits until their liability for damages from the data breaches can be assessed.
Think of it as a “teaching moment” that will encourage greater diligence when it comes to cybersecurity in government offices.
PS: In terms of a likely timetable for improvement of cybersecurity at OMP and other federal offices, see my: Cybersecurity Sprint or Multi-Year Egg Roll?