Slashdot Mirror
China Denies Responsibility For US Government Data Breach
schwit1 writes: On Friday, Beijing responded to allegations from Washington that China was responsible for a cyberattack on the U.S. Office of Personnel Management that compromised the personal data of some 4 million government employees. The accusations, China's foreign ministry said, are "irresponsible" and "groundless." The OPM breach is the latest in a string of cyber 'incidents' that have coincidentally occurred in the wake of the Pentagon's new cyber strategy.
ZeroHedge argues, "Whether or not the most recent virtual attack on the U.S. did indeed emanate from China or one of Washington's other so-called "cyberadversaries" (the list includes Iran, Russia, and North Korea) will likely never be known the public, but rest assured the blame will be placed with a state actor so as to ensure the DoD has some precedent to refer to when, for whatever reason, the Pentagon decides it's time to deploy an "offensive" cyberattack later on down the road."
Irrespective of where the attack originated, it appears obsolete technology was ultimately to blame, because as Bloomberg reports, "Einstein" wasn't much help in preventing the intrusion: "It's behind schedule, the result of inter-agency fights over privacy, control and other matters, and only about half of the government was protected when the hackers raided OPM's databases last December. It's also, by the government's own admission, already obsolete. Over the last several months, U.S. officials have said that perimeter-based defenses such as Einstein, even backed by the National Security Agency's own corps of hackers, can never prevent break-ins."
ZeroHedge argues, "Whether or not the most recent virtual attack on the U.S. did indeed emanate from China or one of Washington's other so-called "cyberadversaries" (the list includes Iran, Russia, and North Korea) will likely never be known the public, but rest assured the blame will be placed with a state actor so as to ensure the DoD has some precedent to refer to when, for whatever reason, the Pentagon decides it's time to deploy an "offensive" cyberattack later on down the road."
Irrespective of where the attack originated, it appears obsolete technology was ultimately to blame, because as Bloomberg reports, "Einstein" wasn't much help in preventing the intrusion: "It's behind schedule, the result of inter-agency fights over privacy, control and other matters, and only about half of the government was protected when the hackers raided OPM's databases last December. It's also, by the government's own admission, already obsolete. Over the last several months, U.S. officials have said that perimeter-based defenses such as Einstein, even backed by the National Security Agency's own corps of hackers, can never prevent break-ins."
Furthermore, this is nothing new. In fact, it's been a known issue for a long time. The NSA is not only responsible for signals intelligence, but also has the responsibility of securing U.S. Government communications, i.e. Information Assurance. In the past, this meant coming up with strong codes and encryption systems of our own, while the other part of NSA worked on breaking enemy systems (like the WW2 Japanese Naval and Diplomatic codes for instance). The problem with that today is that there's no longer a difference. Everyone is using the same hardware and software platforms. The same systems that the US Government uses are also the ones used by cybercriminals in Krasnovia, terrorists hiding in caves in Dirka-Dirkastan, and other governments around the world, not to mention our own citizens. In theory that means the NSA would have to balance between using flaws it finds to exploit its targets, and making sure the flaws get patched so we're not vulnerable. If the results we see are the only measure, then they're perhaps tilting badly towards the intelligence/exploit side. I would note though that this isn't the only factor. Overall I'd say that the executives in charge, whether we're talking about the corporate world C*O types or Government SES types, put far too much value on accessibility, availability, and ease of use, and don't take the risks seriously enough. It's either that or they're bullshitting us about how damaging it was when the breach does occur, because if it was truly unthinkably bad then they should've taken it more seriously in the first place.
I saw something about the Navy considering a BYOD policy with the Navy's computer systems.
I mean... what the fuck? These idiots should just get a custom US government smartphone and anyone that asks for an iphone should get a black bag thrown over their head
Have to be a little careful how I respond to this... let's just say that the last thing you want is the Federal government (or at least the DoD and the Intel community) picking out your cellular technology for you. The world of cell phones has evolved in less than a decade from dumb phones that couldn't even text to portable supercomputers; GPS-enabled dog collars and pill bottles; and increased worldwide coverage at (inflation adjusted) equal or lower prices to what you got 10 years ago. In the US Federal government, 10 years has brought you the F-35 Joint Strike Fighter at billions over budget and years behind schedule. Let's please never think that the US government is compatible with cutting edge technology in anything that does not evade radar, blow things up, or do so simultaneously.
In the US government world, in a SCIF (Sensitive Compartmented Information Facility, anywhere where SECRET/TOP SECRET/SCI information is shared), you can't even bring a cell phone into the facility. Think about this: everyone at the NSA, DISA, CIA Langley etc. misses your phone call unless they are sitting at their desk. Forget that "Homeland" or "24" bulls**t about people using their Droid Razrs in CIA headquarters or wherever the hell Jack Bauer is supposed to be (Federal Secret Counter-Non Existent Surveillance Footage - Large Screen TV and Fake Hologram Agency?). This is how forward thinking the government is about mobility.
Additionally, in 2008 the government (NSA and DISA) got together to decide to do exactly what you suggested. The result? The Secure Mobile Environment - Portable Electronic Device (SME-PED) initiative, which began with a forward looking technology initiative, and by the time it had run the gantlet of DoD/Intel requirements and Federal acquisition policies, had turned into a gigantic brick of a device - running Windows CE - that cost multiple thousands of dollars. This was launched shortly after the iPhone hit the market.
I can't share the detailed results for a variety of reasons, but I can say that adoption was very poor. Real-world users decided to either stick with earlier, cheaper secure dumb phones; or just risk things and make phone calls about secret information on the mobile phones that they actually carried every day and wanted to use. At any rate, the lesson learned was that 1.) people love cell phones because they are cheap and people have lots of choices; and 2.) when the US government gets involved to pick a "secure" cell phone that all its employees should use, nobody actually uses it.
"95% of all Slashdot