Slashdot Mirror
China Denies Responsibility For US Government Data Breach
schwit1 writes: On Friday, Beijing responded to allegations from Washington that China was responsible for a cyberattack on the U.S. Office of Personnel Management that compromised the personal data of some 4 million government employees. The accusations, China's foreign ministry said, are "irresponsible" and "groundless." The OPM breach is the latest in a string of cyber 'incidents' that have coincidentally occurred in the wake of the Pentagon's new cyber strategy.
ZeroHedge argues, "Whether or not the most recent virtual attack on the U.S. did indeed emanate from China or one of Washington's other so-called "cyberadversaries" (the list includes Iran, Russia, and North Korea) will likely never be known the public, but rest assured the blame will be placed with a state actor so as to ensure the DoD has some precedent to refer to when, for whatever reason, the Pentagon decides it's time to deploy an "offensive" cyberattack later on down the road."
Irrespective of where the attack originated, it appears obsolete technology was ultimately to blame, because as Bloomberg reports, "Einstein" wasn't much help in preventing the intrusion: "It's behind schedule, the result of inter-agency fights over privacy, control and other matters, and only about half of the government was protected when the hackers raided OPM's databases last December. It's also, by the government's own admission, already obsolete. Over the last several months, U.S. officials have said that perimeter-based defenses such as Einstein, even backed by the National Security Agency's own corps of hackers, can never prevent break-ins."
ZeroHedge argues, "Whether or not the most recent virtual attack on the U.S. did indeed emanate from China or one of Washington's other so-called "cyberadversaries" (the list includes Iran, Russia, and North Korea) will likely never be known the public, but rest assured the blame will be placed with a state actor so as to ensure the DoD has some precedent to refer to when, for whatever reason, the Pentagon decides it's time to deploy an "offensive" cyberattack later on down the road."
Irrespective of where the attack originated, it appears obsolete technology was ultimately to blame, because as Bloomberg reports, "Einstein" wasn't much help in preventing the intrusion: "It's behind schedule, the result of inter-agency fights over privacy, control and other matters, and only about half of the government was protected when the hackers raided OPM's databases last December. It's also, by the government's own admission, already obsolete. Over the last several months, U.S. officials have said that perimeter-based defenses such as Einstein, even backed by the National Security Agency's own corps of hackers, can never prevent break-ins."
What matters is that the ongoing incompetence of the federal government permitted it to happen.
I'll say again, instead of getting the NSA to anally probe your own people utterly violating the 4th amendment... why don't you task your teams of tamed hackers to strengthen security throughout the government's computer systems?
They know how to breach systems so they know how to secure them. All they have to do is make the system so tough that even they couldn't get into them. And task a few of them to literally try to emperically test whether the security has literally arrived advanced to that point.
This is not an unreasonable standard.
If the NSA can breach your systems than so can the chinese probably. So if you want to keep the chinese out... make it tough enough that the NSA can't get in.
Any excuses should be met with summary executions. Just pistol to the temple and a query for any further questions?
Seriously though... the bad security is not acceptable. And without some drastic changes in culture, the systems will remain open books to any nation or even many criminal organizations that want in for any reason.
That's pathetic.
And a big part of the issue is that we're not putting technical people in charge of security.
Look, you wouldn't a guy without experience running warships in charge of the Navy would you? Would you put someone with no experience flying airplanes in charge of the air force? Then why are we putting non-computer experts in charge of computer systems?
They don't know what the fuck they're doing. Its like putting an accountant in charge of the Marines or putting the Marines in charge of a law firm. It doesn't make any sense. Stop doing that.
If you're having a hard time finding someone with command chops in the technical fields, then do what you do in every other branch of the government when you encounter that exact problem. Have a training program where in your people can get promoted into management. Why is this rocket science? The government understand this everywhere else in largely flawlessly. You need someone to run some aspect of the justice department? You promote someone with skills from within the department that understands LAW and law enforcement.
The ongoing idiocy of my entire culture... forget the government because the corporations are little better in most cases... it is shocking. They almost never put people that understand the tech in charge of the actual f'ing machines.
They understand they need to hire a lawyer to run the legal department. They understand they have to hire an accountant to run the Accounting department. They understand they have to hire a marketing guy to run the marketing department. But when it comes to IT? Well you can use anyone apparently. Put an accountant in charge... or a lawyer... or a marketing guy... or whatever. A fucking bag of dead kittens would appear to be sufficient.
The governments and big corps will say "but it will be really expensive to fix our problems"... it is only expensive because you've deferred maintenance for a million years. That like saying you can't fix the roof that has rotted out because that will be expensive. You fix that roof. You maintain that roof. You do not fuck with the roofing guys when they're telling you what has to happen. Because you know and understand that failing to do it means you get rained on.
The computer systems are the same thing. Only you only notice there is a problem if you know enough to notice or if there is a huge fucking disaster. If neither applies then people can be oblivious. WHich is possibly the attraction of people that don't know what they're doing... they can be oblivious.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Their denial by itself doesn't mean much, since as you say they would deny it if they were responsible or not. However in this case it's quite possible they had nothing to do with it. Cyber criminals living in China != government of PRC
What would the Chinese gov't possibly want with the data stolen from Office of Personnel Management? Use the employee names and social security numbers to make stolen credit card purchases? Commit identity theft and take the employees' tax refund checks?
The type of data stolen here doesn't mesh with the stuff Chinese gov't usually steals: high tech industry data to help their domestic industry, military secrets like plans to the F-22, etc. It seems unlikely they would use up a zero-day exploit to break into a employee database and steal social security numbers.