China Denies Responsibility For US Government Data Breach

schwit1 writes: On Friday, Beijing responded to allegations from Washington that China was responsible for a cyberattack on the U.S. Office of Personnel Management that compromised the personal data of some 4 million government employees. The accusations, China's foreign ministry said, are "irresponsible" and "groundless." The OPM breach is the latest in a string of cyber 'incidents' that have coincidentally occurred in the wake of the Pentagon's new cyber strategy.

ZeroHedge argues, "Whether or not the most recent virtual attack on the U.S. did indeed emanate from China or one of Washington's other so-called "cyberadversaries" (the list includes Iran, Russia, and North Korea) will likely never be known the public, but rest assured the blame will be placed with a state actor so as to ensure the DoD has some precedent to refer to when, for whatever reason, the Pentagon decides it's time to deploy an "offensive" cyberattack later on down the road."

Irrespective of where the attack originated, it appears obsolete technology was ultimately to blame, because as Bloomberg reports, "Einstein" wasn't much help in preventing the intrusion: "It's behind schedule, the result of inter-agency fights over privacy, control and other matters, and only about half of the government was protected when the hackers raided OPM's databases last December. It's also, by the government's own admission, already obsolete. Over the last several months, U.S. officials have said that perimeter-based defenses such as Einstein, even backed by the National Security Agency's own corps of hackers, can never prevent break-ins."

It doesn't matter matter who did it

[Karmashock]

What matters is that the ongoing incompetence of the federal government permitted it to happen.

I'll say again, instead of getting the NSA to anally probe your own people utterly violating the 4th amendment... why don't you task your teams of tamed hackers to strengthen security throughout the government's computer systems?

They know how to breach systems so they know how to secure them. All they have to do is make the system so tough that even they couldn't get into them. And task a few of them to literally try to emperically test whether the security has literally arrived advanced to that point.

This is not an unreasonable standard.

If the NSA can breach your systems than so can the chinese probably. So if you want to keep the chinese out... make it tough enough that the NSA can't get in.

Any excuses should be met with summary executions. Just pistol to the temple and a query for any further questions?

Seriously though... the bad security is not acceptable. And without some drastic changes in culture, the systems will remain open books to any nation or even many criminal organizations that want in for any reason.

That's pathetic.

And a big part of the issue is that we're not putting technical people in charge of security.

Look, you wouldn't a guy without experience running warships in charge of the Navy would you? Would you put someone with no experience flying airplanes in charge of the air force? Then why are we putting non-computer experts in charge of computer systems?

They don't know what the fuck they're doing. Its like putting an accountant in charge of the Marines or putting the Marines in charge of a law firm. It doesn't make any sense. Stop doing that.

If you're having a hard time finding someone with command chops in the technical fields, then do what you do in every other branch of the government when you encounter that exact problem. Have a training program where in your people can get promoted into management. Why is this rocket science? The government understand this everywhere else in largely flawlessly. You need someone to run some aspect of the justice department? You promote someone with skills from within the department that understands LAW and law enforcement.

The ongoing idiocy of my entire culture... forget the government because the corporations are little better in most cases... it is shocking. They almost never put people that understand the tech in charge of the actual f'ing machines.

They understand they need to hire a lawyer to run the legal department. They understand they have to hire an accountant to run the Accounting department. They understand they have to hire a marketing guy to run the marketing department. But when it comes to IT? Well you can use anyone apparently. Put an accountant in charge... or a lawyer... or a marketing guy... or whatever. A fucking bag of dead kittens would appear to be sufficient.

The governments and big corps will say "but it will be really expensive to fix our problems"... it is only expensive because you've deferred maintenance for a million years. That like saying you can't fix the roof that has rotted out because that will be expensive. You fix that roof. You maintain that roof. You do not fuck with the roofing guys when they're telling you what has to happen. Because you know and understand that failing to do it means you get rained on.

The computer systems are the same thing. Only you only notice there is a problem if you know enough to notice or if there is a huge fucking disaster. If neither applies then people can be oblivious. WHich is possibly the attraction of people that don't know what they're doing... they can be oblivious.

Re:It doesn't matter matter who did it

[Fire_Wraith]

Furthermore, this is nothing new. In fact, it's been a known issue for a long time. The NSA is not only responsible for signals intelligence, but also has the responsibility of securing U.S. Government communications, i.e. Information Assurance. In the past, this meant coming up with strong codes and encryption systems of our own, while the other part of NSA worked on breaking enemy systems (like the WW2 Japanese Naval and Diplomatic codes for instance). The problem with that today is that there's no longer a difference. Everyone is using the same hardware and software platforms. The same systems that the US Government uses are also the ones used by cybercriminals in Krasnovia, terrorists hiding in caves in Dirka-Dirkastan, and other governments around the world, not to mention our own citizens. In theory that means the NSA would have to balance between using flaws it finds to exploit its targets, and making sure the flaws get patched so we're not vulnerable. If the results we see are the only measure, then they're perhaps tilting badly towards the intelligence/exploit side. I would note though that this isn't the only factor. Overall I'd say that the executives in charge, whether we're talking about the corporate world C*O types or Government SES types, put far too much value on accessibility, availability, and ease of use, and don't take the risks seriously enough. It's either that or they're bullshitting us about how damaging it was when the breach does occur, because if it was truly unthinkably bad then they should've taken it more seriously in the first place.

Re:It doesn't matter matter who did it

[Karmashock]

They put an emphasis on accessibility because they're personally clueless.

I saw something about the Navy considering a BYOD policy with the Navy's computer systems.

I mean... what the fuck? These idiots should just get a custom US government smartphone and anyone that asks for an iphone should get a black bag thrown over their head and sent via CIA cargo plane to a black site.... where upon pictures of their electrified genitals are leaked onto the internet...

Not really... Just... there's stupid and there's so stupid that it should be classified as treason to promote that person above latrine digger.

this is the government and the military... and if the idiots running these systems can't be bothered to take security seriously than we need another group of idiots.

Re:It doesn't matter matter who did it

[penix1]

First off let me start this by saying I work in Homeland Security for my state and used to work for the feds doing the same thing. I received my notice about the breach at a staff meeting. The word is it wasn't a hack into the computer but it was malware installed on a computer at OPM. It was installed in December and wasn't noticed until April.

Now the question I have is was the individual that brought it in disciplined?

Re:It doesn't matter matter who did it

[schnell]

I saw something about the Navy considering a BYOD policy with the Navy's computer systems.

I mean... what the fuck? These idiots should just get a custom US government smartphone and anyone that asks for an iphone should get a black bag thrown over their head

Have to be a little careful how I respond to this... let's just say that the last thing you want is the Federal government (or at least the DoD and the Intel community) picking out your cellular technology for you. The world of cell phones has evolved in less than a decade from dumb phones that couldn't even text to portable supercomputers; GPS-enabled dog collars and pill bottles; and increased worldwide coverage at (inflation adjusted) equal or lower prices to what you got 10 years ago. In the US Federal government, 10 years has brought you the F-35 Joint Strike Fighter at billions over budget and years behind schedule. Let's please never think that the US government is compatible with cutting edge technology in anything that does not evade radar, blow things up, or do so simultaneously.

In the US government world, in a SCIF (Sensitive Compartmented Information Facility, anywhere where SECRET/TOP SECRET/SCI information is shared), you can't even bring a cell phone into the facility. Think about this: everyone at the NSA, DISA, CIA Langley etc. misses your phone call unless they are sitting at their desk. Forget that "Homeland" or "24" bulls**t about people using their Droid Razrs in CIA headquarters or wherever the hell Jack Bauer is supposed to be (Federal Secret Counter-Non Existent Surveillance Footage - Large Screen TV and Fake Hologram Agency?). This is how forward thinking the government is about mobility.

Additionally, in 2008 the government (NSA and DISA) got together to decide to do exactly what you suggested. The result? The Secure Mobile Environment - Portable Electronic Device (SME-PED) initiative, which began with a forward looking technology initiative, and by the time it had run the gantlet of DoD/Intel requirements and Federal acquisition policies, had turned into a gigantic brick of a device - running Windows CE - that cost multiple thousands of dollars. This was launched shortly after the iPhone hit the market.

I can't share the detailed results for a variety of reasons, but I can say that adoption was very poor. Real-world users decided to either stick with earlier, cheaper secure dumb phones; or just risk things and make phone calls about secret information on the mobile phones that they actually carried every day and wanted to use. At any rate, the lesson learned was that 1.) people love cell phones because they are cheap and people have lots of choices; and 2.) when the US government gets involved to pick a "secure" cell phone that all its employees should use, nobody actually uses it.

Re:It doesn't matter matter who did it

[Rich0]

If the NSA can breach your systems than so can the chinese probably. So if you want to keep the chinese out... make it tough enough that the NSA can't get in.

Good luck with that. When there is no cost for mounting an attack, an attacker will almost always have an advantage over a defender.

This is like arguing that if random hoodlums keep breaking into your house you should simply upgrade the security of your house until they're unable to break in. If criminals can attempt to breach your house without any risk of punishment, then you've lost. There isn't a wall built by man which can't be breached by man. Sure, you can invest enough that it isn't worth their trouble but we'd all be broke if we actually did it that way. Instead we hire police, and instead of letting people hammer away at our doors all night long with construction equipment, we call the cops and they haul the criminals off to jail.

The problem with the internet is that we treat it differently from everything else. If you're in a nation that turns a blind eye to hacking (or sponsors it), then you can hack away at targets all day long without any real risk of punishment.

Re:The only way to stop this

[smittyoneeach]

You'd have to be prepared for the fertilizer to hit the air circulator before a stunt like that.
I'm not surmising that #OccupyResoluteDesk has either the sack to order such an attack, or the sack content to deal with the fallout.
If a crisis involves doing more than showing up and delivering a speech in his Barry-tone(TM) voice, BHO just hasn't proven himself up to the task.

Re:rotfl

[phantomfive]

While you can't just blindly throw money at a problem, it is part of the issue.

You are right, but increasing the budget by $32million in 2016 was not relevant to this break in.
Politicians are merely looking for excuses to blame each other, they aren't presenting actual solutions.

Re:Surprise, Surprise!

[penix1]

I tend to agree with your evaluation but want to add...

Why on Earth doesn't the government simply drop all packets coming form or going to their infamous lists? What is the reason to allow an IP originating from China to access OPM? Don't get me wrong. From what I read earlier this thing was malware installed in December and not found until April. Still, any packets coming or going to a Chinese IP address should be dropped at the router. Black hole them in other words.

Stop using Facebook

[koan]

http://www.zerohedge.com/news/...
     

Defense Secretary Ashton Carter spoke to technology leaders in Palo Alto, California, in April, tossing around ideas for recruiting engineers for temporary missions in government and meeting with Facebook's Mark Zuckerberg.

Why is the defense sec talking to Zuckerberg? How long until you have to have a FB account to log onto the "Internet".