China Denies Responsibility For US Government Data Breach
schwit1 writes: On Friday, Beijing responded to allegations from Washington that China was responsible for a cyberattack on the U.S. Office of Personnel Management that compromised the personal data of some 4 million government employees. The accusations, China's foreign ministry said, are "irresponsible" and "groundless." The OPM breach is the latest in a string of cyber 'incidents' that have coincidentally occurred in the wake of the Pentagon's new cyber strategy.
ZeroHedge argues, "Whether or not the most recent virtual attack on the U.S. did indeed emanate from China or one of Washington's other so-called "cyberadversaries" (the list includes Iran, Russia, and North Korea) will likely never be known to the public, but rest assured the blame will be placed with a state actor so as to ensure the DoD has some precedent to refer to when, for whatever reason, the Pentagon decides it's time to deploy an "offensive" cyberattack later on down the road."
Irrespective of where the attack originated, it appears obsolete technology was ultimately to blame, because as Bloomberg reports, "Einstein" wasn't much help in preventing the intrusion: "It's behind schedule, the result of inter-agency fights over privacy, control and other matters, and only about half of the government was protected when the hackers raided OPM's databases last December. It's also, by the government's own admission, already obsolete. Over the last several months, U.S. officials have said that perimeter-based defenses such as Einstein, even backed by the National Security Agency's own corps of hackers, can never prevent break-ins."
I tend to agree with your evaluation but want to add...
Why on Earth doesn't the government simply drop all packets coming from or going to their infamous lists? What is the reason to allow an IP originating from China to access OPM? Don't get me wrong. From what I read earlier this thing was malware installed in December and not found until April. Still, any packets coming or going to a Chinese IP address should be dropped at the router. Black hole them in other words.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
I saw something about the Navy considering a BYOD policy with the Navy's computer systems.
I mean... what the fuck? These idiots should just get a custom US government smartphone and anyone that asks for an iPhone should get a black bag thrown over their head.
Have to be a little careful how I respond to this... let's just say that the last thing you want is the Federal government (or at least the DoD and the Intel community) picking out your cellular technology for you. The world of cell phones has evolved in less than a decade from dumb phones that couldn't even text to portable supercomputers; GPS-enabled dog collars and pill bottles; and increased worldwide coverage at (inflation adjusted) equal or lower prices to what you got 10 years ago. In the US Federal government, 10 years has brought you the F-35 Joint Strike Fighter at billions over budget and years behind schedule. Let's please never think that the US government is compatible with cutting edge technology in anything that does not evade radar, blow things up, or do so simultaneously.
In the US government world, in a SCIF (Sensitive Compartmented Information Facility, anywhere where SECRET/TOP SECRET/SCI information is shared), you can't even bring a cell phone into the facility. Think about this: everyone at the NSA, DISA, CIA Langley etc. misses your phone call unless they are sitting at their desk. Forget that "Homeland" or "24" bulls**t about people using their Droid Razrs in CIA headquarters or wherever the hell Jack Bauer is supposed to be (Federal Secret Counter-Non Existent Surveillance Footage - Large Screen TV and Fake Hologram Agency?). This is how forward thinking the government is about mobility.
Additionally, in 2008 the government (NSA and DISA) got together to decide to do exactly what you suggested. The result? The Secure Mobile Environment - Portable Electronic Device (SME-PED) initiative, which began with a forward looking technology initiative, and by the time it had run the gantlet of DoD/Intel requirements and Federal acquisition policies, had turned into a gigantic brick of a device - running Windows CE - that cost multiple thousands of dollars. This was launched shortly after the iPhone hit the market.
I can't share the detailed results for a variety of reasons, but I can say that adoption was very poor. Real-world users decided to either stick with earlier, cheaper secure dumb phones; or just risk things and make phone calls about secret information on the mobile phones that they actually carried every day and wanted to use. At any rate, the lesson learned was that 1.) people love cell phones because they are cheap and people have lots of choices; and 2.) when the US government gets involved to pick a "secure" cell phone that all its employees should use, nobody actually uses it.
"95% of all Slashdot