US Lawmakers Demand Federal Encryption Requirements After OPM Hack
Patrick O'Neill writes: After suffering one of the biggest hacks in federal history at the Office of Personnel Management, the U.S. government is sprinting to require a wide range of cybersecurity improvements across agencies in order to better secure troves of sensitive government data against constant cyberattacks. The top priorities are basic but key: Encryption of sensitive data and two-factor authentication required for privileged users. Despite eight years of internal warnings, these measures were not implemented at OPM when hackers breached their systems beginning last year.
The calls for added security measures come as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.
Back doors are like anal sex. Once you've lubed up, anyone can enter.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Since they have been telling us how encryption makes the government weaker (in the hands of Americans) yet NOW they want to keep it all to themselves????
yeah.... too bad
have you seen my sig? there are many others like it but none that are the same
You know, they could just collect and hoard less data...
(Or as the Russians apparently have done, revert more sensitive systems back to paper and typewriters.)
No, the first step is to airgap sensitive information. NEVER let it onto any sort of network. EVER. Then start worrying about what operating system you're using. *BSD has had security problems in the past and more will be discovered in the future. If you do not believe this to be the case, then you're living in a fantasy world.
Even with the default settings on a vanilla install (which basically don't let you do ANYTHING productive) there are vulnerabilities ranging from minor annoyances on the window manager to showstoppers in the TCP stack. Let's not even go into the simple fact that the second you start services, or install and run software from the ports repository, you are introducing vulnerabilities to your setup, hence *BSD is NOWHERE NEAR as secure as you're apparently making out. It becomes every bit as vulnerable to hackers/worms/whatever as OSX, Linux, any other UNIX, or Microsoft Windows.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.
Not true. The agency can cut spending elsewhere to implement the requirement. Which is what Congress wants the IRS to do, while the IRS wants to use the excuse of no new funding to maintain things as they are. It's all just theatre.
The trouble is, those same Republicans have derailed national cyber security regulations since Obama has been in office. It's all been channeled through the US Chamber of Commerce.
So that was pretty much the end of it. The Obama administration declared some executive orders, but that clearly did not have much impact. Up until this latest incident the Party of Ignorance (R) got what they wanted: keep your hands off my bidness.
So no one should be very surprised that this happened. There is no bright line between big government and big business when it comes to matters like cybersecurity. Particularly with the amount of outsourcing going on. Don't forget that the OPM breach was not simply in a government network, but at security contractor USIS.
The DHS/OPM/whatever are doing everything they can to cover up what really happened, so the trail to the contractors has been rather effectively hidden. They primarily want to keep evidence of their vast incompetency out of the public eye. That is taking precedence over remedial action to address the breach. This is why they are leaving the roughly 4 million government employees at risk just hanging in the breeze. If they were to do the responsible thing and help the victims it would reveal how extensively they failed.
Remember, horribly incompetent government security contractors are the new normal: Blackwater in Iraq, the TSA meatheads who infest airports, and now this. No one should be surprised. And they should be even less surprised when no one is held accountable and nothing changes.
Why is Snark Required?