Slashdot Mirror


US Lawmakers Demand Federal Encryption Requirements After OPM Hack

Patrick O'Neill writes: After suffering one of the biggest hacks in federal history at the Office of Personnel Management, the U.S. government is sprinting to require a wide range of cybersecurity improvements across agencies in order to better secure troves of sensitive government data against constant cyberattacks. The top priorities are basic but key: Encryption of sensitive data and two-factor authentication required for privileged users. Despite eight years of internal warnings, these measures were not implemented at OPM when hackers breached their systems beginning last year.

The calls for added security measures come as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors in encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.

5 of 91 comments

  1. Oh please, not another law for them to ignore by Bruce66423 · Score: 3, Interesting

    As the revelations about the failure of the IRS to fulfil the requirements of email archiving law showed, the executive branch doesn't do things just because it's told to. Let's hope this one's got teeth; a breach of a system that has not been secured according to the regulations will result in the loss of pension of all those in the chain of command above the person responsible? Sadly, hanging, drawing and quartering isn't allowed any more...

    1. Re:Oh please, not another law for them to ignore by Anonymous Coward · Score: 4, Interesting

      The problem with security is that under normal circumstances it delivers zero value to an organization and basically just shores up against bad publicity. The best security in the world isn't enough and you can spend $ridiculous on it and still only be 99% secure. You're basically trying to outspend your competition in the hopes that they won't hire the guy that knows where the bad sprintf() is.

      To any corporation, or any department, this is just a pure money-sink with no returns on investment. It's cheaper to cover up the breaches.

  2. Re:Back Doors Are Like Anal Sex by tsotha · Score: 3, Interesting

    They could probably ban encryption for the little people the same way they ban child porn (which is ultimately, after all, just data). Make possessing encryption tools a crime subject to harsh penalties, as well as dissemination of techniques and practices. Actively infiltrate and destroy groups seeking to break the law. Monitor external web sites and arrest anyone who seems to be actively searching for ways to encrypt his data. They could never completely stamp it out, but they could certainly make encryption tools difficult and risky to get ahold of.

    Of course the infrastructure to support the prohibition would be huge and a foot in the door to banning all sorts of other things, but to FBI-types that's a feature, not a bug.

  3. Re:Just use OpenBSD, for crying out loud! by ihtoit · Score: 3, Interesting

    Oh, I do agree that there are circumstances (such as the specific use cases you mention) where rapid access to data would be required, but in that case, what about a compromise? Keep the airgap, just extract the data as needed and send it on a closed feed such as eDX (which has end-to-end encryption using a key the enquirer supplies). The enquirer doesn't even need to access the database. This can be done by an operator with local access. The legal profession uses something a bit less fanciful; DX in this case involves a courier (as in one single person who's basically surgically attached to the pouch, to which he has no internal access) travelling nonstop from source to sink. A DX courier could make it across the States from LA to NYC in a day.

    As for data entry: this has to be done anyway, and depending on the sensitivity, varying clearances have to be met anyway so keeping that in-house shouldn't be a problem if the data is that important.

    Sources: been there, done that, never had a breach. Disclosure: I (still) handle thousands of pages' worth of legal documentation, having previously represented in courts across England. I've come across solicitors' firms who send documents via email(!) and even Facebook(!!). I've also dealt with some of the worst offenders, one of whom sent me an entire case file on the WRONG CLIENT, by REGULAR MAIL.

    Still shaking my head over that one.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel

  4. Re:Back Doors Are Like Anal Sex by Kozar_The_Malignant · Score: 5, Interesting

    I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?

    Ask Phil Zimmermann about that. The US didn't lock him up, but it wasn't for lack of trying.

    --
    Some mornings it's hardly worth chewing through the restraints to get out of bed.