Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Lawmakers Demand Federal Encryption Requirements After OPM Hack

Posted by Soulskill on from the polls-have-shown-that-not-getting-hacked-is-good dept.

Patrick O'Neill writes: After suffering one of the biggest hacks in federal history at the Office of Personnel Management, the U.S. government is sprinting to require a wide range of cybersecurity improvements across agencies in order to better secure troves of sensitive government data against constant cyberattacks. The top priorities are basic but key: Encryption of sensitive data and two-factor authentication required for privileged users. Despite eight years of internal warnings, these measures were not implemented at OPM when hackers breached their systems beginning last year.

The calls for added security measures comes as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.

19 of 91 comments (clear)

  1. Back Doors Are Like Anal Sex by MightyMartian · · Score: 4, Insightful

    Back doors are line anal sex. Once you've lubed up, anyone can enter.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:Back Doors Are Like Anal Sex by MobSwatter · · Score: 4, Insightful

      While true, many governments are coming together to say outlaw encryption. In the case that has already been proven that we can't use it responsibly (ie: back doors) I agree, then there really isn't a really expensive black budget allocation care of the NSA. Of course credit card fraud would go up, but then again, has the government itself been responsible with credit? Being that they are printing money every six months to keep the doors open and still attacking the people for money I'd say no and with the example provided by government to the people, then the people shouldn't have credit either so no credit card fraud. In the case the government tries to use encryption but denies it to the people, then I'd say they should probably do away with the other parts of the constitution they haven't yet wiped their ass with yet, that being taxation. The constitution is in whole a contract of citizenship to a government, it has to be taken as a whole or not at all, they can't pick and choose which rights they want to stomp on and keep the parts they like.

    2. Re:Back Doors Are Like Anal Sex by MightyMartian · · Score: 2

      I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Back Doors Are Like Anal Sex by ihtoit · · Score: 2

      So much this:

      While true, many governments are coming together to say outlaw encryption.

      It's a familiar line. When guns are outlawed, only criminals will have guns and the State will have monopoly on violent coercion.

      Or:

      When encryption is outlawed, only criminals will have encryption and the State will have the monopoly on secrets. ...Which brings the whole secrecy vs transparency thing to the foreground as well, but that's as equally a vast debate as this one and the twain should never meet.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    4. Re:Back Doors Are Like Anal Sex by tsotha · · Score: 3, Interesting

      They could probably ban encryption for the little people the same way the ban child porn (which is ultimately, after all, just data). Make possessing encryption tools a crime subject to harsh penalties, as well as dissemination of techniques and practices. Actively infiltrate and destroy groups seeking to break the law. Monitor external web sites and arrest anyone who seems to be actively searching for ways to encrypt his data. They could never completely stamp it out, but they could certainly make encryption tools difficult and risky to get ahold of.

      Of course the infrastructure to support the prohibition would be huge and a foot in the door to banning all sorts of other things, but to FBI-types that's a feature, not a bug.

    5. Re:Back Doors Are Like Anal Sex by Kozar_The_Malignant · · Score: 5, Interesting

      I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?

      Ask Phil Zimmerman about that. The US didn't lock him up, but it wasn't for lack of trying.

      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
    6. Re:Back Doors Are Like Anal Sex by mlts · · Score: 2

      Easy fix: Have the ISP have a root cert one must put in their keystore, and the ISP uses a device like a BlueCoat appliance for real time MITM-scanning of all traffic.

      Add an in-transit ad injector, and it will be a money maker for the ISP as well.

  2. Oh please, not another law for them to ignore by Bruce66423 · · Score: 3, Interesting

    As the revelations about the failure of the IRS to fulfil the requirements of email archiving law showed, the executive branch doesn't do things just because it's told to. Let's hope this one's got teeth; a breach of a system that has not been secured according to the regulations will result in the loss of pension of all those in the chain of command above the person responsible? Sadly, hanging, drawing and quartering isn't allowed any more...

    1. Re:Oh please, not another law for them to ignore by Anonymous Coward · · Score: 4, Interesting

      The problem with security is that under normal circumstances it delivers zero value to an organization and basically just shores up against bad publicity. The best security in the world isn't enough and you can spend $ridiculous on it and still only be 99% secure. You're basically trying to outspend your competition in the hopes that they won't hire the guy that knows where the bad sprintf() is.

      To any corporation, or any department, this is just a pure money-sink with no returns on investment. It's cheaper to cover up the breaches.

    2. Re:Oh please, not another law for them to ignore by The+Grim+Reefer · · Score: 3, Informative

      Let's hope this one's got teeth; a breach of a system that has not been secured according to the regulations will result in the loss of pension of all those in the chain of command above the person responsible?Â

      That's a good one. Probably the worst that will happen is that someone higher up will be forced to retire earlier than planned, at full pension of course.

      It's not as good as the multi-million dollar golden parachute that a CEO gets for running a company into the ground, but they'll be comfortable.

    3. Re:Oh please, not another law for them to ignore by Saanvik · · Score: 3, Informative

      You're right in a way, but not the way you intended.

      The IRS requested funding to support the archiving requirement. Congress, instead, cut their budget. Even after the archiving issue became known, Congress refused to up the funding.

      If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.

      Breaches like this aren't a question of "what if" they are a question of "when" until Congress ends the chronic underfunding of government IT departments.

  3. funny... by ganjadude · · Score: 5, Insightful

    Since they have been telling us how encryption makes the government weaker (in the hands of americans) yet NOW they want to keep it all to themselves????

    yeah.... too bad

    --
    have you seen my sig? there are many others like it but none that are the same
  4. Will their encryption be designed with backdoors? by overshoot · · Score: 2

    I mean, if it's good for us plebes and all ...

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  5. An alternative... by Anonymous Coward · · Score: 2, Insightful

    You know, they could just collect and hoard less data...

    (Or as the Russians apparently have done, revert more sensitive systems back to paper and typewriters.)

  6. Re:Just use OpenBSD, for crying out loud! by ihtoit · · Score: 4, Insightful

    no, the first step is to airgap sensitive information. NEVER let it onto any sort of network. EVER. Then start worrying about what operating system you're using. *BSD has had security problems in the past and more will be discovered in the future. If you do not believe this to be the case, then you're living in a fantasy world.
    Even with the default settings on a vanilla install (which basically don't let you do ANYTHING productive) there are vulnerabilities ranging from minor annoyances on the window manager to showstoppers in the TCP stack. Let's not even go into the simple fact that the second you start services, or install and run software from the ports repository, you are introducing vulnerabilities to your setup, hence *BSD is NOWHERE NEAR as secure as you're apparently making out. It becomes every bit as vulnerable to hackers/worms/whatever as OSX, Linux, any other UNIX, or Microsoft Windows.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  7. Re:Just use OpenBSD, for crying out loud! by ihtoit · · Score: 3, Interesting

    oh, I do agree that there are circumstances (such as specific use cases as you mention) where rapid access to data would be required, but in that case, what about a compromise? Keep the airgap, just extract the data as needed and send it on a closed feed such as eDX (which has end to end encryption using a key the enquirer supplies). The enquirer doesn't even need to access the database. This can be done by an operator with local access. The legal profession uses something a bit less fanciful, DX in this case involves a courier (as in one single person who's basically surgically attached to the pouch to which he has no internal access) travelling nonstop from source to sink. A DX courier could make across the States from LA to NYC in a day.

    As for data entry: this has to be done anyway, and depending on the sensitivity, varying clearances have to be met anyway so keeping that in-house shouldn't be a problem if the data is that important.

    Sources: been there, done that, never had a breach. Disclosure: I (still) handle thousands of pages worth of legal documentation having previously represented in courts across England. I've come across solicitors firms who send documents via email(!) and even Facebook(!!). I've also dealt with some of the worst offenders one of whom sent me an entire case file on the WRONG CLIENT, by REGULAR MAIL.

    Still shaking my head over that one.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  8. The IRS can reorganize its internal spending by perpenso · · Score: 5, Insightful

    If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.

    Not true. The agency can cut spending elsewhere to implement the requirement. Which is what Congress wants the IRS to do, while the IRS want to use the excuse of no new funding to maintain things as they are. It all just theatre.

  9. The horse named Elvis has left the building! by Hartree · · Score: 2

    And the horse seems to be happily running free somewhere thousands of miles beyond the barn door.

    If this works like many IT security efforts, we'll spend millions replacing the barn door with a bank vault door. And then leave the window next to it open

  10. Republicans: Hypocrit Much? by Required+Snark · · Score: 3, Insightful
    So now the Republican Congress is screaming about government cyber security, and demanding that the ebil imcompotent burocrats DO SOMETHING RIGHT NOW!!!

    The trouble is, those same Republicans have derailed national cyber security regulations since Obama has been in office. It's all been channeled through the US Chamber of Commerce.

    Comprehensive cybersecurity regulatory reform failed for the second time this year in the U.S. Senate, increasing the prospects that the White House will implement some of the bill’s provisions through an executive order.

    The Cybersecurity Act of 2012 failed to get the 60 votes needed under Senate rules to bring the bill up for passage Nov. 14, 2012, most likely dashing any chance that cybersecurity policy would be addressed in the lame-duck session.

    “Whatever we do for this bill is not enough for the Chamber of Commerce,” Senate Majority Leader Harry Reid, D-Nev., said on the floor immediately after the failed cloture vote. “Cybersecurity is dead for this Congress,” he added. Republicans blocked the same measure in August 2012, saying it would lead to more government regulation of business.

    So that was pretty much the end of it. The Obama administration declared some executive orders, but that clearly did not have much impact. Up until this latest incident the Party of Ignorance (R) got what they wanted: keep you hands off my bidness.

    So no one should be very surprised that this happened. There is no bright line between big government and big business when it comes to matters like cybersecurity. Particularly with the amount of outsourcing going on. Don't forget that the OPM breach was not simply in a government network, but at security contractor USIS.

    A background investigation firm with OPM, DHS, and other federal agency contracts notified the government that it identified an unlawful breach of its network. In a statement posted on the website today, USIS noted that it was working with the government to determine the ‘nature and extent’ of the attack. They acknowledged that it appeared to be a state-sponsored attack.

    The firm is already under fire for allegations of contractor misconduct. The Justice Department sued the company earlier this year for poor oversight of security clearance investigations, and a White House panel investigated bonuses received by USIS executives.

    The DHS/OPM/whatever are doing everything they can to cover up what really happened, so the trail to the contractors has been rather effectively hidden. They primarily want to keep evidence of their vast incompetency out of the public eye. That is taking precedence over remedial action to address the breach. This is why they are leaving the roughly 4 million government employees at risk just hanging in the breeze. If they were to do the responsible thing and help the victims it would reveal how extensively they failed.

    Remember, horribly incompetent government security contractors are the new normal: Blackwater in Iraq, the TSA meatheads who infest airports, and now this. No one should be surprised. And they should be even less surprised when no one is held accountable and nothing changes.

    --
    Why is Snark Required?