The Office of Personnel Management was
recently hacked by what are believed to be Chinese hackers. The scope of the
breach was breathtaking in the amount and value of data that was obtained by
the hackers. In addition to gaining access to OPM systems, the hackers compromised a database
that holds the sensitive security clearance information on millions of federal
employees and contractors, going back decades. It is understood that this information
could be used in numerous ways, including stealing identities and even targeting
the cleared workforce for espionage (Nakashima, 2015).
According to National
Security Presidential Directive 54, cyber security is defined as “Prevention of damage to, protection of, and
restoration of computers, electronic communications systems, electronic
communications services, wire communication, and electronic communication,
including information contained therein, to ensure its availability, integrity,
authentication, confidentiality, and nonrepudiation” (Trulio, 2008). Obviously, the federal government is
coming up short of these lofty goals and there are numerous cyber security issues
that are still being addressed by the federal government.
The ongoing method to standardize
cyber security across the federal government and Department of Defense (DoD) has
been via National Institute of Standards and Technology (NIST) Special
Publication guidelines. The guidelines are mostly contained within the 800
series and are available at the NIST website (NIST, 2015). While other guidelines
are in use across the federal government, the NIST guidelines are increasingly serving
as the primary source and will be the focus of most of the effort in addressing
cyber security moving forward.
The above hack exposed significant
weaknesses in several areas of cyber security at OPM. Despite the database
being hacked the previous year (Nakashima, 2015), the systems were still
not secured against the most recent hack, even though it was known to be a high value target. Attack
vectors that could allow access were not closed. It took quite a while for this
breach to be reported, so detection mechanisms were certainly not optimal. One
would wonder why on earth these were not addressed. However, having worked in
the industry for some time, it is highly probable that steps were taken to
address the issue, but the sheer size of large departments such as OPM makes it
very difficult to close all attack vectors a hacker may utilize. High value
systems are slow to be updated for fear of causing disruptions. Additionally, there
are over 170 guidelines listed in the NIST special publications, which do not
include other governing policies (there are many) or vendor guidelines, so
implementation can be daunting. The bottom line is that the federal government
will take a lot longer than most of us think (or hope) to improve cyber
security. We can therefore expect to see many more breaches across the federal
government over the next few years. So, if you work in the federal government,
it may be a good idea to purchase identity protection in advance since your
data will most likely be stolen and there is no guarantee that the government
will let the public know in a timely manner.
Works Cited
Nakashima, E. (2015, June 12). The Washington Post.
Retrieved June 13, 2015, from WashingtonPost.com:
http://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html
NIST. (2015, June 13). National Institute of
Standards and Technology. Retrieved June 13, 2015, from NIST.org:
http://csrc.nist.gov/publications/PubsSPs.html
Trulio, D. (2008, January 9). National Security
Presidential Directive 54. Washington DC: The White House.