Outsourcing is all the rage these days, and US businesses, chasing cheaper labour in a perpetual pursuit of efficiency, savings and greater profits, are at the head of the field. US government agencies have followed suit, trying to make do with the limited budgets they have, and the Office of Personnel Management (OPM) is no exception.
The OPM is a somewhat obscure US federal agency which, among other things, conducts 90+% of the background checks for personnel applying for sensitive jobs in the military and security agencies. Just as with large corporations, the cost and staffing demands of maintaining its IT infrastructure led it to seek savings by hiring outside talent for the job. What OPM did wasn't any different from what many US corporations do.
♦ Outsourcing
As it goes, in outsourcing functions one can easily end up outsourcing the related know-how and the judgement acquired by experience (all the stuff you can't put into an SLA). Which savings just were not worth it usually becomes apparent only in hindsight. Given that some things are irreversible, lack of foresight results in a self-inflicted wound.
Obviously, with outsourcing, knowledge retention becomes a real problem. Staff tend to run away when they see the writing on the wall: the best leave quickly in pursuit of more rewarding employment, and to escape the terminal boredom of administering to Whatnot in Mumbai or, worse, having to train their replacement before being given the boot. That is to say, those who remain are usually not the crème de la crème.
♦ Security Breach
I'm guessing, but perhaps that was why the OPM hired the wrong people. That they did so is clear. I wonder whether the OPM will heed the sage advice Dr. Watson dispensed to the hapless pawn shop owner in the Jeremy Brett adaptation of The Red-Headed League: "Next time you engage an assistant, pay him the proper wage!" ... but I digress.
As it went, OPM came to hire apparently Chinese hackers - and gave them root access. This would have been bad for a company, but became something else entirely when it came to government data. Here, the hackers were able to steal the sensitive personnel records of federal employees working in military and security agencies. Business Insider reports (links below):
"Specifically, the hackers reportedly acquired SF86 forms, which detail sensitive background information."
"[The] OPM is responsible for administering the SF 86, which is one of the most extensive national security questionnaires that exists."
"Federal employees and contractors who want government-security clearance have to disclose virtually every aspect of their lives via an SF 86 questionnaire, which is then stored on OPM's largely unencrypted database. ..."
"In fact, the breach was unprecedented in its breadth and scope: "Security-wise, this may be the worst breach of personally identifying information ever," Michael Borohovski, CEO of Tinfoil Security, told Business Insider on Friday."
The time the hackers had to sift through all that data likewise was unprecedented:
"The average time Chinese hackers have access to a compromised system is 356 days and the longest recorded was 4 years and 10 months"
♦ Dimension of the breach
This has the potential to severely compromise US personnel and more, and here I hand over to TTG, who is better able to explain what it means:
"When I heard of this data breach, my first thought was that here was another reason to watch my credit card and bank accounts very closely. What more could I lose after the news of the Anthem Blue Cross data breach discovered back in February? Then when the loss of the security files of up to 14 million Federal employees, retirees and contractors was announced, I knew this was a lot worse than the temporary loss of a credit card or two.
I have seen opinions that the information lost in this data breach poses a danger to U.S. personnel operating overseas in sensitive and covered positions. Fortunately, most people operating in those kinds of positions do not have records stored at OPM. I didn’t have contact with OPM until I retired from DIA. However, a lot of people who work with those in sensitive positions do go through the OPM for their security clearances. That includes a slew of support personnel and contractors. Those working under cover could be discovered through their associations with those support personnel and contractors.
The loss of the information contained in the SF86s and background investigations of these people is a treasure trove to China or whoever has this information. Filling out an SF86 is a laborious and time consuming task for anyone. It can take weeks to gather the detailed information requested in the form. The information in the OPM’s database of SF86s represents decades of man-years of detective work.
With that information and a halfway decent data mining tool, one can easily construct an accurate and detailed model of the vast national security structure of the USG. This model would include all the myriad government and contractor offices, the leadership structure along with detailed contact information, what they think of each other, and everyone's dirty laundry. This model would also show how this national security structure evolved over time, at least since 9/11. With additional inputs, this model may even be predictive. This is indeed a serious data breach."
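TTG's point about exposure through associations can be shown concretely. What follows is an added illustration, not part of the original post and not anyone's real tooling: a small Python script over constructed, entirely fictional records (the names, relationships and employers are made up, and the field layout is an assumption, not the real SF86 schema). It shows how a person who never filled out a questionnaire is still placed by the forms of the cleared people who name them, and how cross-linking with freely available profile data of the kind a job-networking site exposes turns that into a lead: a "consultant" whom three employees of the same contractor all list as their supervisor is worth a second look.

```python
from collections import Counter, defaultdict

# Constructed sample, not real data. Each tuple is
# (filer, relationship, person named on the filer's questionnaire).
# Filers are people who submitted a questionnaire; the people they name
# may or may not have filed one themselves.
SF86_REFERENCES = [
    ("alice", "supervisor", "victor"),
    ("bob",   "supervisor", "victor"),
    ("carol", "coworker",   "victor"),
    ("alice", "coworker",   "bob"),
    ("bob",   "coworker",   "carol"),
    ("dave",  "neighbour",  "erin"),
    ("dave",  "supervisor", "frank"),
    ("erin",  "coworker",   "frank"),
]

# Constructed public-profile data, the kind of thing a job-networking site
# exposes for free. The employers are invented for the example.
PUBLIC_PROFILES = {
    "alice":  {"employer": "Acme Federal Services"},
    "bob":    {"employer": "Acme Federal Services"},
    "carol":  {"employer": "Acme Federal Services"},
    "victor": {"employer": "self-employed consultant"},
    "dave":   {"employer": "Northwind Logistics"},
    "frank":  {"employer": "Northwind Logistics"},
}

# Relationships that say something about where the named person works.
WORK_RELATIONS = {"supervisor", "coworker"}


def filers(refs):
    """Everyone who submitted a questionnaire."""
    return {filer for filer, _, _ in refs}


def named_only(refs):
    """People who never filed a questionnaire but appear on someone else's.

    Returns {person: set of filers who named them}. These are the people the
    breach exposes indirectly: they have no record of their own, yet the
    records of others place them.
    """
    filed = filers(refs)
    out = defaultdict(set)
    for filer, _, named in refs:
        if named not in filed:
            out[named].add(filer)
    return dict(out)


def rank_named_only(refs):
    """Non-filers ordered by how many distinct filers name them, most first."""
    counts = ((person, len(who)) for person, who in named_only(refs).items())
    return sorted(counts, key=lambda item: (-item[1], item[0]))


def inferred_employer(person, refs, profiles):
    """Guess where `person` works from the public employer of the filers who
    list them as a supervisor or coworker. Returns None when nothing is known."""
    votes = Counter()
    for filer, relation, named in refs:
        if named == person and relation in WORK_RELATIONS and filer in profiles:
            votes[profiles[filer]["employer"]] += 1
    if not votes:
        return None
    return votes.most_common(1)[0][0]


def inconsistent_cover(refs, profiles):
    """Non-filers whose public employer disagrees with the employer implied by
    the cleared people who name them. A mismatch like this is exactly the kind
    of lead an adversary would pull on."""
    flagged = []
    for person, _ in rank_named_only(refs):
        implied = inferred_employer(person, refs, profiles)
        public = profiles.get(person, {}).get("employer")
        if implied and public and implied != public:
            flagged.append(person)
    return flagged


if __name__ == "__main__":
    for person, n in rank_named_only(SF86_REFERENCES):
        print(f"{person}: named by {n} filer(s), implied employer "
              f"{inferred_employer(person, SF86_REFERENCES, PUBLIC_PROFILES)!r}")
    print("public cover inconsistent with associations:",
          inconsistent_cover(SF86_REFERENCES, PUBLIC_PROFILES))
```

Nothing here needs the victim's own record. The signal comes entirely from other people's forms plus public data, which is why "most people in covered positions don't have records at OPM" is only partial comfort.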
Links:
- http://uk.businessinsider.com/the-us-agency-plundered-by-chinese-hackers-made-one-of-the-dumbest-security-moves-possible-2015-6?r=US
- http://uk.businessinsider.com/level-of-damage-omp-hack-2015-6?r=US
- http://uk.businessinsider.com/opm-hack-was-classic-espionage-on-a-scale-weve-never-seen-before-2015-6?r=US
- http://abcnews.go.com/US/feds-feared-tens-millions-impacted-opm-hack-internal/story?id=31950577
- http://www.govexec.com/pay-benefits/2015/06/size-opm-hack-quadruples-18-million/116011/
- http://www.ibtimes.com/deep-panda-group-wasnt-behind-massive-opm-hack-other-chinese-hackers-were-fireeye-1975658
TTG & CP:
This breached data, together with the data that is either freely available - such as on Facebook or LinkedIn or other WWW social sites - and data that is available at certain nominal costs (for a state or country), enables all these people and their extended families and relations to be identified, mapped, and tracked.
Using such relationships, one may then find personal, financial, medical vulnerabilities that could then be exploited.
Facebook should have been banned long time ago - in my opinion.
Posted by: Babak Makkinejad | 23 June 2015 at 02:07 PM
> For example, would the SF86 information be useful in selecting US humint targets?
It'd be a pretty good starting point. (Though, as has been pointed out, there are other security systems that don't depend on OPM.)
Posted by: Allen Thomson | 23 June 2015 at 02:16 PM
WRC,
"... cultivation of those junior in rank but potentially leaders of their organization in some way [or others?] might well be of current and future interest."
The Chinese (and/or others) now have all the ammunition they need to recruit or coerce any of these future leaders or their families. Congratulations to the Obama administration. At least we'll get that pesky flag removed and did you hear the latest about Caitlyn??
Posted by: Fred | 23 June 2015 at 02:35 PM
[QUOTE]With that information and a halfway decent data mining tool, one can easily construct an accurate and detailed model of the vast national security structure of the USG.[EOQ]
[Bitter Sarcasm Alert]
I recall a story some years back that the national security structure had become so vast that no one in the USG had any idea how big it was, who it employed, and what security clearances they had. Maybe the hackers can sell this model back to the USG so they can get a handle on it.
[End of Sarcasm]
This is beyond words. Thanks to CP and TTG for the post.
Posted by: Patrick D | 23 June 2015 at 04:04 PM
Some savvy managers in organizations where highly expert skills are central to the mission solve the problem by cultivating a "specialist relationship" with a person of excellent qualifications and personal integrity. He may be at one of the 17 national research facilities, at a preferred contractor like DIA, an academic, or other. That person has established a track record of competence and credibility - therefore is trustworthy. In some respects, he may also serve as a de facto consultant on consultants. I have known a couple of instances in the nuclear export area where such an arrangement has worked out very well.
Of course, it requires a manager who has the ability to identify such a person, to know how to use him, and to value dispassionate judgment. Unfortunately, that is not Sibelius or the guys who have been running the NSA empire.
An ideal candidate to serve in this capacity on matters of electronic warfare defense is Edward Snowden. He pointed out to his superiors many of the weaknesses in their systems; they ignored him - preferring to rely on the many phoneys among the 831,000 with the highest grade security clearances to do whatever to keep the budget robust, which after all is the NSA leadership's top priority.
Posted by: mbrenner | 23 June 2015 at 04:04 PM
I've worked in IT all my life, and I can tell you one thing - once a system is rooted it can never be trusted again. Software or hardware. Data can be recovered, but it must be done very carefully.
Posted by: HankP | 23 June 2015 at 04:23 PM
You have the same large, inefficient bureaucracies choosing which contractors to hire. A lot of potential to make things even worse.
Posted by: steve | 23 June 2015 at 04:46 PM
I was a senior manager at an IT outsourcing firm for a few years (Group General Manager - System Integration). CP and TTG have it right.
Our mission was to totally lobotomise our clients, making them utterly reliant on our good selves. To that end, we:
(A) After a suitable interval of months, reminded the customer's project sponsor ("project champion") that her future career prospects depended on the outsourcing being perceived as successful by her Board.
(B) Hired the best of the customer's IT staff ourselves; the low level staff were simply fired.
(C) Identified potential technical critics within the customer's organisation who wouldn't leave. We arranged for these potential troublemakers to be fired using the leverage of (A).
So now we have complete control of one of the customer's core competencies. We control their IT strategy and execution and hence exert influence on their entire business plan. There is no one technically competent to quibble over our pricing. We know their innermost thoughts if they commit them to email. We know their business plan, profitability and future ideas. As long as our project sponsor/mole is believed and in the ascendant within the customer, nothing can touch us.
This situation produces a very ugly hangover at Board level when they realise they have lost control of their core technical competency and then they have to simultaneously reacquire technical nous and prise our fingers from their keyboards.
My guess is that there is/was an "Outsourcing Project Champion" at OPM who drove this project with great enthusiasm, surmounting all hurdles and vanquishing anyone who sounded a warning. They must be feeling suicidal by now if they have the ability to feel remorse, which I doubt.
Posted by: walrus | 23 June 2015 at 04:58 PM
The story line of the OPM and related hacks, as presented to us by the MSM & most commentators, strikes me as being remiss - in its portrayal of the main protagonists and in its plot. The US is represented as the victim of unprovoked cyber aggression by the Chinese, coming out of the blue. This is seen as a potentially major blow in an assumed contest for global dominance between the two powers. But is any of this true? Frankly, we haven't even seen the proof that the PRC was behind all the attacks - nothing except the word of people whose record is one of serial lying. But let's assume that it was the Chinese.
Let us recall that it was the United States that launched the first cyber attacks - some years ago, by the NSA. This history is detailed in the Snowden documents, whose authenticity never has been questioned. We succeeded in trespassing on the computer networks of several PRC agencies and individuals. We boasted about our success in intra-governmental communications. Those occurred at a time when related documents now in the public realm revealed the NSA's ambition to tap into every electronic communications network in the world and laid out a program for achieving that goal.
Simultaneously, the United States was launching offensive assaults on Iran. The targets there included not just their nuclear research facilities but also critical centers for the oil and gas industry. These are acts of war. Yet there was never a mandate from any international body for doing so, nor a casus belli. We did it in collaboration with the Israelis because we made the unilateral judgment that aggression was in our national interest. Now we are outraged that others are doing what we have done. This is rank hypocrisy - it also is not very bright. For the initial actions made the casual assumptions that the US would always have an advantage; therefore, the setting of norms and rules was unnecessary and undesirable. The same logic operated in regard to drones and targeted assassinations.
Conditions now have changed and the US is vulnerable to attack. The option of negotiating international rules of the road and perhaps formal regulations is slipping away. We will have to live with the chaotic mess that we have created.
Whatever thinking the NSA did on the subject (and perhaps other agencies) bears an uncanny resemblance to Curtis Lemay's attitude toward nuclear strategy. An emphasis on offense because it played to our advantage; defense only in the form of "massive retaliation" which - for Lemay - was the strategic cover for massive first strike; and a conviction that this was an unavoidable zero-sum game played for the highest stakes. In other words, cowboy strategy. And it is cowboy strategic thinking that has ruled in the NSA.
The most revealing article on this appeared in WIRED a while back. In the piece written by James Bamford (21.07.14), General Keith Alexander, since retired, revealed the full scope of his ambition. Here are some of its more noteworthy quotes: "For years, U.S. General Keith Alexander has been amassing a secret cyber army. Now it's ready to attack.... Alexander's forces are formidable - thousands of NSA spies, plus 14,000 cyber troops.... Endgame hunts for hidden security weaknesses that are ripe for exploitation." Plans included a "launch on warning" doctrine whereby massive cyber retaliation would be directed automatically at whomever made a strategic attack on sensitive U.S. computers. Its code name is MonsterMind. Preparations for the Great Cyber War evidently left no time to keep track of smaller attacks. (See also THE INTERCEPT 10/10/14, "Core Secrets: NSA Saboteurs in China and Germany" by Peter Maass and Laura Poitras.)
CONCLUSION: There is no substitute for brains at the top. As of now, there aren't any there. The record speaks for itself.
Posted by: mbrenner | 23 June 2015 at 05:19 PM
scary story and well worth reflection.
Clearly the Champion received a fat private bonus and an offer of employment at the outsourcing company.
Corruption is the death of all endeavors as the logic response, rules - regulations - inspectors, defeats the rationale of the organization.
Once key people lose their self-imposed loyalty to the project then the project fails.
Key example being the vulcans/neocons.
Just by chance this morning saw an article in the Guardian on Iraq
http://www.theguardian.com/world/2015/jun/23/iraq-war-worth-the-fight-chaos-gertrude-bell
with this quote
“Outside these walls (museum), you’ll find nothing that has been built since British rule that commemorates the country like all of the things within these walls.”
no cohesion, no strength.
Posted by: wisedupearly | 23 June 2015 at 05:53 PM
Walrus - I don't think I've ever read a more succinct description of how IT consulting operates. This was exactly how we operated. The TV show "House of Lies" provides the same information about consulting, disguised as entertainment.
Posted by: Richard Armstrong | 23 June 2015 at 06:36 PM
On a very bright note the TPP (v2) has passed the House and now the Senate. Congratulations! At least we got that flag down, which is appropriate given the loss of sovereignty.
Posted by: Fred | 23 June 2015 at 06:41 PM
My pleasure - glad to contribute something useful. Schneier always has the goods.
Posted by: DeWitt | 23 June 2015 at 07:26 PM
It should be noted that Kaspersky Labs was hacked (purportedly by the Israelis), who used Duqu, a variant of Stuxnet, to penetrate and inhabit Kaspersky's servers for several weeks or months. When one of the top private computer security firms in the world can be pwnd, it would seem to add some color to this discussion.
http://www.computerworld.com/article/2934593/security0/duqu-2-0-kaspersky-israel-itbwcw.html
Posted by: DeWitt | 23 June 2015 at 07:38 PM
If I did not know any better, I would have started shedding tears for the Poor Customer.
Customers can and do fire IT Outsourcers; look at how GM fired HP.
In many instances, HP staff knew the business better than the GM guys.
This is just another phase in the same old - same old pattern:
Out source today - in source later - however the wind/fashion blows
Do a merger today, go through a divestiture tomorrow - merge again...
Posted by: Babak Makkinejad | 23 June 2015 at 08:26 PM
Mr Brenner
Speaking of Gen K Alexander, this brings me to the thread of 2010 about Lani Kass and Cyberspace and warfare :
http://turcopolier.typepad.com/sic_semper_tyrannis/2010/04/dr-lani-kass.html
Interesting bits and pieces back then,such as :
"Her brainchild really never took off. All DOD "cyber" activities are being merged into the joint CYBERCOMMAND and will be official once DIRNSA, Gen Alexander, is confirmed by the Senate for a fourth star. DISA and NSA will be the two biggest players, not the Air Force. And those two agencies are driving the boat right now not the individual military components."
Posted by: The Beaver | 23 June 2015 at 08:57 PM
Thanks, Beaver, interesting.
The technical system security context looks like a real horror scenario, even without the larger outsourcing problem.
Have you taken a look at the Nov 2014 report? From Page 9 onward you find the chronology from the "material weakness" in 2007 to the upgrade to "significant deficiencies" in Nov. 2014, within limits or based on clearly defined strictures.
"Material weakness related to security governance upgraded to significant deficiency."
"While limited tangible improvements have been made to the security management structure in FY 2014, the ISSO positions that have been planned, approved and funded represent significant improvements over prior years. Therefore, we are upgrading the material weakness to a significant deficiency for FY 2014 due to the imminently planned improvements. However, we will reinstate the material weakness in FY 2015, if the OCIO fails to adequately implement the approved changes."
ISSO = Information System Security Officer
OCIO = Office of the Chief Information Officer
*******
I took a look at USIS and KeyPoint too. Here is USIS history from Wikipedia:
"USIS was founded in 1996 after the investigative branch of the OPM was privatized. Its creation was due to an effort of Vice President of the United States Al Gore's effort to reduce the size of the civil service. Originally known as U.S. Investigations Services Inc.,[3] it was at first an employee-owned company. Around 2000 the Carlyle Group invested in USIS and in 2003 Welsh, Carson, Anderson & Stowe committed capital to them. In 2007 Carlyle announced that it would sell USIS to Providence Equity Partners, a private equity firm, for US$1.5 billion.[4] In the fiscal year 2012 the company received $253 million for the contract work of the OPM, 67% of the OPM's contract spending for the fiscal year.[3]"
Unexpected consequences? ... Although, looks as if they never really took security seriously.
The chatter among insiders and people inquiring about work conditions in the two entities are interesting.
*********************
But strictly I find it much worse that there is no central IT department in control of systems and security, not even after 7 years in Nov. 2014, and apparently over the years largely no documentation.
Imagine people completely untrained in the field working as DSOs (Designated Security Officers) in addition to their actual job. STILL in Nov. 2014.
***********
Ars:"Unfortunately, many other small federal agencies may be just as vulnerable to attacks. Two decades of bad security practices, a long decline in internal information technology experience within civilian agencies, and a tendency to contract out critical parts of IT to private companies without a great deal of technical oversight have created ripe attack conditions. To boot, DHS's efforts to provide a first line of defense against network attacks is based on an approach rooted in security strategies more than a decade old—and even that strategy is only now being fully put into place."
**********
Strictly none of the arguments convince me completely as far as suspects and the supposed detected suspect are concerned.
But then:
"The greatest trick the Devil ever pulled was convincing
the world he didn't exist"
--- Verbal Kint
Posted by: LeaNder | 23 June 2015 at 11:01 PM
"the UK's recent Snowden accusation is a political football."
thanks, that was my impression too, when I stumbled across it.
"as the Sunday Times reported an anonymous source saying, “we have now seen our agents and assets being targeted,” the NSA and GCHQ should first take a look into their mirrors"
Forgot about him. Someone linked to him before, good man.
Wasn't it a blog? Yes, here it is:
https://www.schneier.com/
Posted by: LeaNder | 24 June 2015 at 12:20 AM
Federal personnel chief: ‘I don’t believe anyone is personally responsible’ for Chinese hack
Katherine Archuleta blamed "legacy" computer systems on the failure to upgrade cyber security.
Posted by: mbrenner | 24 June 2015 at 12:33 AM
"We did it in collaboration with the Israelis because we made the unilateral judgment that aggression was in our national interest. Now we are outraged that others are doing what we have done. This is rank hypocrisy - it also is not very bright. For the initial actions made the casual assumptions that the US would always have an advantage; therefore, the setting of norms and rules was unnecessary and undesirable. The same logic operated in regard to drones and targeted assassinations."
Yes, the US has yesterday set the precedent for what it complains about today. America's conduct since Clinton is notable for lack of observable self-restraint and foresight.
It's "Yes, we can!" ever since, and as for why "Because!" has always sufficed as a justification.
It will have come full circle when the US freak out at some country conducting a targeted assassination, or perhaps a drone strike, against an enemy on US soil.
I guess a hegemon is fond to think it can scoff at all this folksy old realist stuff like rule of law, sovereignty, reciprocity, the fact that others can retaliate and that international actors set legal precedents.
The Izzies are just as dumb in that their conduct likewise sets precedents for behaviour they themselves would find threatening and unacceptable if they ever found themselves in a position of actual (as opposed to professed) weakness. Alas, they are strong for now, so they do what they want while their neighbours suffer what they must. The point is, they won't forget.
I wonder for how long that merry state of affairs can endure.
The US for their part has begun to realise, albeit penny by penny and still well short of a dime, that there actually are limits to the utility of coercion and force. If threats and bombs don't work, more threats and bombs won't work either? Puzzling!
Posted by: confusedponderer | 24 June 2015 at 01:03 AM
All,
We (the USG) have been having our ass handed to us by the Chinese for at least a decade. In the earlier days, there was no finesse to the attacks. They would suck down so much information from an installation that the installation's network would crash. I've seen other things just as bad. Our networks are massive, often patched together with outmoded hardware and software. There aren't near enough top notch network security people to defend this.
The only good news is that the Chinese are in the same predicament. Our guys are damned good and their networks aren't any better protected than ours. The cyber world consists of inter-networked bad neighborhoods and battlefields where no one and no data is truly safe. We can do better, but it takes government acceptance of the hacker-sysadmin mentality. We need digital versions of Professor Van Helsing... lots of them. We also need to embrace ubiquitous strong encryption.
Posted by: The Twisted Genius | 24 June 2015 at 01:04 AM
A series of brilliant responses today, Dr. Brenner. ;)
May I add the links? Actually cyberwar caught my attention too a lot post 9/11, but it didn't seem to be widely discussed, only in expert and geek circles.
Maas/Poitras
https://firstlook.org/theintercept/2014/10/10/core-secrets/
Bamford - NSA Snooping Was Only the Beginning. Meet the Spy Chief Leading Us Into Cyberwar 06.12.13
http://www.wired.com/2013/06/general-keith-alexander-cyberwar/
Two of the six Bamford presents, some not publicly recognized:
JFCC-NW
(Joint Functional Component Command for Network Warfare) Created in 2005 as part of US Strategic Command, which controls the nation’s nuclear arsenal, it played a lead role in promoting the idea of thwarting Iran’s own nuclear ambitions with a cyberattack. Folded into Cybercom in 2010.
USCYBERCOM
(US Cyber Command) Established by the Department of Defense in 2009 to deter cyberattacks—”proactively.” In March, Alexander gave a hint of the command’s mandate to the House Armed Services Committee: “I would like to be clear that this team, this defend-the-nation team, is not a defensive team.”
In May 2010, a little more than a year after President Obama took office and only weeks before Stuxnet became public, a new organization to exercise American rule over the increasingly militarized Internet became operational: the US Cyber Command. Keith Alexander, newly promoted to four-star general, was put in charge of it. The forces under his command were now truly formidable—his untold thousands of NSA spies, as well as 14,000 incoming Cyber Command personnel, including Navy, Army, and Air Force troops. Helping Alexander organize and dominate this new arena would be his fellow plebes from West Point’s class of 1974: David Petraeus, the CIA director; and Martin Dempsey, chair of the Joint Chiefs of Staff.
The Edward Snowden Story with a correction on 22, August 2014.
http://www.wired.com/2014/08/edward-snowden/#ch-2
Posted by: LeaNder | 24 June 2015 at 02:45 AM
US consular services to non-citizens were shut down from 8th of June till yesterday. No visas could be delivered due to security concerns. Apparently they have been resumed for a limited number of applicants as of today. Does this have anything to do with the hack? http://london.usembassy.gov/niv/
Posted by: Amir | 24 June 2015 at 02:55 AM
Indirect predation. It was invented ages ago by women and courtiers.
Posted by: rjj | 24 June 2015 at 05:32 AM
Ever see the Pinter/Losey film "The Servant" ??? It's a parable.
Posted by: rjj | 24 June 2015 at 05:41 AM