OPM IT Outsourced to Foreigner Contractors, with Root Access, Working from their Home Country. In this Case, Oh Yeah, ChinaPosted: June 17, 2015
Encryption ‘would not have helped’ at OPM, says DHS official: Attackers had valid user credentials and run of network, bypassing security
Sean Gallagher reports: During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.
But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.
Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”
When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM’s systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, “I would be glad to discuss that in a classified setting.” That was Archuleta’s response to nearly all of the committee members’ questions over the course of the hearing this morning.
At least we found it
Archuleta told the committee that the breach was found only because she had been pushing forward with an aggressive plan to update OPM’s security, centralizing the oversight of IT security under the chief information officer and implementing “numerous tools and capabilities.” She claimed that it was during the process of updating tools that the breach was discovered. “But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network and would not have been able to share that information for the protection of the rest of the federal government,” she read from her prepared statement. Read the rest of this entry »
Neutralized by Legal Setbacks, Obama Administration Appears to Stop Work on its Illegal Illegal Immigration ProgramPosted: June 8, 2015
Jerry Markon reports: A series of legal setbacks have halted the government’s intensive preparations to move forward with President Obama’s executive actions shielding millions of illegal immigrants from deportation, even as community organizations continue a rapid push to get ready for the programs, according to U.S. officials and immigrant advocacy groups.
“After Texas and 25 other states sued the administration, calling the moves unconstitutional, a federal judge in Texas in February put them on hold until the case is resolved. A federal appeals court recently upheld that injunction, with legal observers now saying the court fight could last until late in Obama’s term.”
Since a federal judge first blocked the new programs in February, the Department of Homeland Security has suspended plans to hire up to 3,100 new employees, most of whom would be
housed in an 11-story building the government has leased for $7.8 million a year in Arlington, Va. That building, in the Crystal City area, is now sittig mostly unused, DHS employees say.
“The legal battle highlights the explosive nature of the immigration debate, which has emerged as an early issue in the 2016 presidential race even as immigration legislation remains stalled in Congress.”
Yet inside and outside the Beltway, community groups are mobilizing, educating immigrants and training volunteers to help them apply for relief, even though it remains unclear whether the program will ever begin. Most recently, a foundation headed by billionaire George Soros, undaunted by the court rulings, pledged at least $8 million to that effort.
“We’re full speed ahead,” said Josh Hoyt, executive director of the Chicago-based National Partnership for New Americans, a coalition of pro-immigrant groups that have held more than 700 information sessions on the new programs and trained more than 2,000 volunteers to aid immigrants in applying for them.
Obama announced in November that up to 5 million illegal immigrants would be eligible to be shielded from deportation — including undocumented parents of U.S. citizens and legal permanent residents — as long as they met certain criteria. One of the signature initiatives of his presidency, the plan also expands a 2012 program that has deferred the deportations of more than 600,000 immigrants brought to the United States illegally as children and has granted most of them work permits.
“The fate of Obama’s executive action benefiting immigrant parents, known as Deferred Action for Parents of Americans and Lawful Permanent Residents, or DAPA, will resonate into the next administration.”
But after Texas and 25 other states sued the administration, calling the moves unconstitutional, a federal judge in Texas in February put them on hold until the case is resolved. A federal appeals court recently upheld that injunction, with legal observers now saying the court fight could last until late in Obama’s term. The 2012 program remains unaffected.
“As soon as Obama took his actions on Nov. 20, U.S. Citizenship and Immigration Services ‘immediately began efforts to implement those initiatives,’ said Marsha Catron, a DHS spokeswoman. The next day, the agency leased a 280,000-square-foot building on Crystal Drive in Crystal City to house DAPA employees, according to DHS documents sent to Congress.”
The legal battle highlights the explosive nature of the immigration debate, which has emerged as an early issue in the 2016 presidential race even as immigration legislation remains stalled in Congress. The fate of Obama’s executive action benefiting immigrant parents, known as Deferred Action for Parents of Americans and Lawful Permanent Residents, or DAPA, will resonate into the next administration. Most Republican presidential candidates have pledged to overturn Obama’s immigration actions, while leading Democratic candidate Hillary Rodham Clinton has strongly endorsed them.
“The building came fully furnished but required about $26 million in start-up costs, including $2.7 million for workstation and desktop equipment, documents show.”
As soon as Obama took his actions on Nov. 20, U.S. Citizenship and Immigration Services “immediately began efforts to implement those initiatives,’’ said Marsha Catron, a DHS spokeswoman. The next day, the agency leased a 280,000-square-foot building on Crystal Drive in Crystal City to house DAPA employees, according to DHS documents sent to Congress.
“Most recently, a foundation headed by billionaire George Soros, undaunted by the court rulings, pledged at least $8 million to that effort.”
The building came fully furnished but required about $26 million in start-up costs, including $2.7 million for workstation and desktop equipment, documents show. Those costs were to be funded with fees collected from immigrants who had applied for other government programs, and DHS says DAPA would have no impact on any existing programs. Read the rest of this entry »
China hacked into the federal government’s network, compromising four million current and former employees
Ellen Nakashima reports: China is building massive databases of Americans’ personal information by hacking government agencies and U.S. health-care companies, using a high-tech tactic to achieve an age-old goal of espionage: recruiting spies or gaining more information on an adversary, U.S. officials and analysts say.
“This is part of their strategic goal — to increase their intelligence collection via big data theft and big data aggregation. It’s part of a strategic plan.”
— U.S. government official, on condition of anonymity
Groups of hackers working for the Chinese government have compromised the networks of the Office of Personnel Management, which holds data on millions of current and former federal employees, as well as the health insurance giant Anthem, among other targets, the officials and researchers said.
“We wish the United States would not be full of suspicions, catching wind and shadows, but rather have a larger measure of trust and cooperation.”
— Chinese Foreign Ministry spokesman Hong Lei
“They’re definitely going after quite a bit of personnel information,” said Rich Barger, chief intelligence officer of ThreatConnect, a Northern Virginia cybersecurity firm. “We suspect they’re using it to understand more about who to target [for espionage], whether electronically or via human recruitment.”
The targeting of large-scale databases is a relatively new tactic and is used by the Chinese government to further its intelligence-gathering, the officials and analysts say. It is government espionage, not commercial espionage, they say.
“They would leverage this data to get to diplomatic, political, military and economic intelligence that they typically target.”
“This is part of their strategic goal — to increase their intelligence collection via big data theft and big data aggregation,” said a U.S. government official, who, like others, spoke on condition of anonymity to discuss a sensitive topic. “It’s part of a strategic plan.”
One hack of the OPM, which was disclosed by the government Thursday, dates at least to December, officials said. Earlier last year, the OPM discovered a separate intrusion into a highly sensitive database that contains information on employees seeking or renewing security clearances and on their background investigations.
“So now the Chinese counterintelligence authorities know which American officials are meeting with which Chinese.”
Once harvested, the data can be used to glean details about key government personnel and potential spy recruits, or to gain information useful for counterintelligence. Records in OPM’s database of background investigations, for instance, could contain a complete history of where an individual has lived and all of his or her foreign contacts in, say, China. “So now the Chinese counterintelligence authorities know which American officials are meeting with which Chinese,” a China cyber and intelligence expert said.
“For bigger data storage, for bigger data theft. And when you can gain it in bulk, you take it in bulk.”
— China cyber and intelligence expert
The data could help Chinese analysts do more effective targeting of individuals, said a former National Security Agency official. “They can find specific individuals they want to go after, family members,” he said. Read the rest of this entry »
WASHINGTON — The Obama administration is scrambling to assess the impact of a massive data breach involving the agency that handles security clearances and employee records, U.S. officials said Thursday.
A congressional aide familiar with the situation, who declined to be named because he was not authorized to discuss it, said the Office of Personnel Management and the Interior Department were hacked. A second U.S. official who also declined to be identified said the data breach could potentially affect every federal agency.
The White House was considering a public announcement of the breach Thursday night or Friday morning, the second official said.
The Office of Personnel Management is the human resources department for the federal government, and issues security clearances….(developing)