On Friday, Beijing responded to allegations from Washington that China was responsible for a cyberattack on the US Office of Personnel Management that compromised the personal data of some 4 million government employees.
The accusations, China’s foreign ministry said, are “irresponsible” and “groundless.”
The OPM breach is the latest in a string of cyber ‘incidents’ that have coincidentally occurred in the wake of the Pentagon’s new cyber strategy. Here’s a recap:
Since the announcement by Defense Secretary Ash Carter, the following cyber ‘events’ have occurred: Penn State reports hackers have been stealing data from the university’s DoD-affiliated engineering department for years (blamed on Chinese hacker spies), the IRS says at least 10,000 tax returns have been compromised (blamed on “Russian organized crime syndicates”), and, on Thursday evening, Washington reports what may end up being the largest data breach in history (blamed on China). As noted last month, these events represent a remarkable step up the cyber attack accusation ladder compared to Washington’s attempt to blame North Korea for cyber-sabotaging James Franco and Seth Rogen last year.
Whether or not the most recent virtual attack on the US did indeed emanate from China or one of Washington’s other so-called “cyberadversaries” (the list includes Iran, Russia, and North Korea) will likely never be known to the public, but rest assured the blame will be placed with a state actor so as to ensure the DoD has some precedent to refer to when, for whatever reason, the Pentagon decides it’s time to deploy an “offensive” cyberattack later on down the road.
Irrespective of where the attack originated, it appears obsolete technology was ultimately to blame, because as Bloomberg reports, “Einstein” wasn’t much help in preventing the intrusion.
The hackers who stole personal data on 4 million government employees from the U.S. Office of Personnel Management sneaked past a sophisticated counter-hacking system called Einstein 3, a highly-touted, multimillion-dollar and mostly secret technology that’s been years in the making.
It’s behind schedule, the result of inter-agency fights over privacy, control and other matters, and only about half of the government was protected when the hackers raided OPM’s databases last December.
It’s also, by the government’s own admission, already obsolete.
Over the last several months, U.S. officials have said that perimeter-based defenses such as Einstein, even backed by the National Security Agency’s own corps of hackers, can never prevent break-ins.
Like banks and technology companies, government agencies must move to a model that assumes hackers will always get in, specialists said. They’ll need to buy cutting-edge technologies that can detect intruders inside networks and eject them quickly, before the data is gone.
Of course that likely won’t be possible, because after all, no self-respecting bureaucracy processes important initiatives expeditiously and no modern US lawmaking body actually legislates.
Given the slow pace of government acquisition, the inter-agency rivalries and budget fights, though, the initiative may take several years or more to implement, leaving the possibility that the new technology will be old by the time it’s installed.
Congress has yet to act on the personnel agency’s Feb. 2 request for a $32 million budget increase for fiscal 2016, said Senator Angus King, a Maine independent, in an interview.
“Most of the funds,” the agency said, “will be directed towards investments in IT network infrastructure and security.”
The latest intrusion points to the need for Congress to pass a cybersecurity bill, White House Press Secretary Josh Earnest said. He stopped short of saying whether the measure would have prevented the OPM breach.
That looks a bit like an attempt on the administration’s part to put the blame on an ineffectual Congress, which would seem to be counterproductive at a time when there is clearly a need for less pettiness and more compromise. Some lawmakers were quick to acknowledge this and moved swiftly to rise above Presidential finger-pointing by ... pointing fingers back at the President.
“It’s too early to determine at this point what precisely would have prevented this particular cyber-intrusion,” Earnest said Friday at a press briefing. “What is beyond argument is that these three pieces of legislation that the president sent to Congress five months ago would significantly improve the cybersecurity of the United States, not just the federal government’s cybersecurity, but even our ability to protect private computer networks.”
“Where is the leadership?” said Cory Fritz, a spokesman for House Speaker John Boehner, an Ohio Republican. “The federal government has just been hit by one of the largest thefts of sensitive data in history, and this White House is trying to blame anyone but itself. It’s absolutely disgusting.”
As you can see, everyone appears to be on the same page here as both the Executive and Legislative branches look set to work together on a comprehensive, bipartisan approach to preventing cyber intrusions.
Defense Secretary Ashton Carter spoke to technology leaders in Palo Alto, California, in April, tossing around ideas for recruiting engineers for temporary missions in government and meeting with Facebook's Mark Zuckerberg.