Earlier this month, news emerged that the US government had suffered its worst cyberattack ever.
On June 4, the Office of Personnel Management (OPM) revealed that hackers had penetrated its networks, possibly for many months. The data thieves stole personal information of up to 18 million current and former federal government applicants and employees.
There’s a good chance the attack is even worse than what you’ve read about. The OPM hack included a database holding security clearance information on hundreds of thousands of federal employees and contractors. This database contains details of applicants’ financial and investment records, family members, and even names of neighbors and close friends.
Another database that may have been breached includes criminal history, psychological records, and information about past drug use. The hackers might even have acquired detailed personal and sexual profiles obtained through lie detector tests.
For all the talk of Edward Snowden and the supposed “irreparable” damage he did to US interests, this theft is a lot worse. While OPM doesn’t hold personnel records for the CIA, it does for other US intelligence agencies. The hackers now know the identity of hundreds of thousands of federal employees with security clearances. Not only that, they also have sensitive background information on each of them, which they could easily use for blackmail.
Oh, and get this – the breach wasn’t actually discovered by the OPM. It was only uncovered during a sales demonstration by a security company named CyTech Services.
So what does the Obama administration want to do to solve the problem?
For starters, it’s proposed “economic sanctions” against China, which it holds responsible for the attack. We’ve seen how effective those were against Russia after the US imposed them last year in the wake of Russia’s takeover of Crimea. There’s no reason to think that sanctions against China will be any more effective.
Obama administration officials, led by the FBI, also want to force US companies to insert “back doors” into their encryption products that the government can unlock with the appropriate key. That’s a horrible idea, because strong encryption is really the only certain way to protect sensitive databases from this type of attack. And of course, there’s a very real prospect that hackers might discover the back door. That’s happened on numerous occasions in the past.
And Obama wants Congress to pass a bill to strengthen federal cybersecurity legislation. In April, the House passed its version of the bill and sent it to the Senate. Only a few days after the OPM hack, Senate leaders tacked the Cybersecurity Information Sharing Act (CISA) onto a defense bill to avoid debate on the measure. It didn’t work – the Senate failed to advance the legislation.
It’s no wonder they didn’t want a debate. CISA provides liability protection for businesses that voluntarily share “cyberthreat” data with the government. But it also creates a back-door channel for government agencies to retrieve, analyze, and store enormous volumes of personal data. And since information sharing would be voluntary, the government would be able to obtain all of this information without a warrant. Think of it as an “e-PATRIOT Act.”
Is there a better way? Yes.
The biggest change needed is that both private companies and the feds should encrypt all data – everything. And they should use strong, peer-reviewed encryption protocols – not the watered-down variety with back doors that the Obama administration wants them to adopt.
Sure, this will make it more difficult for the NSA and other spy agencies to carry out domestic surveillance. But investigators can still seize domestic phone records, email header data, and much more, without a warrant. Encrypting everything won’t affect access to this data.
In the meantime, what can you do to protect your own data from cybersecurity breaches? As is often the case, some of the best solutions are outside the politically charged atmosphere of the US.
First, subscribe to a robust virtual private network (VPN) to encrypt the data stream on your smartphone and your PC. I use one called “Cryptohippie.” The company’s only US presence is to authenticate connections to Cryptohippie servers in other countries. None of Cryptohippie’s servers are in the United States.
Second, use an email program that facilitates transmission of encrypted messages. My personal choice is Thunderbird, along with a free plug-in called Enigmail. Once you exchange encryption keys with the people you correspond with, Enigmail automatically encrypts and decrypts your messages.
Third, if you use webmail services, ditch US providers such as Gmail and the online version of Microsoft Outlook (formerly Hotmail). Use a non-US service that is serious about security and encryption. I use a company called Century Media, which has its servers in Switzerland, for this purpose, but there are many other choices.
A good time to begin securing your electronic life would be today. The US government certainly isn’t going to do it for you.