The House Oversight Committee’s hearings on the massive OPM data breach have been absolutely astounding. The rank incompetence on display at this agency was mind-boggling.
The government knew security was wide open for years, and did nothing. It’s a wonder they weren’t hacked before now. As committee chair Rep. Jason Chaffetz (R-UT) put it, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”
Much of this horror show has consisted of OPM Director Katherine Archuleta – the new face of utter indifference to staggering Big Government failure – insisting that she can’t answer questions because everything is classified. Ars Technica put together a lengthy article full of observations gleaned from the questions that were answered, including this stunner about the lack of much-needed data encryption on the OPM system:
Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
“Social engineering?” Presumably that means the Chinese raiders were able to cadge valid credentials from system users through some variety of human-intelligence and phishing tactics. Once good user names and passwords were in hand, there was basically nothing to stop the intruders, because the interior of the OPM system is a time capsule back to Nineteen Seventy Something. It was revealed in testimony that they’re still running legacy systems more than 20 years old processing COBOL code, so there’s essentially no way to update them to anything resembling modern security standards for remote access.
The “social engineering” task of pilfering user credentials doesn’t sound like it was much of a strain on the resources of the Chinese intelligence apparatus. Consider this jaw-dropping paragraph from the Ars Technica account:
Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?'”
Sweet mother of COBOL! It might not have been necessary for the Chicoms to “steal” any user names and passwords at all.
There will be no “accountability” for any of this. The Obama Administration doesn’t like to concede any sort of error by collecting scalps from inept high-level employees, and it worries a great deal about what some of them might say in whistleblower interviews or tell-all books. Failure on a historic scale is not a big problem. Before Archuleta, the undisputed queen of failure was Kathleen Sebelius, the Health and Human Services secretary who presided over the greatest managerial debacle of the Information Age, the ObamaCare rollout. She retired with a smile, to applause and congratulations.
No, it’s far more likely that the upshot of the OPM breach will involve Big Government once again using its screw-ups to get bigger. There will be loud demands for more money, accusations that the root cause of the problem was penny-pinching Republicans who didn’t give this poor, malnourished Leviathan State enough money to spend.
On the contrary, the perpetual state of numb intoxication brought about by endless billions of dollars is a big part of the reason no one is ever held accountable for anything, and we get one insane cluster-fark after another, from the Department of Veterans Affairs to this nightmare.
The federal government had more than enough money to adequately protect the personal data of its employees and contractors. It just decided to spend that money elsewhere, and since nobody gives a damn about anything in an era where billions of dollars vanish without a trace, no one felt particularly concerned that people with Chinese passports had the keys to their data kingdom.