During Tuesday’s House Oversight hearing on the Office of Personnel Management (OPM) hack, Director Katherine Archuleta was repeatedly asked by Chairman Jason Chaffetz why the systems had not been protected with encryption prior to the discovery of the breach.
Archuleta hemmed and hawed, finally answering that “It is not feasible to implement on networks that are too old” but adding that the agency is now working to encrypt data within its networks.
According to Ars Technica, encryption wouldn’t have made much difference. Why? Because the attackers may have been accessing the system from within.
Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
Keep in mind that China is being blamed for the intrusion.
Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?’”
Meanwhile, via AoSHQ, No Drama Obama is standing by the OPM’s wise Latina.
President Obama is standing by Office of Personnel Management (OPM) Director Katherine Archuleta despite a series of massive data breaches that have shaken the federal government, the White House said Wednesday.
“The president does have confidence that she is the right person for the job,” spokesman Josh Earnest told reporters.
Of course! Nothing to see here.
How about we talk about what REALLY matters?