The Congressional hearing about how OPM managed such stupendous incompetence that highly confidential security clearance data was stolen was utterly predictable. OPM officials, who are political appointees with little apparent grasp of technical issues, said the theft was very sad and they need more money to fix antiquated systems. Congresscritters got angry. OPM was penitent. Nothing will change.
OPM Director Katherine Archuleta has little background in computer security and is a political apparatchik who moves from job to job in the government. Her official bio says nothing about any expertise in computer and data technology and ends with this perky drivel.
As the Director of OPM, Archuleta is committed to building an innovative and inclusive workforce that reflects the diversity of America. As a long-time public servant, she is a champion of Federal employees.
Gosh, that’s just wonderful. Except when it comes to protect highly classified data, maybe the first criteria should be competence, then diversity? OPM rank and file may be competent. Management clearly is not.
Our government is  now implementing a “30-day Cybersecurity Sprint” to fix all these danged problems. Their bold plan is basically what any competent sysadmin in the private sector handling important data would already have done.
These steps include immediately patching any vulnerabilities; restricting privileged user access to sensitive information; requiring multi-factor authentication procedures to access federal networks; and employing electronic “indicators” provided by the Department of Homeland Security to highlight when attacks happen.
Here is what passes for any explanation of the data theft. We didn’t encrypt because it’s just do darned complicated and even if we had, the hackers had top-level access anyway, so encryption wouldn’t have helped. Wow. They paid over $100,000 a year to show they’ve risen to their level of incompetence.
Encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
OPM isn’t the only data breach. Keypoint, who provides background checks for the government, was also hacked. They got data on upwards of 390,000 HSA employees.
So let me get this straight: The government wants backdoors to allow access to encrypted data by the organization that had all its security clearance data stolen last September, and which is only just notifying people now?