back to article Read the damning dossier on the security stupidity that let China ransack OPM's systems

The congressional investigation into the hacking of the US Office of Personnel Management has shown how a cascade of stupidity that allowed not one but two hackers access to critical government secrets. The 227-page report [PDF] details how two hacking teams, both thought to be state-sponsored groups from China, managed to …

  1. Ole Juul

    The real news

    recommendations include . . . investing in better security systems, and increasing the amount it pays security staff, so that it can get the best talent

    This has got to be the first time I've heard that.

    1. Anonymous Coward
      Anonymous Coward

      Re: The real news

      This has got to be the first time I've heard that.

      .. especially in the context of a government organisation.

      Personally, I think the OPM hack was unforgivable as it put a stupid amount of people personally at risk. It means people with a high clearance will get targeted as foreign intelligence now knows for a fact who they are. Worse, it may now also know weaknesses to exploit.

      Given that they were given enough warning, I reckon whoever was in charge of security (on C-level) should be facing severe consequences.

      1. webhead

        Re: The real news

        The cio was new and hired after the hackers were inside the house. I saw published memo that she was improving the situation. I really thing it was more of case of not enough staff to keep up with the infrastructure care, feeding, maintenance and protection than simply amount of salary. Especially, considering the news about issues at nasa.

  2. elDog

    Uh - how about a bonus of 20% of net pay after 5 years without a hack?

    Of course, this is the gummint and it can't use inventive plans. And real merit bonuses?

    1. dan1980

      Re: Uh - how about a bonus of 20% of net pay after 5 years without a hack?

      Merit bonuses are great, except governments have rather different ideas about what constitutes 'merit'.

    2. Version 1.0 Silver badge

      Re: Uh - how about a bonus of 20% of net pay after 5 years without a hack?

      That's a great incentive to cover up any hack.

    3. gzuckier

      Re: Uh - how about a bonus of 20% of net pay after 5 years without a hack?

      You mean "without detecting a hack". That's a lot easier.

    4. Tom Paine

      Re: Uh - how about a bonus of 20% of net pay after 5 years without a hack?

      It's nothing to do with the government, it's the state. Americans seem to be congenitally unable to distinguish these two entirely separate and distinct entities, "with hilarious consequences" especially among the mouth-breathing capslock brigade.

  3. Anonymous Coward
    Anonymous Coward

    What on earth was going on over there?

    Benghazi was a ludicrous witch-hunt concocted by Republicans trying to attack Hillary Clinton. This is the real deal. People in dangerous parts of the world, doing good work, will die because of this.

    I have some sympathy with an org that gets hacked -- there but for the grace of god, and all-- but OPM were warned again and again by their agency peers (NSA, CERT etc) that they were exposed and they did sweet FA.

    I'm also disturbed by the note on page viii of the report about how they screwed over a supplier, CyTech, by having them work for two weeks, not pay them, and then (!!!) wiped all the evidence that the supplier had collected, so that the congressional oversight committee could not see it. Smells --no, reeks-- of a grade A, ass-covering, nuclear panic meltdown.

    1. IvyKing

      Re: What on earth was going on over there?

      Unfortunately this has been very typical of the Obama administration. In OPM's case, the top management was more focused on "diversity" than doing their job. In HRC's case, the Benghazi mess could also be traced to HRC not focusing on her job as SoS, which in itself is not criminal. OTOH, there is very good evidence that she mishandled classified material in violation of the law on such material, and many sections of the laws she violated do not require "intent" for connection.

      1. Alister

        Re: What on earth was going on over there?

        @IvyKing

        Unfortunately this has been very typical of the Obama administration.

        Did you actually read the article, at all? The roots of this go back way before the current administration, and have absolutely nothing to do with who is the current President.

        But you seem to have a problem with Obama, so it must be personally all his fault.

        I suppose you blame him for the fact I had a shit summer this year, as well.

      2. Version 1.0 Silver badge

        Re: What on earth was going on over there? (offtopic)

        I would appear that HRC's mail server was a lot more secure than the official government systems. Frankly this whole aspect of the 'merican presidential race is baffling - we're supposed to hate HRC because she ran a mail server and love DT because he doesn't even read e-mail, let alone run a mail server.

        1. Anonymous Coward
          Anonymous Coward

          Re: What on earth was going on over there? (offtopic)

          love DT because he doesn't even read e-mail, let alone run a mail server

          Given the quality of some of his utterings it's worth checking if he can actually read..

          1. Anonymous Coward
            Trollface

            Re: What on earth was going on over there? (offtopic)

            Actually, I think the problem is that he has NEVER seen a working computer.

            Every time he gets near one, a static discharge from his nylon hair kills it.

        2. gzuckier

          Re: What on earth was going on over there? (offtopic)

          That would be Mr. Trump, who was personally "going to see Bill Gates" and get him to "shut down the Internet" "maybe in certain areas" as the answer to the digital security problems of the modern era, if you recall.

        3. webhead

          Re: What on earth was going on over there? (offtopic)

          Security thru obscurity is good. ? Lol. I would tend to agree with your statement about her server but heard only that the data was turned over and not the system files. Considering the state department mail system was having drama, I do wonder why not the private system. Perhaps, she was simply smart /lucky enough to not click on phish.

      3. Tom Paine

        Re: What on earth was going on over there?

        Obama??? have you chaps STILL not come up with the idea of civil servants??

    2. Nunyabiznes

      Re: What on earth was going on over there?

      Benghazi wasn't a ludicrous witch hunt. It was an abject failure on HRC's part personally. There are other endemic issues with US embassy security that stretch back well before this administration, but that specific attack's eventual success was a direct result of HRC's leadership. Part of her remit was embassy security worldwide. There were too many issues for any one SOS to fix, but she could have at least started.

      HRC's email server issues will never be fully known. There could well have been hackers running rampant on it (and the available evidence suggests there were) but her staff did their best to dispose of anything incriminating - which is incriminating in itself.

      Also, OPM was warned well before Pres. Obama took office and he knew of at least some of the issues when he appointed Katherine Archuleta (after other directors had failed). I won't lay the blame on Pres. Obama because he at least tried to appoint someone to houseclean. He might have been a little naïve about the bureaucracy in OPM however. Now would be a good time to sack the whole lot of OPM leadership including the head of IT. It won't be done because the bureaucracy controls DC and even an administration that reflects the values of the majority of the members of said bureaucracy can't fix it.

      1. Tom Paine

        Re: What on earth was going on over there?

        If the Secretary of State has ANYTHING WHATSOEVER to do with specific security arrangements at foreign embassies and the like, you're doing it wrong at a far more fundamental level than having the wrong politicians in power. This is how you end up with insanity like politicall elected judges and police chiefs. No wonder the US is so fucked...

    3. ShiftedParadigm

      Re: What on earth was going on over there?

      What the Republicans did after the fact doesn't change that the Benghazi attacks was a ludicrous arms deal in a very dangerous part of the world that went very wrong.

      No less than 3 people died "doing good work" trying to keep the ambassador Stevens from getting killed. That no air support came from NAS Sigonella or Aviano Air Force base in Italy tells me that someone higher up in the chain of command hung Ambassador Stevens out to dry along with everyone else at the consulate and the annex.

      Why they didn't send even one F-16 or F/A-18 the 1,000 or so miles from Aviano to Benghazi or the 500 or so miles from Sigonella to Benghzi to help is anyone's guess but they could have been scrambled when the attack started and arrived before it ended.

  4. lukewarmdog

    "increasing the amount it pays security staff, so that it can get the best talent"

    Surely firing all the current staff first however as they've proven to be incredibly incompetent.

    Also find it a bit weird that the NSA merely warns you that you are riddled with malware. I'd have thought maybe they'd have popped round for a chat, turned your servers off and purged them. Unless it was somehow in their best interest to allow a massive hack like this to take place of course..

    1. Anonymous Coward
      Anonymous Coward

      Of course it's important the NSA allow hacks to happen. How else are they going to scare up enough money to keep up the massive surveillance on its own population and also use these hacks as a source of malware and exploits for its own use.

  5. frank ly

    Personality test

    "... it had been attacked, but said that only computer manuals had been stolen and no personal information was missing."

    Did you laugh or did you cry when you read that statement?

  6. Omar Smith

    Chinese hackers stole documents

    What evidence is there that it the hack was done by state-sponsored groups from China Who decided to put such confidential personal records on a computer connected to the Internet. Assuming that OPM was aware of a breech since 2005, why were 'fingerprint files' still doing on a computer accessible to the Internet right up to 2015.

    1. Version 1.0 Silver badge

      Re: Chinese hackers stole documents

      Omar - you have to be new here - have you never read the BOFH?.

      Stuff like this happens all the time - upper manglement orders middle manglement to make their life easier and fix it so that they can run the office from their phone. Middle manglement tell the techs what they want. The techs say, "but this is a security risk" and the middle manglement tell them to do it anyway because the PHB has ordered it.

      But maybe they just outsourced the whole project to the lowest bidder ...

  7. Captain Badmouth
    FAIL

    Katherine Archuleta

    America's answer to Dido Harding?

  8. Captain Badmouth
    Devil

    A million years ago....

    well 2007 then, I received the following reply to my complaint that the application for an NHS post was not via a secure channel :

    "Thank you for your email.

    The site is secure, in that it is in a secure

    data centre with several layers of network

    access security. Your data is stored in a

    protected database server, only available to you

    when you log in with your username and password

    and, where applications are completed, available

    for viewing by the employer that advertised the

    vacancy that you submitted the application for.

    Your data is not 'sent' anywhere, but is

    viewable through the web browser by you and the

    employer for which the application was intended

    once you or they have logged in to the site.

    Making an application online without encryption

    is in line with normal practice on jobs and

    recruitment sites. However, more importantly,

    all aspects of the service and how it operates

    have been the subject of a review by an

    independent security consultant and by the Dept

    of Health security officer before the service

    went live.

    I hope that this has addressed your concerns. "

    Plus cá change eh? Names redacted to protect the guilty.

    1. Alan Brown Silver badge

      Re: A million years ago....

      "2007 then, I received the following reply"

      My response to that turd would have been to forward it to the ICO and Cc a few tech media types on the complaint - and no, I wouldn't have redacted any names.

  9. Anonymous Coward
    Anonymous Coward

    p229 - wow. Security spending on Agriculture NINE times more than that of human cattle. Heck even housing /urban development spent nearly twice as much as OPM.

  10. Nocroman

    Same Old Government Ways.

    Yup It's the same old government way of doing things. Extend the contracts, increase the pay so it costs more tax dollars, and you can't fire the rejects that can't do the job.

    Hire and give our hackers a good paying job as they are better than what you are going to find out of some college where the professor is teaching skills from the last generation. Put the person ( a Hacker) whom they respect the most as the best in the top position, and listen to what he says. DO NOT put some pompous AHOLE in charge. Set up your teams with the best equipment money can buy. That's the way to efficiently spend our tax dollars.

  11. Nocroman

    Yup It's the same old government way of doing things. Extend the contracts, increase the pay so it costs more tax dollars, and you can't fire the rejects that can't do the job.

    Hire and give our hackers a good paying job as they are better than what you are going to find out of some college where the professor is teaching skills from the last generation. Put the person ( a Hacker) whom they respect the most as the best in he top position, and listen to what he says. DO NOT put some pompous AHOLE in charge. Set up your teams with the best equipment money can buy. That's the way to efficiently spend our tax dollars.

  12. JLV

    In hindsight and foresight

    Given the specific nature of this data it should have been extremely well protected. I mean you hear how some F35 design data might have gone missing. Big deal, potentially, if there is a hot war with someone who got that data. This stuff is presumably highly defended.

    However, OPM info is not just _potentially_damaging. Anyone who has it wanting to coerce or turn US govt employees can use it right away, no need for a war. Think back about the Cold War and all the spying going on in those days. This would have been the jackpot, for decades. In a fallback they can always turn it loose for identity theft - for profit or destabilization.

    People up and down OPMs IT org should be _fired_ over this. Not _just_ top managers, also any techies/mgmt in a position to remediate/mitigate but incompetent enough to let it happen. The only real excuse if points where it can truly be shown to be a flagged budget/resource shortfall - then that axe should chew its way up the relevant management, from the levels where spending authority starts, going up.

    Not scapegoating, no, but rooting out incompetence, yes. "Pour encourager les autres"

    1. Charles 9 Silver badge

      Re: In hindsight and foresight

      And then you just end up with worse and a shoestring budget.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021