It seems the Chinese plundered the United States Office of Personnel Management (OPM) at will for at least a year. Here is my original blog post about this nightmare.
If you’re a CEO of a major organization and you still think Internet security is abstract and doesn’t apply to you, I hope you have a nice retirement package set aside. Don’t believe me? Just watch the ongoing revelations about the OPM data breach. The news just keeps getting worse. The latest tally is 22 million people. It’s the biggest and maybe the worst data breach in US Government history and it cost Director Katherine Archuleta her job. I imagine a few more heads will roll over the next few days. Here is a link to a NY Times article with details.
Want to see one of the best examples of government CYA in action? Take a look at this press release from a company named Cytech. PDF here in case the original link goes bad. Apparently, a Cytech April 2015 demo uncovered a set of unknown processes on some Windows systems. I’m guessing they were Windows systems – none of the reports overtly mention it. Cytech worked with OPM to chase down those processes and the rest is history.
But wait – a sales demo uncovering the worst data breach in US Government history makes high government officials look bad. Spokespeople to the rescue. Here is a Fortune article with the response from OPM spokesman Sam Schumach. PDF here in case the link goes bad. I’ll quote Sam’s first sentence:
“The cyber intrusion announced last week affecting personnel records for approximately 4 million current and former federal employees was discovered through enhanced monitoring and detection systems that OPM implemented as part of an aggressive effort in recent months to strengthen our cybersecurity capabilities. …”
You can read the rest in the Fortune article.
Pause for a minute. Beyond CYA posturing, what are the real-world consequences of this debacle? Well, for one thing, personal information for everyone who applied for a US Government security clearance since 2000 is now compromised. If you applied for a US Government clearance and you contacted somebody in a hostile country who helped the United States, it’s likely the Chinese learned about it back in 2014. Do I need to connect any more dots? Still think IT security is abstract and doesn’t apply to you? Real, flesh and blood people who wanted to help the good guys may have died because the United States Federal Government only paid lip service to taking your security seriously.
Now back to CYA posturing.
I’m not sure I would want to be in Cytech CEO Ben Cotton’s shoes right now. Imagine this scenario. A large government agency invites your company to do a sales demo for your flagship product. You spend days, weeks, maybe months and a fortune in investor private sector money preparing. You put it all at risk because that’s what we do in the private sector.
And it seems to pay off when you unexpectedly uncover a huge mess. And then you help remediate the problem because it’s the right thing to do. Word leaks out, speculation runs rampant, and you feel forced to do a press release in response because everyone is naming your company anyway. But now the people running the agency that invited you in look bad and they put out their own statements contradicting you. What are the odds you’ll earn a sale from your hard work? No good deed goes unpunished.
And there’s more.
After the news about the breach came out, OPM offered free credit monitoring for victims. The questionable value of this free credit monitoring is well documented, and once the monitoring period ends, then what? But forget about that – how did OPM notify victims? By sending an email with a “click here” link. To millions of Federal employees.
Why is that significant? Because that’s how phishing schemes operate. “Dear customer. We at your bank found an irregularity. Please click here to make it all better.” Bla bla bla. Except the email didn’t come from your bank, it came from a con artist on the other side of the planet who wants to plunder any information in your computer. It’s one of the oldest and most well known con-jobs on the Internet. And people still fall for it. See my blog post, “How to spot a phishy email,” for more.
So guess what? Almost immediately after OPM sent its “click here” email, scammers and spammers duplicated it and sent identical emails with their own “click here” links pointing to their own shady websites. Take a look at these articles, here and here. Talk about rubbing salt in the wound.
Now take a look at this link. It’s the National Institute of Standards’ cybersecurity framework. That’s right. The United States Federal Government literally wrote the book on cybersecurity. And keeps it updated. It’s a shame the leaders at the United States Federal Government HR office apparently didn’t read it.
Finally, if you’re mystified and curious how these breaches happen at the grass roots, and if you’re not, you should be, take a look at my new book, Bullseye Breach. Here is a link. It’s a story about how a fictional large Minneapolis retailer named Bullseye Stores loses 40 million credit card numbers to some Russian crooks. I used fiction as a vehicle because the world already has enough how-to books that nobody reads. So I used fiction and a compelling story to hopefully keep your attention. Every CEO should read this book – it might save you from putting out a press release explaining how you take security seriously after a major breach.