This will certainly comfort the 18 million Americans now believed to be at risk of identity theft or worse from the year-plus intrusion into the Office of Personnel Management. That, by the way, is about six percent of the entire US population. Despite the fact that OPM literally handed over the root password to the intruders and may never have found out about it except for a potential security contractor’s accidental discovery, OPM director Katherine Archuleta says no one at her agency is responsible for what some call the Pearl Harbor of cyberwarfare. Blame the criminals, not the victims, Archuleta argued today at a Senate hearing (video via Grabien):
The federal personnel chief said Tuesday that she does not believe “anyone is personally responsible” for the massive hack of federal employee data and security clearance files and instead blamed the breach on old computer systems and the hackers themselves.
“We have legacy systems that are very old,” Katherine Archuleta, director of the Office of Personnel Management, told Senate lawmakers at a hearing on the intrusion. “It’s an enterprise-wide problem. I don’t believe anyone is personally responsible.”
She then told Sen. Jerry Moran (R-Kan.), who pressed her repeatedly to take responsibility for failing to shore up the agency’s computer security, that the attackers are the ones to blame.
“If there’s anyone to blame, it’s the perpetrators,” Archuleta said. “Their concentrated, very well-funded efforts to come into our system are what we’re concerned about.”
Ahem. That argument works for those who blame society for specific crimes committed by individuals, or those who would impute criminal guilt for a specific act to a class or group of people. Of course, the criminal responsibility lies with the criminal.
That argument does not apply to the assignment of responsibility to people for data that requires secure safekeeping in this instance. The very premise of network and data security rests on the knowledge that entities want to get their hands on proprietary or classified information, knowledge which is supposed to motivate those responsible for taking adequate steps to protect it. The federal government — OPM in this case — demands this information as a condition of employment, forcing those who want to enter into an employment relationship to give up a portion of their privacy to their employer, and sometimes very large portions. The employer then has a legal and moral duty to perform due diligence to protect that information.
Did OPM exercise due diligence? Hardly. They handed over the root password to a consultancy whose operatives worked in China, one of the biggest threats to American data security in the world. Archuleta’s OPM didn’t police its own networks enough to even discover the intrusion on its own. The attitude Archuleta expressed in this Senate hearing goes a long way toward explaining how a federal agency could have been caught with its pants down for so long. It was no one’s responsibility.
But hey, President Obama has “full confidence” in Archuleta. That says something … about Obama.
Meanwhile, ZDNet reports that not only did OPM get robbed blind for more than a year, their message to federal employees ended up being the object of a phishing attack too, emphasis mine (via ConservativeLA):
The OPM began sending out these email notifications on Monday, June 8 using the vanilla email address (). These initial messages told recipients to click on an embedded link to register for their credit monitoring services. Of course no one should open links embedded in emails that are not digitally signed and/or come from unknown senders, but that doesn’t stop people.
This, as The Washington Post reported, alarmed many security-savvy federal employees. They were afraid that those first real messages were actually phishing e-mails.
And, why shouldn’t they? The OPM hack had already put their Social Security numbers, addresses and other personal information into hackers’ hands.
It turned out they had every reason to be afraid. According to multiple Federal government sources, phishing messages appeared almost immediately after the real messages were sent. …
One senior official said that Department of Defense (DoD) security believes the original OPM hackers obtained a copy of the real CSID announcement e-mail and modified it for their own criminal purposes. It was because of this actual attack, and the e-mail notification’s poor design, that on June 15 over internal networks, the DoD announced, “THE DEPARTMENT OF DEFENSE, WITH OPM AND CSID SUPPORT, HAS SUSPENDED FURTHER NOTIFICATIONS TO DOD PERSONNEL UNTIL AN IMPROVED, MORE SECURE NOTIFICATION AND RESPONSE PROCESS IS IN PLACE.”
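As an added example (not from this post or from ZDNet’s report), here is a small Python check of the kind the quoted advice implies: flag a notification e-mail that carries no digital signature, comes from an unexpected sender domain, or embeds links that point off an allowlist. The sender domain, the allowed hosts and the message itself are constructed for illustration; the presence of a DKIM-Signature header is used only as a proxy, since real signature verification needs DNS lookups and a DKIM library.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a single-part HTML notification of the kind described above.
# Hypothetical sender and links; not a real OPM/CSID message.
SAMPLE_RAW = """From: Notifications <notify@example-monitoring.invalid>
To: employee@agency.invalid
Subject: Enroll in your credit monitoring
Content-Type: text/html

<p>Click <a href="https://enroll.example-monitoring.invalid/start">here</a> to register.</p>
<p>Help: <a href="http://enroll.example-monitoring.invalid.attacker.invalid/start">support</a></p>
"""

# Assumed policy values for the example.
EXPECTED_SENDER_DOMAIN = "example-monitoring.invalid"
ALLOWED_LINK_HOSTS = {"enroll.example-monitoring.invalid"}


def extract_links(html):
    """Return every href value in a simple HTML body (regex is enough for the sample)."""
    return re.findall(r'href="([^"]+)"', html)


def assess_notification(raw, expected_sender_domain=EXPECTED_SENDER_DOMAIN,
                        allowed_hosts=ALLOWED_LINK_HOSTS):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Signed at all?  (Header presence only; validity is not checked here.)
    if "DKIM-Signature" not in msg:
        findings.append("no DKIM-Signature header: message is not digitally signed")

    # 2. Does the From: domain match the sender we were told to expect?
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    if sender_domain != expected_sender_domain:
        findings.append(f"unexpected sender domain: {sender_domain}")

    # 3. Every embedded link must be https and point at an allowlisted host.
    body = msg.get_payload()  # single-part text/html assumed for the sample
    for link in extract_links(body):
        url = urlparse(link)
        if url.scheme != "https" or url.hostname not in allowed_hosts:
            findings.append(f"link host not allowlisted or not https: {link}")
    return findings
```

Running `assess_notification(SAMPLE_RAW)` reports the missing signature and the look-alike link whose hostname merely starts with the legitimate one; a message that only adds a DKIM-Signature header clears the first finding and nothing else.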
It’s incompetents all the way down, and all the way up. But don’t worry … in Archuleta’s OPM, no one is responsible.
Note: In the last sentence, I’m referring to multiple incompetents — people who are incompetent — and not just the quality of incompetence. A reader on Twitter wondered whether I had meant the latter, but no; the people themselves are personally incompetent.
Update: Video added, courtesy of Grabien.