Cybersecurity

Instapundit: What If a Cyber-Pearl Harbor Happened and Nobody Noticed?

|

Writing in USA Today, Glenn Reynolds, the Interweb's Instapundit, makes the provocative case that the massive Chinese hacks of U.S. government personnel records and related material is akin to Pearl Harbor:

Aside from regular federal personnel records, which provide a royal route to blackmail, intimidation and identity theft for present and retired federal workers, the hackers also stole a trove of military and intelligence records that could be even more valuable. The forms stolen were Standard Form 86, in which employees in sensitive positions list their weaknesses: past arrests, bankruptcies, drug and alcohol problems, etc. The 120 plus pages of questions also include civil lawsuits, divorce information, Social Security numbers, and information on friends, roommates, spouses and relatives.

The result? About 14 million current and former federal employees are in a state of collective panic over the loss of their information. Former State Department employee Matthew Palmer was quoted as saying, "Who is in danger? I listed friends on those forms and my family members. … Are some hackers going to start going after them?"

And yet, Reynolds says, nobody seems to really give a hoot.

So far the federal government is offering free identity-theft protection to its employees, but that response is like putting a Band-Aid on a severed limb — so pathetic it's not even cosmetic. This isn't like a broken code, where we can just change things around and be almost as good as new. Once out, this information will remain current for years, and there's no easy or effective way of doing much about that.

reddit

Reynolds makes one odd (IMO) suggestion, which is that certain federal records should only be maintained in paper form (inefficient but incapable of being hacked as easily as digital copies, he claims), but this is certainly true:

The lesson is that we should probably think twice before entrusting the federal government with our own information. Because if the feds can't protect their own sensitive data, on behalf of people who work for the federal government, how good a job are they likely to do on behalf of the rest of us mere citizens?

Whole thing here.

LifeLock for the federal government? Sure, why not.

Oh, and there's this, via Investor's Business Daily:

Last July, the Department of Homeland Security discovered that hackers had breached OPM's [Office of Personnel Management] network and "appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances."

Less than a month later, USIS, a major federal contractor that does background checks for security clearances, reported that its network had been breached.

Then, in December, the OPM had to alert 48,000 federal employees about a cyberattack on KeyPoint Government Solutions, another private contractor that does background checks on federal employees.

Didn't it occur to anybody in this administration that maybe, just maybe, these attackers would keep trying?

NEXT: Sheldon Richman Reflects on Magna Carta

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Or maybe we should stop using SSN’s as universal identifiers on every damned thing we fill out.

    How many people have lost their jobs over this at OPM?

    1. How many people have lost their jobs over this at OPM?

      Bwahahaha! Like all government agencies, their failure will be rewarded with a bigger budget and more power.

      1. It’s nobody’s fault. I mean, they are only paid slightly more than their private sector counterparts.

      2. “Mistakes were made; we have updated our policies and provided more training.”

        Do I do it right?

        1. Bollocks; “Did*”

    2. The abuse/misuse of SSNs is particularly rampant within the target demographic of the article. Want to go visit a different outfit? Email your SSN. Want to go to a building other than one you usually do? Email your SSN.

      There are special ways to transmit some of the special info but for a huge number of people, including average citizens who might have a need to go visit a government building, their SSNs are in flight.

  2. Didn’t a lot of people die at Pearl Harbor? Wouldn’t that lead one to believe this is simple hyperbole?

    However, wouldn’t the solution to this problem be for the government to possess much less data that would be worth hacking?

    I know… Pie in the sky…

  3. Florida’s bid for world domination just advanced another giant leap. Behold and tremble, future slaves of Florida!

    1. what you don’t know is the racoon is from Texas and he is just asserting his natural dominance based on geography of birth.

      1. Yeah, right. Texas doesn’t even have wild pythons.

        1. That’s ’cause we killed them all… with our bare hands and hunting dogs.

          1. Texas is all talk when it comes to dangerous fauna. What do you have, rattlesnakes? Bees? Armadillos? Bah. Now if you were Australian, that would be a different story.

            1. The packs of mean tempered wild pigs with sharp tusks aren’t much fun.

              1. And I never saw any fiddlebacks in FL, although I’ve seen black widows in both states.

                1. I can’t take a state seriously that thinks beef, not pork, is the meat to barbecue.

                  1. Pork is great. In sausage. On the side. Beef ribs and brisket is barbeque. Pulled pork is tasty, but not barbeque.

                    1. Really, if you’re going to be delusional, how can we have a serious conversation?

            2. What do you have…

              Fire ants.

            3. Dangerous Fauna of Texas:

              Rattlesnakes.

              Water Moccasins.

              Copperheads.

              Coral Snakes.

              Border Patrol.

              Killer Bees.

              Feral Hogs.

              Mountain Lions.

              Black Widows.

              Brown Recluse.

              1. Which is different from Florida how? Plus we have more. Lame.

                1. I’m so jack up for Python hunt 2016.

                  1. Hope it goes better than the last one, where the living envied the dead.

              2. Oh Crap!

                Except for two of the snakes, we have all that in CT.

  4. I have a great deal of difficulty finding any reason at all to care that millions or tens of millions of government employees are in a state of ‘collective panic’.
    It’s the least they deserve. It’s less than they’ve inflicted.
    And it just might distract them from doing more inflicting while they fret.

    1. I’m rather concerned about a government that undoubtedly holds a crapload of data about me having such vulnerabilities.

      1. Ding ding ding!

    2. Here’s the thing though. GOV employees have non-GOV friends. Those people are put down as contacts on this form. Their SSNs aren’t included but names, addresses, and phone numbers are. A lot more than 14M people just got hosed. On a related note, can anyone recommend (seriously) a credit protection agency for me?

      1. Well, there are loads of credit protection agencies, and I’ve tried three or four, and I’m not awfully impressed. Horse, barn door etc.

        What I have been doing is using a credit freeze. They’re not heavily publicized, but if you’re not constantly applying for credit, a freeze means that all three agencies will ‘bounce’ a credit check if one is made. If you want to apply for credit, you have to unfreeze your status, and after your check is completed, re-freeze it. In my experience, the act of freezing/re-freezing costs about $10 (varies state-by-state).

  5. Paper files would be good. You can fit only so many in a closet.

    1. Why not stone? One additional advantage of stone records is that they last for a very long time.

      1. +10 Commandments

        1. I have this vision that we’re wrong about the older civilizations being more primitive than us. In fact, they were just as advanced, but turned to secure mechanisms like stone tablets for better security.

    2. and we could burn them… I mean, they could catch fire on accident.

  6. I can tell you right now why this isn’t a bigger issue A. nobody understands what happened. and B. No politician/reporter wants to touch this issue with a 1000 ft pole because they fall into category A. Why that matters in this particular issue as it applies to most political discourse is anyone’s guess.

  7. So, does “Cyber Pearl Harbor” mean: (a) a sneak attack, (b) an attack resulting in significant death and destruction, (c) an attack that kicks off American involvement in a larger war, or (d) something else?

    I mean seriously. I have no fucking idea.

    1. I’d like to expand this to include the question of: what separates a pearl harbor like fuck-up with your standard -gate suffix?

      1. were Asians involved? that is the single separating characteristic.

      2. Actually, in the INFOSEC/cybersecurity world, we don’t use “-gate”. The usage for which you’re looking is “wake up call.” There are some great articles written by colleagues of mine who have enumerated just how many of these security “wake up calls” people have cited over the years in their pronouncements, particularly Government representatives.

    2. E- it means absolutely nothing.

  8. The upshot is that foreign governments now have dirt on every federal employee, right?

  9. The government could shut down most IT theft by employing it’s own proprietary protected comm protocol. But such a feature would involve total transformation of Uncle Scam’s IT world; a re-org and format swap that would make Apple’s x86 transition seem quaint.

    Such an effort is far beyond the managerial abilities of such a poorly run organization – but technically, it would be quite feasible.

  10. This may sound crazy, but computers don’t **NEED** to be connected to the Interwebz.

    1. what? then all they can do is play spider solitaire and mine sweeper.

      1. Not connecting the Feds to the Interwebz could decimate the online porn industry.

  11. Imagine if an evil republican like George W, Bush was still president. This would likely be the biggest story so far this decade, and of course it would be more proof of how incompetent he and his administration was.

    But because the media worships and is still completely invested in Block Yomomma, the story got flushed down the memory hole within about 48 hours.

  12. If you think his is a big deal just wait until someone hacks into the little treasure trove the NSA has in Utah.

  13. The panic over this on the Conservative boards has served as a good reminder that conservatives can sometimes be as stupid as Progs. Every conservative posting on this subject is certain that everyone who has a security clearance has some deep dark secret hidden in their SF 86 that the Chinese are going to use to blackmail them with.

    A couple of things. First, there has never been to my knowledge a single instance of a foreign power ever blackmailing someone into becoming a spy. Every single instance of US spies has been someone who was greedy, disgruntled or a committed ideologue who volunteered to become one. Second, most people live boring lives and really don’t have any dark secrets they can be blackmailed over. Even the ones who do, are very unlikely to risk life in a SuperMax to avoid their disclosure. So the Chinese are not going to blackmail anyone.

    Why did they do this? To punk the US and Obama I think. And it is a treasure trove of identity information in order to create false identities for agents. That is what an SF 86 is, a complete picture of a real person. That is very valuable when outfitting agents.

  14. Bad analogy. At Pearl Harbor, the Japanese attacked us first. Is there anyone so naive as to believe that the NSA hasn’t been merrily hacking away at the Chinese government’s computers for years?

    1. If they haven’t, maybe they need to start.

      1. China has about half as many English speakers as US does. Anyone who really can get around on or program a computer in China will by default know some English conventions. American brands and cultural icons are known worldwide including China – not the other way around (Yao Ming is perfectly ironic example).

        But nobody outside China cares about or really understands Chinese cultural output – especially given it being politically circumscribed in a cryptic, provincial language.

        Such realities give the Chinese (and everyone else, really) some fundamental advantages vis-a-vis the US when it comes to mutual observation, illicit and otherwise.

  15. I am happy about this. The less trusted personal identifiers are, the better. A nine digit number that ties all of your credit and tax history together is terrible. It would be better for everyone except the tax man if the identifiers are less universally unique and require some authorization and authentication to be valid.

  16. This is a big deal for lot’s of reasons, many we will soon discover.

    1. Thar’s panic in them hallered halls.

      1. And a crisis is a terrible thing to waste. Think ‘Department of Cyber Security’.

        1. And if you want, you can buy the personal info of that Agent investigating you for the wood chipper incident. On Daaaarrrrkkkknet!

    2. It is a big deal because they are so incompetent. If they can’t do this, God knows what else they are fucking up. I have yet to hear anyone explain why this particular loss of information is such a big deal. All I hear are Tom Clancy novel fantasies about blackmail.

      1. Which is just stupid. If the Chinese are going to mimic a Tom Clancy novel, I think Debt of Honor is much more likely.

  17. We don’t have time or resources to plug any gaping holes in our data security, we’re busy writing subpoenas for a disrespectful comment some guy wrote about a court clerk on Twitter.

    1. Winner, winner, chipped-beef dinner!

  18. “The lesson is that we should probably think twice before entrusting the federal government with our own information.”

    I can choose not to? This new larnin’ amazes me!

Please to post comments

Comments are closed.