
U.S. Was Warned of System Open to Cyberattacks - amenghra
http://www.nytimes.com/2015/06/06/us/chinese-hackers-may-be-behind-anthem-premera-attacks.html?_r=1
======
higherpurpose
This is what happens when you focus mostly on offensive capabilities and
surveillance and do almost nothing about the _actual security_ of the systems.

Sounds like the main culprit of this data breach was not patching their
systems and not using 2-FA. Also, when you want to make it easy for the NSA to
get data on Americans, you're also making it easy for China to do the same - I
wonder if this is finally when the administration will get it (but I'm not
holding my breath):

> _And a number of administration officials in interviews on Friday painted a
> picture of Chinese adversaries who appear to be building huge databases of
> information on American citizens, useful for intelligence gathering and
> other purposes._

Also, it didn't help the security that Obama hired technological morons as
CISOs and "cyber czars" with their "big picture" ideas.

> _Mr. Earnest said Mr. Obama’s efforts to push legislation would bolster the
> nation’s data._
>
> _“We need the United States Congress to come out of the Dark Ages and actually
> join us here in the 21st century to make sure that we have the kinds of
> defenses that are necessary to protect a modern computer system,” he said._

Yup. So still not taking this seriously. The current "cybersecurity" bills are
all about surveillance, not about actual security defense. Well okay then.

------
wglb
> _“We understand that there is this persistent risk out there. We take this
> very seriously.”_ said every breach victim ever, _after_ the breach.

~~~
stcredzero
However, something is clearly going wrong in terms of:

1) How security infrastructure is constructed in the first place

2) How security experts have communicated to and educated the public

The way computers are put together and software is distributed makes them
insecure by design. This puts the public (non-experts) in a position where
they feel helpless to do the right thing.

On top of this, a pervasive attitude amongst security experts is that
laypeople are hopeless idiots. The science, medical, and public health fields
have to deal with misconceptions and misinformation all of the time. When I
compare outreach from those fields and computer security, I wonder if more
shouldn't be done.

~~~
superuser2
The problem largely comes down to _write secure software_, a large part of
which is _stop doing manual memory management_, to which the community
responds "over my dead body."

The problem isn't how security infrastructure is constructed, it's _that_
people would rather buy "security infrastructure" and bolt it on to bad code.

Laypeople have demonstrated themselves to be hopeless idiots with regard to 1)
passwords and 2) infecting Windows installations for quite a while. Taking
away the ability to accidentally screw these things up (2FA, sandboxing,
walled garden app stores, etc) is a huge step forward.

~~~
pdkl95
While I totally agree that memory management is a _huge_ source of problems
(learning Rust is next on my project queue), I suspect that the problem of
"writing secure software" is not actually technical in nature. The best tools
and methods in the world are only useful if they are actually used in
practice.

A better question is why people accept insecure software and then let the
software industry blame the victims (like calling them "hopeless idiots"),
when it was - as you say - the insecure software that was the actual problem.

Dan Geer was right - you fix this with product _liability_. The tools (such as
new languages like Rust, etc.) will happen automatically if you make the person
who sold you software liable for the damage it causes. (Standard "when used
normally" restrictions apply, of course.)

------
sehugg
_As one senior former government official who once handled cyberissues for the
administration, who would not speak on the record because it could endanger
the person’s role on key advisory committees_

In the commercial world, speaking out about security issues makes you a
celebrity. In government, it makes you a liability.

~~~
confluence
Pretty sure it makes you a liability everywhere.

Plenty of white hats have gone down for reporting publicly.

~~~
adventured
White hats go down for speaking out, because the government works with the
private sector to punish them.

Outside of that, it does make them celebrities. It gives them professional
credibility, publicity, and the opportunities that go with all of it.

------
mpyne
Well no shit. _I've_ warned parts of the U.S. government that they're "open
to cyberattacks". It's obvious even from the outside and has been obvious for
years.

The surprise isn't that China (or somebody) hacked OPM. The surprise is that
we noticed this one.

~~~
mpyne
And it turns out that China was probably doing this for a year. And that the
only reason OPM caught it was because a cybersecurity company happened to be
demo-ing their product at OPM that day, which finally explains the surprise.

------
pasbesoin
It's time to be transparent about this. Hell, our "adversaries" apparently
have detailed knowledge of the circumstances. It's time we did, so that we can
push for things to be fixed.

At the same time, pushing back against this "lock down the Internet"
mentality. It's not about choking the medium to some autocratic death. It's
about smartening up one's presence on and use of it.

I'm not talking about some Congressional dog and pony show. Nor about reports
that sit in some pol or bureaucrat's locked desk drawer forever. I'm talking
about full on sunlight. Leave the wankers no shadows to hide in.

------
homunculus
If NYT knows the Third Department and whatever private contractors they have
are trying to breach USG computer systems then I guess NSA knows that as well.
Not even touching on defensive needs, why isn't NSA blanket surveilling Third
Department, et al. and making that intelligence known to potentially affected
agencies?

------
comrade1
The NSA has two jobs - defensive and offensive/surveillance. Not only have
they neglected their defensive work they and the FBI have been actively and
successfully weakening US information defenses.

------
anti-shill
The govt does not hire or promote on merit. This is why this occurred and why
the obamacare site and other govt software had/have so many problems.

~~~
noir_lord
That's only a small part of it, if at all.

Other reasons are costly infrastructure, huge size of systems, how long it
takes to replace them (if it's longer than an election cycle they'll probably
get cancelled/modified half way through and go late and over budget),
preferred vendors (only really large companies are given these jobs),
political pork and lack of oversight.

It's not just the US, the UK blew 12bn on an NHS system that basically never
worked the way it was supposed to and that was just one of their disasters.

~~~
pakled_engineer
Government here in Canada blew $200m on a glorified database that never worked
either. Contract given to a crony corp of the political party in power of
course.
[http://www.vancouversun.com/life/Auditor+general+slams+troub...](http://www.vancouversun.com/life/Auditor+general+slams+troubled+social+welfare+computer+system/10934904/story.html)

------
gaius
Two words: air gap

Three words: not rocket science.

~~~
pmorici
No way. For one, there is no such thing as a true air gap in an organization
past a certain size that probably has multiple office locations. The worst
thing about this word, though, is that idiots use an 'air gap' as a crutch to
justify their lazy and inept IT practices.

~~~
gaius
If you won't listen to me, listen to Kaspersky:

[http://www.theregister.co.uk/2015/06/05/kaspersky_says_airga...](http://www.theregister.co.uk/2015/06/05/kaspersky_says_airgap_industrial_systems_why_not_airgap_baby_monitors_as_well/)

You need our wisdom badly.

