But in this case there was no announcement about the attack. “The administration has never advocated that all intrusions be made public,” said Caitlin Hayden, a spokeswoman for the Obama administration. “We have advocated that businesses that have suffered an intrusion notify customers if the intruder had access to consumers’ personal information. We have also advocated that companies and agencies voluntarily share information about intrusions.”
That's rich. I'm a Facility Security Officer and this article is the first I have heard of this breach.
Also, as indicated by an article comment someone else posted here, e-QIP is used for all clearance investigations handled by OPM, regardless of who the candidate works for. They cover DOD, DOE, DHS, and other base-level security clearances. The complete records are supposed to be destroyed once the clearance is adjudicated, so it should only affect personnel who are in the process of an initial or periodic investigation.
I'm assuming that you deviate from this, but the reputation for FSOs in the Federal government is do-nothings who answer to nobody.
The security clearance process is a joke. Everything about DoD IT security is a joke. Polygraphing people and pretending it's scientific is a joke. It's all just a bullshit machine to ensure left of center people are excluded from the Department of Defense and other agencies.
I'm done in 2 weeks. Can't wait to leave every FSO and Information Assurance manager behind me. A bunch of do-nothing paper pushers who conduct the security theater and hamstring decent software with paperwork while approving anything with Oracle or Microsoft written on it.
A brief NPR report on the subject last week was the absolute first I heard, but this article is the first detail. The NPR story didn't say what the hackers had tried to get, just that they breached OPM and tried to get a list of government employees in sensitive positions. This article I did not see until it was posted here.
Most FSOs I've met and worked with don't at all keep up with anything relevant to their jobs. It's known to be a complete dead-end job in the Federal Gov't, with the exception of people employed at Defense Contractors who have the role of FSO on top of another role. For those folks, it's just a task of assisting with clearances and the like on top of their normal duties.
This is indeed a big deal. I believe e-Qip is used for HSPD-12 processing, so you would be looking at information for almost everyone who was directly or indirectly employed by the federal government. And their references, relatives, and so forth. It's not just security clearances; I got to use it last year applying for a public trust clearance.
Also, OPM is essentially the human resources department for the federal government, overseeing a bunch of stuff including currently running usajobs.gov.
Definitely not just sensitive jobs – I first encountered it as a contractor working for NASA (where I set foot in a government building no more than twice a year).
That's a LOT more people, many of whom have probably gone on to work in other interesting places.
The department itself is responsible for preventing this.
Cyber Command shouldn't be operating on US soil (for constitutional reasons), at least outside of "training exercises" and securing inter-DoD systems (of which the federal government is not). The NSA can help other departmental and non-departmental organisations secure their systems either through consulting or potentially even pen testing (that's legal and part of their remit).
The FBI has also taken an on-again/off-again role in trying to secure inter-US systems but they don't really have the budget or remit to be doing that fully.
> The hackers must have used a US based VPN, because it would be retarded to allow connections directly from China to access any US DoD systems, right?
As you yourself alluded to, blocking connections based on GeoIP is utterly, utterly pointless. The internet is designed such that you can route around those types of blocks fairly trivially (e.g. proxies, VPNs, foreign servers, private interconnect agreements, et al).
That answer does not present a constitutional bar to Cyber Command operating on US soil, it presents a statutory bar (the Posse Comitatus Act) to using the military for law enforcement.
Furthermore, it's a truncation of a longer article (whose original source seems to be unreachable, at least at the moment) that cuts off midsentence. The last whole sentence and the fragment that follows is at the beginning of the section titled "The erosion of the act" and reads "While the Act appears to prohibit active participation in law enforcement by the military, the reality in application has become quite different. The Act is "
So, I don't think it really answers the question at all.
I'd argue that the intention for that is to protect against using military equipment against civilians. (which is already being done in some cases, MRAPs, automatic weapons, body armor, SAMs)
Using the military to protect from foreign attacks is exactly what it's supposed to be used for. What's the harm of protecting US govt employees and even civilians and businesses from internet attacks with agencies that are technically part of a military branch? I'm not saying send troops after anyone; if someone within the US hacks something, either pass it to the FBI or just fix the security hole and move on.
From the page you linked to: "Active participation in civilian law enforcement, such as making arrests, is deemed to be a violation of the Act, while taking a passive supporting role is not. Passive support has often taken the form of logistical support to civilian police agencies." So basically that doesn't apply to internet and telecommunications protection. I'm not suggesting that USCyberCom hacks US citizens or businesses, but they possess the capabilities to help protect them, which in turn strengthens their own security.
The way Cyber Command operates is quite offensive (e.g. attacking servers used by "enemy" "combatants").
The NSA's job is to secure US systems; the Cyber Command's job is to go attack foreign countries' systems.
There is definitely some overlap there (particularly with cyber Command working to improve DoD security).
I'd say that ultimately the NSA has a far bigger/better legal right to be doing that kind of thing than the Cyber Command does (and also the law wouldn't be super-clear-cut if the Cyber Command had to attack a US-hosted server, network, or client).
Or to use a really bad analogy: You could have the US Army defend Washington DC instead of the Capitol Police, however most would be more comfortable with the Capitol Police and there are far fewer potential legal hurdles also. Everything is fine if all the US Army did all day was stand outside of buildings, but as soon as they literally have to shoot someone all hell is going to break loose (or in our case as soon as Cyber Command had to act in an offensive way against a US company, citizen, or similar).
"In July 2011 Deputy Defense Secretary William Lynn announced in a conference that “We have, within Cyber Command, a full spectrum of capabilities, but the thrust of the strategy is defensive.” “The strategy rests on five pillars, he said: treat cyber as a domain; employ more active defenses; support the Department of Homeland Security in protecting critical infrastructure networks; practice collective defense with allies and international partners; and reduce the advantages attackers have on the Internet.”"
Their directors have emphasized that while it will have extensive attack capabilities, it will also provide support to all departments to help strengthen system security across the board.
Banks, hospitals, government departments not relating to the military, utilities (power/water), are all critical to the nation and we must use every asset we have to protect them.
I'd argue that any analogy involving armed soldiers or deadly equipment is very different from defensive cyber warfare. Cyber Command should NEVER act offensively against a US company or citizens; no government organization should, in my opinion, unless a similar level of physical violence is threatened or performed by those citizens.
If I was in charge I would allow all US citizens to attack US government systems as long as they responsibly disclose the security vulnerabilities and do not distribute any stolen information (and as long as they don't cause a service interruption), without fear of prosecution.
Is it reasonable to expect every department, organization, and agency to have flawless security?
Not necessarily blocking based on IPs, but requiring VPNs to access these networks, which would be a requirement for another level of authentication and another point of monitoring who accesses the systems.
> Is it reasonable to expect every department, organization, and agency to have flawless security?
No.
But it is no more reasonable to assume that a single department or organisation would have a remit to secure every computer system of the US government.
> Not necessarily blocking based on IPs, but requiring VPNs to access these networks, which would be a requirement for another level of authentication and another point of monitoring who accesses the systems.
You mean employees require a VPN to access these systems, or the "bad guys"? VPN access for internal networks is fairly standard already. A handful of these kinds of incidents originate when an employee infects their machine with malware which then "calls home" and gives others a backdoor way into the network (which can then be sold on or utilised).
To protect US (non-military) systems from foreign intelligence agencies and hackers? Probably not. I can't imagine many security researchers would want to work for the DHS unless the pay was enormous.
The most uncomfortable thing on an SF-86 would probably be your past convictions, but it's unlikely you would get a TS in that case. After that, maybe the names of family members. It also would have your current address and foreign investments, but nothing extremely personal.
> Not to sound like Chicken Little, but just looking at the information on my e-Qip form, there's a lot more in the database than the NYT reports. For starters, I'm not, nor have I ever been a federal employee. So, the scope is actually anyone who has, or has applied for a clearance. That means contractors too. The header of each of the 37 pages on my form has my Social Security Number. In the document you will find the SSNs for my ex-wife, son, and current girlfriend. Other tidbits include the Naturalization numbers for my mother, ex-wife, and girlfriend. Full names, and contact information for people who've known me at the places I've lived for the past ten years. Same for employers. Living in the DC Metro area, many of my references, both personal and professional, have clearances, so they each have the same form in the database. The only financial information asked for in the version I have had to do with accounts that were past due or in arrears, so the typical bank account, credit card, mortgage, and car loan stuff isn't in the form.
The SF-86 is a gold mine as a starting point for exploitation. It does not provide much useful blackmail material in itself, but all the contacts and life history information are very valuable for focusing further efforts if a person is chosen for exploitation. It also provides clues, particularly when combined with other open source material, as to who may have shit lying around that could be exploited. Remember, one purpose of this form is to allow OPM to do exactly the same thing, but from a defensive standpoint.
They have extensive sections on psychological health (e.g., have you seen anyone for a mental health issue in the last 7 years, if so who, and their contact information). There are extensive sections on criminal history and past employment, including reason for leaving, especially if it was Federal employment.
There are also sections on past friends, past addresses, and spouses and ex-spouses, and foreign contacts.
Furthermore, it's not just convictions, you also have to report being charged with any felony offense, even if not convicted. Also, drug and alcohol related history, and gambling. And repossessions, liens, etc.
The SF-85 is a less intrusive version of the SF-86. I think a typical contractor working on open projects would use an SF-85. But note, when you sign the SF-85, you allow the government to collect additional information from various sources (but not medical information). This compiled information would presumably be stored on the systems that were targeted in this hack.
I know people who resigned from their job rather than fill out the SF-85. Part of their reason was that something like this might happen.
They usually come from Chinese IP addresses and leave Chinese comments in scripts, Chinese symbols in binaries, and so on.
In many cases, the systems used in the attack also correlate to actual individuals through other means, such as the attacker logging in to their personal email account and doing daily activities, not being aware that they have been "hacked back" so to speak.
There is probably some percentage of attacks falsely attributed to China, but it's usually obvious, and no one else has much incentive to go to great lengths to impersonate them.
Russians don't care enough to train their operatives to learn Chinese and impersonate them in an attack for example, they'll just hack the US in Russian.
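The "Chinese comments in scripts, Chinese symbols in binaries" indicator mentioned above is something an analyst checks by hand with `strings`, but the naive approach misses legacy code pages. Below is an added example (not from the original thread, and not anyone's production tooling) that pulls CJK text out of a blob whether it was written in UTF-8 or in GBK, the code page Chinese Windows tools commonly emit; the sample blob is constructed for this example and is not from any real malware. It also illustrates the caveat raised in the comments about false attribution: decoding is tried strictly and UTF-8 first, because almost any byte pair decodes "successfully" under a lenient GBK decoder and produces mojibake that looks like Chinese.

```python
import re
from typing import List, Tuple

# Constructed sample "binary" for this example (not real malware): an ELF-like
# header, ASCII strings, one UTF-8 encoded Chinese string, one GBK encoded
# Chinese string and some undecodable filler, all NUL separated.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00"
    + b"connect_to_c2\x00"
    + "下载配置文件".encode("utf-8") + b"\x00"   # "download config file"
    + b"\xff\xfe\xff\x00"                        # junk: invalid in UTF-8 and GBK
    + "上传结果".encode("gbk") + b"\x00"         # "upload result", legacy code page
    + b"GET /update HTTP/1.1\x00"
)

# CJK Unified Ideographs plus Extension A.
CJK_RE = re.compile(r"[\u4e00-\u9fff\u3400-\u4dbf]+")


def decode_segment(segment: bytes) -> Tuple[str, str]:
    """Decode strictly, UTF-8 first, then GBK.

    Returns (encoding, text), or ("", "") if neither decoder accepts the
    bytes.  Trying UTF-8 first matters: valid UTF-8 Chinese often also
    decodes under GBK, but as meaningless ideographs (mojibake)."""
    for enc in ("utf-8", "gbk"):
        try:
            return enc, segment.decode(enc)
        except UnicodeDecodeError:
            continue
    return "", ""


def extract_cjk_strings(blob: bytes, min_chars: int = 2) -> List[Tuple[str, str]]:
    """Return (encoding, text) for each run of CJK ideographs in blob.

    NUL bytes delimit candidate strings, the same way `strings` does for
    C-style string tables.  A minimum run length filters out single
    characters that arise from random bytes."""
    hits = []
    for segment in blob.split(b"\x00"):
        if not segment:
            continue
        enc, text = decode_segment(segment)
        if not enc:
            continue
        for match in CJK_RE.finditer(text):
            if len(match.group()) >= min_chars:
                hits.append((enc, match.group()))
    return hits


if __name__ == "__main__":
    for enc, text in extract_cjk_strings(SAMPLE_BLOB):
        print(f"{enc:6} {text}")
```

Run it on a real sample with `extract_cjk_strings(open(path, "rb").read())`. Treat any hit as a lead for further analysis, not as attribution: language strings are trivial to plant, and the thread's point that few actors bother to impersonate another is an assumption about incentives, not something this check can confirm.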
The US just claims every "cyber attack" is the work of Chinese hackers. It is very politically useful both for the continued demonization of what they see as a large adversary but also because it makes the US government appear less incompetent (as they often play up the "elite Chinese hacker" archetype).
For reference, here is what the SF-86 is: http://www.opm.gov/forms/pdf_fill/sf86.pdf