OPM data breach a case of déjà vu for agency

June 5, 2015
Cybersecurity experts weigh in on massive hack

Federal officials on Thursday revealed that the computer networks of the Office of Personnel Management and the Department of the Interior were recently victimized by a cyber-attack. Information on as many as four million current and former federal workers may have been compromised.

The breach, which was initially discovered in April, is believed to be the work of China-based hackers. Ironically, Chinese hackers were also suspected of breaking into OPM’s databases last year in search of information on employees with security clearances.

Here is what several cybersecurity experts had to say about the most recent breach:

Mark Bower, global director, product management, HP Security Voltage: Theft of personal and demographic data allows one of the most effective secondary attacks to be mounted: direct spear-phishing to yield access to deeper system access, via credentials or malware thus accessing more sensitive data repositories as a consequence. These attacks, now common, bypass classic perimeter defenses and data-at-rest security and can only realistically be neutralized with more contemporary data-centric security technologies adopted already by the leaders in the private sector. Detection is too late. Prevention is possible today through data de-identification technology.

So why is this attack significant? Beyond spear-phishing, knowing detailed personal information past and present creates possible cross-agency attacks given job history data which appears to be in the mix. Thus, it’s likely this attack is less about money, but more about gaining deeper access to other systems and agencies which might even be defense or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft.

Richard Blech, CEO, Secure Channels: This breach should give all citizens massive concern. OPM seems a tad blasé about this breach stating that "OPM, using new tools, discovered the breach in April, said officials at the agency who declined to comment on who was behind the hack." The new tools cannot be very good if it takes four months to find out you have been breached. The speed and velocity that stolen data proliferates through the hacker black market means that said data has already been exploited. The higher valued data that is held by OPM should have all been deeply encrypted. Their new tools that are detecting and alerting mean nothing if the data is still stolen. The goal is to leave data useless to the hacker when stolen.

Congratulations, four months later and your state-of-the-art technology has notified you that security and protection has been treated as an afterthought.

Igor Baikalov, chief scientist, Securonix: The annual hackathon at the Office of Personnel Management is on, and for the second year in a row, Chinese hackers seem to be in the lead, according to federal officials. Just like a year ago, the breach at OPM was discovered in the spring, announced in the summer, but apparently was going on since earlier winter. Just like a year ago, DHS Einstein identified the hack, although this time it took over 4 million records to get noticed – apparently, even an automated intrusion detection system suffers from breach fatigue. Just like a year ago, the agency is working aggressively to assess the impact, to notify and offer credit monitoring to millions of victims, and to continue "protecting our federal employee data from malicious cyber incidents."

The only difference from last year is that now the Pentagon has a new cyber strategy that specifically calls out retaliation as a viable cyber option not only in response to an attack, but also as a principal factor of deterrence. Are we ready to explore it?

Ken Westin, security analyst, Tripwire: Although this breach is a significant blow to government agencies struggling to protect their data against persistent cyber-attacks, the silver lining is that the agencies are deploying more sophisticated tools to detect breaches, as well as taking additional measures to secure data. It’s frightening that a number of similar breaches have gone undetected in federal agencies and in private industry, as the hackers have found ways to circumvent many basic security controls by modifying malware signatures or utilizing tools native to the systems they are compromising to mask their activities and evade detection.