The OPM Hack (link roundup – updated)

Update 08.31.2015:

China and Russia are Using Hacked Data to Target U.S. Spies, Officials Say– Los Angeles Times

How Bad? Very Bad:

Newly Disclosed Hack Got ‘Crown Jewels’; ‘This is Not the End of American Human Intelligence, but it’s a Significant Blow,’ a Former NSA Official Says– Politico

Hackers May Have Obtained Names of Chinese With Ties to U.S. Government – New York Times

The Hack on the U.S. Government was Not a ‘cyber Pearl Harbor’ (But it was a Very Big Deal) – Washington Post

Officials: Chinese Had Access to U.S. Security Clearance Data for One Year – Washington Post

Attack Gave Chinese Hackers Privileged Access to U.S. Systems – New York Times

China’s Hackers Got What They Came For – The Hill

Hacking as Offensive Counterintelligence;   China’s Hack Just Wrecked American Espionage and China’s Spies Hit the Blackmail Jackpot With Data on 4 Million Federal Workers – John Schindler at his XXCommittee blog and at The Daily Beast

How Was It Discovered? During a Product Demo:

Report: Hack of Government Employee Records Discovered by Product Demo Security Tools Vendor Found Breach, Active over a Year, at OPM During Sales Pitch – ArsTechnica

Level of OPM Incompetency? High. Very Old Software, Unencrypted Databases, and Foreign Contractors, Including Chinese, with Root Access:

Encryption “would not have helped” at OPM, Says DHS Official; Attackers had Valid User Credentials and Run of Network, Bypassing Security – ArsTechnica, with details of the OPM systems and lack of security

  “!! OPM IT outsourced to foreigner contractors, with root access, working from their home country. In this case, China” – John Schindler (@20committee): June 17, 2015

Oversight Chairman: Fire Leaders of Hacked Agency – Politico


5 Chinese Cyber Attacks That Might Be Even Worse Than the OPM Hack – Defense One


Former NSA and CIA Director, Michael Hayden (quote via Benjamin Wittes @ as to what he would have done if he had had the ability to get Chinese records equivalent to the OPM records when he was serving in his IC positions:

“I would not have thought twice. I would not have asked permission. I’d have launched the star fleet. And we’d have brought those suckers home at the speed of light . . . This is shame on us for not protecting that kind of information.”

From Benjamin Wittes writing on the OPM hack at LawFare in his post “Is the Privacy Community Focused on the Wrong Government?“:

“For the record, I have no problem with the Chinese going after this kind of data. Espionage is a rough business and the Chinese owe as little to the privacy rights of our citizens as our intelligence services do to the employees of the Chinese government. It’s our government’s job to protect this material, knowing it could be used to compromise, threaten, or injure its people—not the job of the People’s Liberation Army to forebear collection of material that may have real utility. Yet I would have thought that privacy groups that take such strong views of the need to put limits on American collection, even American collection overseas against non-U.S. persons, would look a little askance at a foreign intelligence operation consisting of the bulk collection of the most highly-personal information—an operation involving not only government employees but also those close to them. You’d think this would raise someone’s privacy hackles, if not mine.”

Adam Elkus writing at BusinessInsider:

“[C]leaning up the systematic dysfunction in OPM and other agencies will require a harsh and swift hand and plenty of pink slips. Fantasizing about super-hackers and visions of cyber-doom are more fun than the boring but necessary drudgery, for example, of modernizing a decrepit and decaying federal information technology base or ensuring that basic security protocols are observed.”

Megan McArdle at BloombergView:

“The serial IT disasters we have seen over the past seven years do not need a blue-ribbon commission or a really stern memo to fix them. If we want these holes fixed before they become catastrophic, we need leaders with a scorched-earth determination to have adequate IT. The only way that determination happens is if these failures become an existential threat to the careers of the politicians in charge.”