But who would you prosecute for what? It is easy to start pushing people under the bus, but when you look at cases like this you often find that it is an organisational failure, not an individual one.
That's why I really like the NTSB's style of investigation (they're the people who investigate air crashes). Instead of going in and trying to pin it on one person, they look at procedures, organisational communications, chains of command, the whole works.
Most of their reports don't come out and say "engineer John Smith caused the accident by forgetting to tighten this bolt!" They say, we looked at John Smith, we found the mistake, then we looked at how John Smith's work is monitored, the procedures for this repair, the training given, what their manager did, their working conditions, etc.
Then finally they come up with some recommendations so it cannot happen again. These are normally procedural, training, and organisational changes, rather than simply saying "nobody should make mistakes ever again or jail!"
This is what we need for information security leaks like this. We need an NTSB-style org to come in, pull apart the organisation and how they operate, give everyone criminal immunity so they talk openly, and then generate concrete changes so this never happens again (and ideally send these changes to other departments).
Isn't that what this article is about? We are pretty certain that this was an act of espionage by another nation state. Criminal investigations are not how you respond in those cases (unless we found the agent on our soil, which AFAIK we did not).
What is curious is that we aren't sure what the norms are for how to respond to cyber espionage, unlike with in person espionage which had a whole set of responses we could fall back on.
Certainly, negligence that should incur public disgrace.
Also arguably demonstrating one of the points made by the whistleblowers: You can't trust the government to properly manage all the information they are collecting.
This isn't negligence. Instead of trying to protect data and networks the US government has made "cyber crime" a military issue. They've been doing it deliberately and publicly, for over a decade. Domestically they followed the same plan: companies get protection (financial, legal, image), discouraging them from taking security seriously, and individuals get the CFAA which has a similar effect. They want data and network security to be a military problem, not to encourage security.
We can't blame the OPM for the security issues. They were a victim of a bad national strategy.
If you "see something, say something" unless it's about cyber security.
"We, too, practice cyberespionage and . . . we’re not bad at it"
- James Clapper
Ironic, for the intelligence leader of a country that had their defensive systems completely penetrated (with the federal personnel records), and their offensive systems fully outed in the most humiliating way possible (by Snowden)
It seems to me that yeah... you kind of are bad at it.
At the very least, a little less self-certainty might be in order.
For what it's worth, the CIA is the only federal agency that keeps their own employee records. Everyone else goes through OPM. They (rightfully) assumed that OPM couldn't keep secrets and that's where we find ourselves today. It's probable that these records are printed, locked in a vault.
James Clapper, the DNI, heads 16 intelligence agencies under him, one of which (CIA) didn't have their records stolen. Though the budget breakdowns are not disclosed, arguably, they are the largest of the bunch and the only ones that have deployed field operatives.
This is exactly the problem. The CIA did not get hacked, it was OPM, and no CIA records were stolen. But by simple process of elimination China could look at all the embassy staff in Beijing and find out who is not in the OPM records. Since the CIA is the only one not keeping personnel files with OPM, anyone working at the Beijing embassy and not in the OPM records must be a CIA agent.
I don't think it's possible to conclude that the CIA employee records were not hacked in separate attempts - only that there is no public record of a hack. But that's poor proof; if CIA records were separately stolen, I assume there would be a strong justification made to hide that outcome.
Being bad at defense doesn't necessarily imply being bad at offense. Security is hard because you have to win 100% of the time. Being good at cyberespionage means getting a win now and then. I'm not saying the US is good at it, just that neither the OMB breach nor the Snowden incident bear on that. And a lot of the info released by Snowden indicate they were pretty good at it (at least targeting their own citizens) or those disclosures wouldn't be such a big deal.
I've never been caught. Does that make me good at cyberespionage? I think there's more to it than that. You might argue necessary but not sufficient, but I'd even disagree with that. The fact that the NSA was outed by Snowden has not made everything they're doing ineffective or we wouldn't be so worried about it.
I imagine Clapper was more focusing on offensive capabilities here. Not to mention, Clapper's quote is taken out of context, he wasn't bragging, he was arguing against a tit-for-tat retaliation.
Defensive is interesting considering how many federal departments there are and how they're all pretty autonomous in regards to IT. Going after employment records was especially devious as they aren't classified, so whatever requirements OPM had to follow weren't very stringent.
The real issue here, and something that affects the private sector as well, is why are we not treating all IT data as classified? Why all the half measures? I think we're still in the early stages of digitization and automation and have to learn security lessons the hard way.
Also in autocratic states where information is tightly controlled, hacks like this don't make the news. We have no idea what the NSA is actually doing in these countries outside of Snowden, whose data is mostly (all?) domestic programs. And the stuff we do know about like Stuxnet, only come out because certain people wanted to turn it into a political football.
Yesterday I was wondering why encryption is not the default. Government shmovernment, but I remember looking up how to password-protect directories in Windows 95 (sorry to everyone else on HN who got started on an Apple II). It wasn't until college that I figured out that you can easily navigate the directory structure in another machine by just plugging in hard drives to a machine running a different OS. I look at people's nude pics of themselves by PC/phone repair people, and I'm convinced that there is no good reason why data should be stored in plain text. But now search comes into the picture, and it's expected and we're probably stuck with it for my lifetime
As some previous articles have already mentioned, they probably already knew who they were anyways. Only their offices have special locks. They don't mingle with anyone else at the embassy but their own. They also don't have the same 3-4 year requirement of staying at the embassy so they leave early; and when their replacements arrive, they take over the same offices.
I like the idea that CIA officers are directly identifiable by their absence from the database. It reminds me of submarines and sonars. I understand that modern submarines are pretty good at diverting sonar waves so that they have a small footprint. However when a fishing boat passes over a submarine while scanning the ocean floor looking for fish, the submarine becomes immediately visible as a dark shape of sonar waves not returning from the ocean floor.
Anti-submarine vessels have to do one thing really well to have any chance: be quiet. Fishing vessels can happily plough the ocean waves pinging to their heart's content. An anti-submarine vessel that did that quickly becomes a target, or if the submarine is feeling generous, something to go around - thanks for telling us where you are.
There's a time and a place for active sonar in finding and killing submarines, but it's not from your anti-submarine ship, all day every day.
The Soviets used to do that with their "fishing fleet". We would send submarines out the Strait of Juan De Fuca, it would drop down to 1,000 feet, and the "fishing boats" would lose it every time. It still didn't work. I don't know of any reliable way to find a submarine, even today.
On an interesting related note, during the recent Russian occupation of parts of Ukraine, a helpful app was created and released by "Russia" [1] that would allow pro-Russian civilians in the region to act as reconnaissance for the Russian and pro-Russian forces. Very simple; if you see some Ukrainian military, push the matching picture on the app. Your location and chosen picture are uploaded, and whoever is sitting at the other end sees all the results.
Bingo; you've turned the civil population into military reconnaissance. Are they now a valid target? They certainly don't seem to be just plain civilians anymore, but they're not lawful combatants either.
As it turned out, I am led to believe that the app wasn't a great success, but it's still a disturbing trend.
[1] I say "Russia" because I can't dig out more detail right now. Obviously company X working with agency Y or some other such.
Another vindication of Ishmael Jones' position on the stupidity of relying upon State Dept covers for CIA personnel. For a hilarious and unparalleled, informative look at the Agency:
This OPM breach is an unmitigated disaster. What were they thinking, storing sensitive biometric information like fingerprints in an easily hacked database[1]?
One can envision a time in the very near future (if not already), when a random foreigner is stopped on the streets of Beijing and asked to press his finger to a reader attached to an Android phone. The device would then display his picture, official position, address, salary, clearance level, etc. Or else, just walk into the restaurant he just left and take the fingerprint off a used glass.
If he's there in some intelligence gathering capacity, the Chinese could then have him followed, or send him packing, or maybe even detain him for a day as a form of harassment, knowing that the U.S. government is powerless to do anything about it. They have us over a barrel.
Be thankful for that. Cyberattacks are so hard to trace back that it's very easy to set up a false-flag operation. Framing someone else for your attack would become a simple way of starting a war between two of your opponents.
When Snowden leaked the documents, no one was endangered.
This breach, and lots of people are endangered.
But are you getting calls for criminal investigation? Are heads rolling (other than the head of OPM, who was hated anyways)?