Hacker News new | past | comments | ask | show | jobs | submit login 

  "We, too, practice cyberespionage and . . . we’re not bad at it" 
  - James Clapper
Ironic, for the intelligence leader of a country that had their defensive systems completely penetrated (with the federal personnel records), and their offensive systems fully outed in the most humiliating way possible (by Snowden)

It seems to me that yeah... you kind are bad at it.

At the very least, a little less self-certainty might be in order.




For what it's worth, the CIA is the only federal agency that keeps their own employee records. Everyone else goes through OPM. They (rightfully) assumed that OPM couldn't keep secrets and that's where we find ourselves today. It's probable that these records are printed, locked in a vault.

James Clapper, the DNI, heads 16 intelligence agencies under him, one of which (CIA) didn't have their records stolen. Though the budget breakdowns are not disclosed, arguably, they are the largest of the bunch and only ones that have deployed field operatives.


this is exactly the problem. The CIA did not get hacked it was OPM and no CIA records were stolen. But by simple process of elimination china could look at all the embassy staff in beijing and find out who is not in the OPM records, since the CIA is the only one not keeping personel files with OPM anyone working at the beijing embassy and not in the OPM records must be a CIA agent


I don't think it's possible to conclude that the CIA employee records were not hacked in separate attempts - only that there is no public record of a hack. But that's poor proof, if there were CIA records were separately stolen, I assume there would be a strong justification made to hide that outcome.


Being bad at defense doesn't necessarily imply being bad at offense. Security is hard because you have to win 100% of the time. Being good at cyberespionage means getting a win now and then. I'm not saying the US is good at it, just that neither the OMB breach nor the Snowden incident bear on that. And a lot of the info released by Snowden indicate they were pretty good at it (at least targeting their own citizens) or those disclosures wouldn't be such a big deal.


Being good at cyberespionage means "not getting caught"


I've never been caught. Does that make me good at cyberespionage? I think there's more to it than that. You might argue necessary but not sufficient, but I'd even disagree with that. The fact that the NSA was outed by Snowden has not made everything they're doing ineffective or we wouldn't be so worried about it.


II agree but was highlighting the fact that being to blatant ala the OPM hack can backfire.


I imagine Clapper was more focusing on offensive capabilities here. Not to mention, Clapper's quote is taken out of context, he wasn't bragging, he was arguing against a tit-for-tat retaliation.

Defensive is interesting considering how many federal departments there are and how they're all pretty autonomous in regards to IT. Going after employment records was especially devious as they aren't classified, so whatever requirements OPM had to follow weren't very stringent.

The real issue here, and something that affects the private sector as well is why are we not treating all IT data as classified? Why all the half measures? I think we're still in the early stages of digitization and automation and have to learn security lessons the hard way.

Also in autocratic states where information is tightly controlled, hacks like this don't make the news. We have no idea what the NSA is actually doing in these countries outside of Snowden, whose data is mostly (all?) domestic programs. And the stuff we do know about like Stuxnet, only come out because certain people wanted to turn it into a political football.


Yesterday I was wondering why encryption is not the default. Government shmovernment, but I remember looking up how to password-protect directories in Windows 95 (sorry to everyone else on HN who got started on an Apple II). It wasn't until college that I figured out that you can easily navigate the directory structure in another machine by just plugging in hard drives to a machine running a different OS. I look at people's nude pics of themselves by PC/phone repair people, and I'm convinced that there is no good reason why data should be stored in plain text. But now search comes into the picture, and it's expected and we're probably stuck with it for my lifetime




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: