A Crime, a Criminal and a Cover-Up
I live in the Washington DC metropolitan region, within miles of the Central Intelligence Agency and I’m shocked that people, including our elected officials, seem to be downplaying the criminal break-in at the Office of Personnel Management (OPM). This break-in could affect up to 18 million people and this is just the first inning.
OPM is generally known as the government entity that manages pension, health and insurance benefits for retired Federal employees and their families. It is also the organization that holds and processes the majority of security clearance paperwork. It houses volumes of highly sensitive information on the roughly 5 million people with current security clearances. That’s information about government employees and their contractors, here in this country and abroad, and includes many of my friends and neighbors, as well as yours, no doubt.
As a venture capitalist actively investing in privacy and security companies, this break-in caught my attention immediately. This is an opportunity for entrepreneurs to innovate around a serious vulnerability and help our country play offense, as well as defense to a very real threat on our soil.
This burglary hits home for me — I had a security clearance at an earlier time in my life, when I served as the CFO of an airline that supported the stealth fighter program as well as Desert Shield and Desert Storm. I will tell you that the information that the government gathers to determine if you can be granted a clearance is extensive, personal, invasive, and highly sensitive. It helps the government understand who you are, your family and your friends, and where your vulnerabilities might be to a foreign adversary. The investigation process is intense, expensive and time-consuming (and there’s room to re-engineer the process frankly).
Now China, which is behind the break-in, has unbelievable insight into who in the government (especially those with security clearances) has a financial issue, who may have had an affair they might be trying to cover up, who has or had a drug or drinking problem, and who has relatives with weaknesses which can be exploited. One such case was profiled in Reuters. It isn’t a matter of information being exposed. It is how it may be used to coerce and manipulate people into releasing state secrets that were once considered safeguarded.
And we are calling this a “data breach?”
This is not Target or Home Depot where a credit card number, password or email address was stolen. You can change your credit card number, password and email address. And this is not something where “One year of credit monitoring” is a good solution. You can’t easily change your name. Your address. The names of your kids. Your employer. Your spouse. Your social security number. Your links to family, friends, businesses and colleagues. Once an adversarial nation state knows you have a security clearance, they can start to map your network and target you and your employer via specific attack vectors, especially spear phishing.
And that is already happening.
Earlier this week, the United States Computer Emergency Readiness Team (US-CERT) issued the following warning:
“US-CERT is aware of phishing campaigns masquerading as emails from the Office of Personnel Management (OPM) or the identity protection firm CSID. For those affected by the recent data breach, the legitimate domain used for accessing identity protection services is https://opm.csid.com.”
Beyond hijacking valuable information, these perpetrators are now exploiting human naivety and weakness through spear phishing. Unlike high profile commercial scams, as Invincea’s Norm Laudermilch said, “Those breaches are typically not perpetrated with financial gain in mind.” (I’m an investor in Invincea an advanced threat endpoint protection company).
Lets call it what it is. This is state sponsored espionage that involves our second largest trading partner. This is cyber-terrorism. This is a crime. We need to respond accordingly, publicly and swiftly.
The Federal Times reported: Senators Mark Warner, D-Va., and Angus King, I-Maine, wrote in a June 10 letter that OPM should receive an additional $21 million in fiscal 2016 to continue and finish cybsersecurity upgrades it has already begun and to evaluate additional measures the agency may need to take.
There are rumors that a public update is expected next week. Here’s what I’ll be looking for:
How exactly did they break in to our systems?
When did the break-in happen, and how long did it take before we discovered it?
What steps were taken once we found out?
Who is responsible for this attack?
How does this impact these 18 million people — and their families?
What exactly are we going to do to fix this?
What exactly are we going to do to make sure it doesn’t happen again?
Finally, what will we do “offensively” as a government to discourage future such attacks? It is not enough just to build a wider moat. Entrepreneurs should start to think “offensively” to address new threat vectors in privacy and security.