Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Security Government United States

US Lawmakers Demand Federal Encryption Requirements After OPM Hack 91

Patrick O'Neill writes: After suffering one of the biggest hacks in federal history at the Office of Personnel Management, the U.S. government is sprinting to require a wide range of cybersecurity improvements across agencies in order to better secure troves of sensitive government data against constant cyberattacks. The top priorities are basic but key: Encryption of sensitive data and two-factor authentication required for privileged users. Despite eight years of internal warnings, these measures were not implemented at OPM when hackers breached their systems beginning last year.

The calls for added security measures comes as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.
This discussion has been archived. No new comments can be posted.

US Lawmakers Demand Federal Encryption Requirements After OPM Hack

Comments Filter:
  • by MightyMartian ( 840721 ) on Tuesday June 16, 2015 @05:21PM (#49925199) Journal

    Back doors are line anal sex. Once you've lubed up, anyone can enter.

    • by Anonymous Coward
      You just gave half of congress erections.
    • by MobSwatter ( 2884921 ) on Tuesday June 16, 2015 @05:50PM (#49925361)

      While true, many governments are coming together to say outlaw encryption. In the case that has already been proven that we can't use it responsibly (ie: back doors) I agree, then there really isn't a really expensive black budget allocation care of the NSA. Of course credit card fraud would go up, but then again, has the government itself been responsible with credit? Being that they are printing money every six months to keep the doors open and still attacking the people for money I'd say no and with the example provided by government to the people, then the people shouldn't have credit either so no credit card fraud. In the case the government tries to use encryption but denies it to the people, then I'd say they should probably do away with the other parts of the constitution they haven't yet wiped their ass with yet, that being taxation. The constitution is in whole a contract of citizenship to a government, it has to be taken as a whole or not at all, they can't pick and choose which rights they want to stomp on and keep the parts they like.

      • I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?

        • by tsotha ( 720379 ) on Tuesday June 16, 2015 @06:28PM (#49925563)

          They could probably ban encryption for the little people the same way the ban child porn (which is ultimately, after all, just data). Make possessing encryption tools a crime subject to harsh penalties, as well as dissemination of techniques and practices. Actively infiltrate and destroy groups seeking to break the law. Monitor external web sites and arrest anyone who seems to be actively searching for ways to encrypt his data. They could never completely stamp it out, but they could certainly make encryption tools difficult and risky to get ahold of.

          Of course the infrastructure to support the prohibition would be huge and a foot in the door to banning all sorts of other things, but to FBI-types that's a feature, not a bug.

          • Be easy to do, simply create a policy on the ISP level that if encryption is detected then deny service to the mac. End of story for encryption, and a lot of things. I say go right ahead if they have the balls to do it, pull the trigger, pink slip the NSA.

            • So asking for a https link gets your access blocked? Banking systems & webstores are going to LOVE that!
              • by mlts ( 1038732 )

                Easy fix: Have the ISP have a root cert one must put in their keystore, and the ISP uses a device like a BlueCoat appliance for real time MITM-scanning of all traffic.

                Add an in-transit ad injector, and it will be a money maker for the ISP as well.

              • To be honest, I've seen the government do a lot of stupid things and I wouldn't put this past them.

            • by tsotha ( 720379 )
              How could you possibly know a packet contains encrypted data?
          • by mlts ( 1038732 )

            This is easy to enforce:

            Make all devices that connect to the Internet have to pass a NAC healthcheck, with software similar to AV signature scanning, except it has signatures of encryption programs (except programs used for managing DRM), and uses heuristics to find what it considers encrypted files, then notifies the upstream to block the machine from the Net for good. Similar to how modded consoles get tossed off PSN or XBox Live, or how some printers will phone home if someone tries to print PDF files o

            • by suutar ( 1860506 )

              there goes jpegs in email, I guess (they don't compress well, and can have data embedded using steganography). That ought to go over well. Also video files.

        • by Kozar_The_Malignant ( 738483 ) on Tuesday June 16, 2015 @08:26PM (#49926195)

          I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?

          Ask Phil Zimmerman about that. The US didn't lock him up, but it wasn't for lack of trying.

        • by Agripa ( 139780 )

          I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?

          License it (with taxes and fees of course) with conditions which require key escrow or other backdoor. When data streams are discovered which are not using a government approved method, prosecute those who are responsible.

          Treat any constitutional right to use encryption the same way as speech and firearms which are often licensed. A $200 tax for certain firearms in 1934 is the equivalent of $3500 now and that was never s

      • by ihtoit ( 3393327 )

        So much this:

        While true, many governments are coming together to say outlaw encryption.

        It's a familiar line. When guns are outlawed, only criminals will have guns and the State will have monopoly on violent coercion.

        Or:

        When encryption is outlawed, only criminals will have encryption and the State will have the monopoly on secrets. ...Which brings the whole secrecy vs transparency thing to the foreground as well, but that's as equally a vast debate as this one and the twain should never meet.

      • No, they only want to outlaw encryption for individuals. Corporations and the gov't all must use the most powerful, unbackdoored encryption possible. And, of course, all devices used by politicians must not have backdoors either.

        Politicians hate being backdoored.

        But they don't mind it if everyone else gets backdoored. If they can at least watch, if not actually participate.

        • They will get backdoored as well, since most politicians keep using normal civilian tools (hotmail, iPhones, USB sticks, etc.) no matter what ultra-secure tools you offer them.

  • by Bruce66423 ( 1678196 ) on Tuesday June 16, 2015 @05:28PM (#49925245)
    As the revelations about the failure of the IRS to fulfil the requirements of email archiving law showed, the executive branch doesn't do things just because it's told to. Let's hope this one's got teeth; a breach of a system that has not been secured according to the regulations will result in the loss of pension of all those in the chain of command above the person responsible? Sadly, hanging, drawing and quartering isn't allowed any more...
    • by Anonymous Coward on Tuesday June 16, 2015 @05:47PM (#49925349)

      The problem with security is that under normal circumstances it delivers zero value to an organization and basically just shores up against bad publicity. The best security in the world isn't enough and you can spend $ridiculous on it and still only be 99% secure. You're basically trying to outspend your competition in the hopes that they won't hire the guy that knows where the bad sprintf() is.

      To any corporation, or any department, this is just a pure money-sink with no returns on investment. It's cheaper to cover up the breaches.

    • Re: (Score:3, Informative)

      Let's hope this one's got teeth; a breach of a system that has not been secured according to the regulations will result in the loss of pension of all those in the chain of command above the person responsible?Â

      That's a good one. Probably the worst that will happen is that someone higher up will be forced to retire earlier than planned, at full pension of course.

      It's not as good as the multi-million dollar golden parachute that a CEO gets for running a company into the ground, but they'll be comfortable.

    • by Saanvik ( 155780 ) on Tuesday June 16, 2015 @07:38PM (#49925963) Homepage Journal

      You're right in a way, but not the way you intended.

      The IRS requested funding to support the archiving requirement. Congress, instead, cut their budget. Even after the archiving issue became known, Congress refused to up the funding.

      If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.

      Breaches like this aren't a question of "what if" they are a question of "when" until Congress ends the chronic underfunding of government IT departments.

      • by perpenso ( 1613749 ) on Tuesday June 16, 2015 @08:10PM (#49926125)

        If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.

        Not true. The agency can cut spending elsewhere to implement the requirement. Which is what Congress wants the IRS to do, while the IRS want to use the excuse of no new funding to maintain things as they are. It all just theatre.

      • by MTEK ( 2826397 )

        Are you kidding me?! Who's in charge over there, a 12yr old? "If you don't give me more money, I'm going to continue to collect all this PII and not store it in a secure manner".

  • funny... (Score:5, Insightful)

    by ganjadude ( 952775 ) on Tuesday June 16, 2015 @05:31PM (#49925263) Homepage
    Since they have been telling us how encryption makes the government weaker (in the hands of americans) yet NOW they want to keep it all to themselves????

    yeah.... too bad
  • I mean, if it's good for us plebes and all ...
  • An alternative... (Score:2, Insightful)

    by Anonymous Coward

    You know, they could just collect and hoard less data...

    (Or as the Russians apparently have done, revert more sensitive systems back to paper and typewriters.)

    • by Gryle ( 933382 )
      In this instance OPMI is one institution you actually want collecting data, since they handle the background investigations for anyone applying for a security clearance.
  • by Hartree ( 191324 ) on Tuesday June 16, 2015 @08:48PM (#49926283)

    And the horse seems to be happily running free somewhere thousands of miles beyond the barn door.

    If this works like many IT security efforts, we'll spend millions replacing the barn door with a bank vault door. And then leave the window next to it open

  • by Required Snark ( 1702878 ) on Tuesday June 16, 2015 @09:01PM (#49926335)
    So now the Republican Congress is screaming about government cyber security, and demanding that the ebil imcompotent burocrats DO SOMETHING RIGHT NOW!!!

    The trouble is, those same Republicans have derailed national cyber security regulations since Obama has been in office. It's all been channeled through the US Chamber of Commerce. [shrm.org]

    Comprehensive cybersecurity regulatory reform failed for the second time this year in the U.S. Senate, increasing the prospects that the White House will implement some of the bill’s provisions through an executive order.

    The Cybersecurity Act of 2012 failed to get the 60 votes needed under Senate rules to bring the bill up for passage Nov. 14, 2012, most likely dashing any chance that cybersecurity policy would be addressed in the lame-duck session.

    “Whatever we do for this bill is not enough for the Chamber of Commerce,” Senate Majority Leader Harry Reid, D-Nev., said on the floor immediately after the failed cloture vote. “Cybersecurity is dead for this Congress,” he added. Republicans blocked the same measure in August 2012, saying it would lead to more government regulation of business.

    So that was pretty much the end of it. The Obama administration declared some executive orders, but that clearly did not have much impact. Up until this latest incident the Party of Ignorance (R) got what they wanted: keep you hands off my bidness.

    So no one should be very surprised that this happened. There is no bright line between big government and big business when it comes to matters like cybersecurity. Particularly with the amount of outsourcing going on. Don't forget that the OPM breach was not simply in a government network, but at security contractor USIS [washingtonpost.com].

    A background investigation firm with OPM, DHS, and other federal agency contracts notified the government that it identified an unlawful breach of its network. In a statement posted on the website today, USIS noted that it was working with the government to determine the ‘nature and extent’ of the attack. They acknowledged that it appeared to be a state-sponsored attack.

    The firm is already under fire for allegations of contractor misconduct. The Justice Department sued the company earlier this year for poor oversight of security clearance investigations, and a White House panel investigated bonuses received by USIS executives.

    The DHS/OPM/whatever are doing everything they can to cover up what really happened, so the trail to the contractors has been rather effectively hidden. They primarily want to keep evidence of their vast incompetency out of the public eye. That is taking precedence over remedial action to address the breach. This is why they are leaving the roughly 4 million government employees at risk just hanging in the breeze. If they were to do the responsible thing and help the victims it would reveal how extensively they failed.

    Remember, horribly incompetent government security contractors are the new normal: Blackwater in Iraq, the TSA meatheads who infest airports, and now this. No one should be surprised. And they should be even less surprised when no one is held accountable and nothing changes.

  • I mean this can't happen in real life.
  • Right, because another requirement/standard will solve this problem. It will get tossed on the pile of requirements for every new contract. It will be implemented to the letter, just like current security requirements. And it will help a bit but things still won't be "secure."

    Security is fundamentally picking the level of risk you're willing to accept. The answer is uniformly "none," but strangely enough you still that network hooked up, so you end up with a 4,000 page requirements that effectively amounts

  • It should be clear by now that systems cannot be made perfectly hack proof. The people who make security can break security. And some people have to be trusted. People cannot be trusted.

As the trials of life continue to take their toll, remember that there is always a future in Computer Maintenance. -- National Lampoon, "Deteriorata"

Working...