US Lawmakers Demand Federal Encryption Requirements After OPM Hack 91
Patrick O'Neill writes: After suffering one of the biggest hacks in federal history at the Office of Personnel Management, the U.S. government is sprinting to require a wide range of cybersecurity improvements across agencies in order to better secure troves of sensitive government data against constant cyberattacks. The top priorities are basic but key: Encryption of sensitive data and two-factor authentication required for privileged users. Despite eight years of internal warnings, these measures were not implemented at OPM when hackers breached their systems beginning last year.
The calls for added security measures comes as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.
The calls for added security measures comes as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.
Back Doors Are Like Anal Sex (Score:5, Insightful)
Back doors are line anal sex. Once you've lubed up, anyone can enter.
Re: (Score:1)
Re:Back Doors Are Like Anal Sex (Score:4, Insightful)
While true, many governments are coming together to say outlaw encryption. In the case that has already been proven that we can't use it responsibly (ie: back doors) I agree, then there really isn't a really expensive black budget allocation care of the NSA. Of course credit card fraud would go up, but then again, has the government itself been responsible with credit? Being that they are printing money every six months to keep the doors open and still attacking the people for money I'd say no and with the example provided by government to the people, then the people shouldn't have credit either so no credit card fraud. In the case the government tries to use encryption but denies it to the people, then I'd say they should probably do away with the other parts of the constitution they haven't yet wiped their ass with yet, that being taxation. The constitution is in whole a contract of citizenship to a government, it has to be taken as a whole or not at all, they can't pick and choose which rights they want to stomp on and keep the parts they like.
Re: (Score:3)
I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?
Re:Back Doors Are Like Anal Sex (Score:4, Interesting)
They could probably ban encryption for the little people the same way the ban child porn (which is ultimately, after all, just data). Make possessing encryption tools a crime subject to harsh penalties, as well as dissemination of techniques and practices. Actively infiltrate and destroy groups seeking to break the law. Monitor external web sites and arrest anyone who seems to be actively searching for ways to encrypt his data. They could never completely stamp it out, but they could certainly make encryption tools difficult and risky to get ahold of.
Of course the infrastructure to support the prohibition would be huge and a foot in the door to banning all sorts of other things, but to FBI-types that's a feature, not a bug.
Re: (Score:1)
Be easy to do, simply create a policy on the ISP level that if encryption is detected then deny service to the mac. End of story for encryption, and a lot of things. I say go right ahead if they have the balls to do it, pull the trigger, pink slip the NSA.
Re: (Score:1)
Re: (Score:3)
Easy fix: Have the ISP have a root cert one must put in their keystore, and the ISP uses a device like a BlueCoat appliance for real time MITM-scanning of all traffic.
Add an in-transit ad injector, and it will be a money maker for the ISP as well.
Re: (Score:1)
To be honest, I've seen the government do a lot of stupid things and I wouldn't put this past them.
Re: (Score:2)
Re: (Score:2)
yeah, but then folks will just send cat pictures with steganographically embedded data.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
This is easy to enforce:
Make all devices that connect to the Internet have to pass a NAC healthcheck, with software similar to AV signature scanning, except it has signatures of encryption programs (except programs used for managing DRM), and uses heuristics to find what it considers encrypted files, then notifies the upstream to block the machine from the Net for good. Similar to how modded consoles get tossed off PSN or XBox Live, or how some printers will phone home if someone tries to print PDF files o
Re: (Score:2)
there goes jpegs in email, I guess (they don't compress well, and can have data embedded using steganography). That ought to go over well. Also video files.
Re:Back Doors Are Like Anal Sex (Score:5, Interesting)
I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?
Ask Phil Zimmerman about that. The US didn't lock him up, but it wasn't for lack of trying.
Re: (Score:2)
License it (with taxes and fees of course) with conditions which require key escrow or other backdoor. When data streams are discovered which are not using a government approved method, prosecute those who are responsible.
Treat any constitutional right to use encryption the same way as speech and firearms which are often licensed. A $200 tax for certain firearms in 1934 is the equivalent of $3500 now and that was never s
Re: (Score:3)
So much this:
While true, many governments are coming together to say outlaw encryption.
It's a familiar line. When guns are outlawed, only criminals will have guns and the State will have monopoly on violent coercion.
Or:
When encryption is outlawed, only criminals will have encryption and the State will have the monopoly on secrets. ...Which brings the whole secrecy vs transparency thing to the foreground as well, but that's as equally a vast debate as this one and the twain should never meet.
Re: (Score:1)
No, they only want to outlaw encryption for individuals. Corporations and the gov't all must use the most powerful, unbackdoored encryption possible. And, of course, all devices used by politicians must not have backdoors either.
Politicians hate being backdoored.
But they don't mind it if everyone else gets backdoored. If they can at least watch, if not actually participate.
Re: (Score:1)
They will get backdoored as well, since most politicians keep using normal civilian tools (hotmail, iPhones, USB sticks, etc.) no matter what ultra-secure tools you offer them.
Oh please, not another law for them to ignore (Score:4, Interesting)
Re:Oh please, not another law for them to ignore (Score:4, Interesting)
The problem with security is that under normal circumstances it delivers zero value to an organization and basically just shores up against bad publicity. The best security in the world isn't enough and you can spend $ridiculous on it and still only be 99% secure. You're basically trying to outspend your competition in the hopes that they won't hire the guy that knows where the bad sprintf() is.
To any corporation, or any department, this is just a pure money-sink with no returns on investment. It's cheaper to cover up the breaches.
Re: (Score:3, Informative)
Let's hope this one's got teeth; a breach of a system that has not been secured according to the regulations will result in the loss of pension of all those in the chain of command above the person responsible?Â
That's a good one. Probably the worst that will happen is that someone higher up will be forced to retire earlier than planned, at full pension of course.
It's not as good as the multi-million dollar golden parachute that a CEO gets for running a company into the ground, but they'll be comfortable.
Re:Oh please, not another law for them to ignore (Score:4, Informative)
You're right in a way, but not the way you intended.
The IRS requested funding to support the archiving requirement. Congress, instead, cut their budget. Even after the archiving issue became known, Congress refused to up the funding.
If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.
Breaches like this aren't a question of "what if" they are a question of "when" until Congress ends the chronic underfunding of government IT departments.
The IRS can reorganize its internal spending (Score:5, Insightful)
If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.
Not true. The agency can cut spending elsewhere to implement the requirement. Which is what Congress wants the IRS to do, while the IRS want to use the excuse of no new funding to maintain things as they are. It all just theatre.
Re: (Score:1)
Are you kidding me?! Who's in charge over there, a 12yr old? "If you don't give me more money, I'm going to continue to collect all this PII and not store it in a secure manner".
funny... (Score:5, Insightful)
yeah.... too bad
Re:Just use OpenBSD, for crying out loud! (Score:5, Insightful)
no, the first step is to airgap sensitive information. NEVER let it onto any sort of network. EVER. Then start worrying about what operating system you're using. *BSD has had security problems in the past and more will be discovered in the future. If you do not believe this to be the case, then you're living in a fantasy world.
Even with the default settings on a vanilla install (which basically don't let you do ANYTHING productive) there are vulnerabilities ranging from minor annoyances on the window manager to showstoppers in the TCP stack. Let's not even go into the simple fact that the second you start services, or install and run software from the ports repository, you are introducing vulnerabilities to your setup, hence *BSD is NOWHERE NEAR as secure as you're apparently making out. It becomes every bit as vulnerable to hackers/worms/whatever as OSX, Linux, any other UNIX, or Microsoft Windows.
Re: (Score:2)
There are two issues with air-gapping the OPMI database. The first is just data-entry. An SF-86, which is the form to apply for a security clearance, is 122 pages, not including the instructions and the authorization for the government to access your medical records and to run a credit check on you. If you air-gap that system you have to hire someone to either run OCR scans or enter all that
Air gaps allow for data input and output ... (Score:2)
If you air-gap that system you have to hire someone to either run OCR scans or enter all that data by hand into the database.
Or someone does a malware scan of electronic media and if all clear they walk the media past the air gap.
Let's say your character witness is Joe Schmuckatelly who lives in California and you live in Nebraska. It's easier and less expensive for the regional office in Nebraska to put the file on the network and request the regional office in California to interview Joe.
Why is the entire file necessary for the interview? A relevant excerpt, only what the applicant claims with respect to Joe, can be walked back across that air gap and sent to the regional office. The interview results then get walked past the air gap and merged/appended to the file. Naturally what really gets walked across is a large number of excerpts and data to merge/append.
In short air gaps allow
Re: (Score:2)
Why is the entire file necessary for the interview? A relevant excerpt, only what the applicant claims with respect to Joe, can be walked back across that air gap and sent to the regional office. The interview results then get walked past the air gap and merged/appended to the file. Naturally what really gets walked across is a large number of excerpts and data to merge/append.
Whether it's all of the file or part of the file is irrelevant, since the transmission time via USPS or UPS or FedEx is the same (per company obviously) whether you're sending a single page or a whole stack of pages. Your point about malware is well-taken though.
Re: (Score:2)
Why is the entire file necessary for the interview? A relevant excerpt, only what the applicant claims with respect to Joe, can be walked back across that air gap and sent to the regional office. The interview results then get walked past the air gap and merged/appended to the file. Naturally what really gets walked across is a large number of excerpts and data to merge/append.
Whether it's all of the file or part of the file is irrelevant, since the transmission time via USPS or UPS or FedEx is the same (per company obviously) whether you're sending a single page or a whole stack of pages. Your point about malware is well-taken though.
Apologies for being not being clear but the fragment of a single file would be sent electronically via a network. The point is that the entire database does not need to be exposed and vulnerable to a single breach.
Re: (Score:2)
As perpenso already noted-- you can move some of the data temporarily across the gap. Even whole files for people whose investigations are currently in progress. But given that reinvestigations are only every 5+ years, data that isn't immediately required can be isolated from the internet. In that case, if you suffer a data breach you still let out a bunch of confidential information on people, but you don't let *all* of it out on *everybody*. And some inputs to the database (e.g. invesitgation results
Re: (Score:2)
This gets me wondering:
Is it possible to separate the fields of the SF-86 form so after they get OCR-ed, the physical documents (if any) go to a secure site [1], and if electronic, it gets printed out. Hard copies are useful for long term archiving.
Then, the online data gets split up into different databases, each not connected to the other. This is done with banking, and has helped with limiting the scope of an intrusion.
By separating the data out (preferably into physically separate data centers, and th
Re: (Score:2)
Historically, governments are top notch at physical security...
You just made me spit coffee through my new keyboard.
https://en.wikipedia.org/wiki/... [wikipedia.org]
(incomplete list, LOTS of avoidable breaches, including hard drives, even LAPTOPS left on trains, paper documents left on park benches, the worst reported breach being revealed in 2008 of a 2007 loss of 25 MILLION records of benefit claimants' families (practically the entire UK population) were dispatched in the regular post on unencrypted CDs and subsequently "lost").
Re: (Score:2)
Nobody I know does their SF-86 form on paper. It is an online form completed through a system called "e-qip [opm.gov]".
Re: (Score:2)
Is it possible to separate the fields of the SF-86 form so after they get OCR-ed, the physical documents (if any) go to a secure site [1], and if electronic, it gets printed out. Hard copies are useful for long term archiving.
If you're going through OPM you fill out the SF86 online on a system called eQIP-- you get a pdf at the end that you can print and keep, but they collect all the data electronically. No OCR involved.
eQIP has its own problems-- the default passwords for entry are based on data that anybody can look up about you. You're supposed to change them so that when you submit your stuff for reinvestigation you use passwords that you made up, but given that they have specific password requirements (3 passwords) and r
Re: (Score:2)
The other point with data-entry is that each renewal for a security clearance, either due to the clearance expiring or to a periodic random review, requires a new and updated SF-86.
Concerning data transmission, the network is also much cheaper than flying a single investigator all around the country to interview folks in a timely manner. As it is, getting a security clearance takes anywhere from 3-6 months, longer if the investigator finds an irregularity.
Re:Just use OpenBSD, for crying out loud! (Score:4, Interesting)
oh, I do agree that there are circumstances (such as specific use cases as you mention) where rapid access to data would be required, but in that case, what about a compromise? Keep the airgap, just extract the data as needed and send it on a closed feed such as eDX (which has end to end encryption using a key the enquirer supplies). The enquirer doesn't even need to access the database. This can be done by an operator with local access. The legal profession uses something a bit less fanciful, DX in this case involves a courier (as in one single person who's basically surgically attached to the pouch to which he has no internal access) travelling nonstop from source to sink. A DX courier could make across the States from LA to NYC in a day.
As for data entry: this has to be done anyway, and depending on the sensitivity, varying clearances have to be met anyway so keeping that in-house shouldn't be a problem if the data is that important.
Sources: been there, done that, never had a breach. Disclosure: I (still) handle thousands of pages worth of legal documentation having previously represented in courts across England. I've come across solicitors firms who send documents via email(!) and even Facebook(!!). I've also dealt with some of the worst offenders one of whom sent me an entire case file on the WRONG CLIENT, by REGULAR MAIL.
Still shaking my head over that one.
Re: (Score:2)
The ironic thing is that if more companies used an OpenPGP variant (Symantec's PGP, GnuPG, NetPGP, and so on), it really wouldn't matter what channel stuff was sent on. They could create a FB group and stash the files as attachments, but the contents would be secure, assuming keys of a proper length and the private keys properly used/secured, for example, having a key generated and stored in a Yubikey or other cryptographic token. Even just doing document processing in a secured environment like an iOS or
Re: (Score:2)
The SF-86 is an online form. How are you going to airgap that?
Re: (Score:2)
what, me personally? By not using it.
Re: (Score:2)
step out from behind your AC sock and say that, bitch.
Re: (Score:2)
that is my full legal name, fool.
Re: (Score:2)
It certainly is your option to not have a federal job. I've had three employers over the last decade and all three have lost my PII, not sure how different it is.
Re: (Score:2)
The SF-86 is an online form. How are you going to airgap that?
Entry occurs on the public side of the gap. An applicant's data gets transferred to electronic media and walked across the gap. The applicant's data then get merged into the air gapped database that holds *everyone's* data.
:-)
Remember, before cat-5 cables we had station wagons loaded with tapes and it worked quite well.
Re: (Score:2)
There are several other problems.
1) When you come back to enter more data and expect the fields to be populated (the form takes a day or two to fill out the first time).
2) When you need access to something and the manager of that element has to look at your file to approve it.
3) When you get a new security manager and they have to approve it.
Your basically taking us back to the paper office days. In that time it was really easy to not put two and two together because cross referencing information was really
Re: (Score:2)
There are several other problems. 1) When you come back to enter more data and expect the fields to be populated (the form takes a day or two to fill out the first time).
Again, fill out the form on the public side. Completely filled out. It doesn't need to got into the database until then.
2) When you need access to something and the manager of that element has to look at your file to approve it.
(a) The people who need to access it can be on the air gapped side, analysts and such.
(b) One person's data can be extracted from the database, walked across the gap, and sent to someone who needs it. The point of the gap is to isolate the database with everyone's records, and the monitor/supervise data coming from and being sent to public networks. Individual records being worked on at a
Will their encryption be designed with backdoors? (Score:3)
Re: (Score:2)
An alternative... (Score:2, Insightful)
You know, they could just collect and hoard less data...
(Or as the Russians apparently have done, revert more sensitive systems back to paper and typewriters.)
Re: (Score:2)
except when it is, because you don't (Score:2)
You make an excellent point. A corollary is a bit of a counter-point. Sometimes you DON'T need to decrypt it, and in those cases you shouldn't be able to.
The most obvious example is passwords. You store those as salted hashes which can't be decrypted. You don't need to know what their password is, you only need to know if it's the same as what they entered or not . We can apply the same principle to data we use for fraud prevention. We want to know if this transaction attempt is coming from the same
Re: (Score:2)
When you go fill out the SF-86 they populate it with the information from the last time you filled it out. It makes the process faster.
The horse named Elvis has left the building! (Score:3)
And the horse seems to be happily running free somewhere thousands of miles beyond the barn door.
If this works like many IT security efforts, we'll spend millions replacing the barn door with a bank vault door. And then leave the window next to it open
Republicans: Hypocrit Much? (Score:4, Insightful)
The trouble is, those same Republicans have derailed national cyber security regulations since Obama has been in office. It's all been channeled through the US Chamber of Commerce. [shrm.org]
So that was pretty much the end of it. The Obama administration declared some executive orders, but that clearly did not have much impact. Up until this latest incident the Party of Ignorance (R) got what they wanted: keep you hands off my bidness.
So no one should be very surprised that this happened. There is no bright line between big government and big business when it comes to matters like cybersecurity. Particularly with the amount of outsourcing going on. Don't forget that the OPM breach was not simply in a government network, but at security contractor USIS [washingtonpost.com].
The DHS/OPM/whatever are doing everything they can to cover up what really happened, so the trail to the contractors has been rather effectively hidden. They primarily want to keep evidence of their vast incompetency out of the public eye. That is taking precedence over remedial action to address the breach. This is why they are leaving the roughly 4 million government employees at risk just hanging in the breeze. If they were to do the responsible thing and help the victims it would reveal how extensively they failed.
Remember, horribly incompetent government security contractors are the new normal: Blackwater in Iraq, the TSA meatheads who infest airports, and now this. No one should be surprised. And they should be even less surprised when no one is held accountable and nothing changes.
Re: (Score:2)
But having no meaningful regulatory framework makes it all worse. Who's in charge? There's been a monumental screw up, but with no rules or formal chain of command how can responsibility be determined?
Without some kind of accountability the response will certainly be inadequate. If you want another horrible example of th
This must be a chapter for a novel (Score:2)
Just another requirement (Score:1)
Right, because another requirement/standard will solve this problem. It will get tossed on the pile of requirements for every new contract. It will be implemented to the letter, just like current security requirements. And it will help a bit but things still won't be "secure."
Security is fundamentally picking the level of risk you're willing to accept. The answer is uniformly "none," but strangely enough you still that network hooked up, so you end up with a 4,000 page requirements that effectively amounts
It should be clear by now (Score:1)