OPM Data Breach - Whitehouse Petition - Help Wanted

My apologies in advance to any here who might feel that this is off
topic... I don't personally believe that it is. Frankly, I don't
know of that many mailing lists where the subscribers are likely to
care as much about network security (and/or the lack thereof) as the
membership of this list does.

By now, most of you will have read about the massive federal data breach
at the U.S. Government's Office of Personnel Management (OPM), and also
the fact that (by OPM's own preliminary estimates) this massive data breach
affects at least four million federal government employees... but perhaps
as many as 14 million current and former employees. However as this
story is still evolving, even as we speak, you may perhaps not be familiar
with the following additional important facts that have just come out:

    *) In addition to ordinary government personnel records, including
  the usual kinds of frequently-hacked personal information (e.g.
  social security numbers), an as-yet undetermined number of highly
  detailed 127-page government security clearance forms (SF86)
  containing vast and intimate details of virtually every aspect
  of the lives of essentially EVERYONE who has applied for or been
  granted a government security clearance at any time within THE
  PAST 30 YEARS have also been hacked/leaked.

  (Experts seem to agree that this security clearance data constitutes
  an absolute gold mine and treasure trove of information for foreign
  intelligence services, opening up vast possibilities for phishing,
  blackmail, and on and on.)

    *) The Director of the Office of Personnel Management, Ms. Katherine
  Archueta, was warned, repeatedly, and over several years, by her
  own department's Inspector General (IG) that many of OPM's systems
  were insecure and should be taken out of service. Nonetheless, as
  revealed during congressional testimony yesterday, she overruled
  and ignored this advice and kept the systems online.

Given the above facts, I've just started a new Whitehouse Petition, asking
that the director of OPM, Ms. Archueta, be fired for gross incompetence.
I _do_ understand that the likelihood of anyone ever getting fired for
incompetence anywhere within the Washington D.C. Beltway is very much of
a long shot, based on history, but I nonetheless feel that as a U.S.
citizen and taxpayer, I at least want to make my opinion of this matter
known to The Powers That Be.

I *really* would like some help from members of this list on this endeavor.
In particular, if you agree, I'd appreciate it if you would sign my petition,
and, whether you agree or not, I sure would appreciate it if you would all
share the following URL widely:

https://petitions.whitehouse.gov//petition/immediately-fire-office-personnel-managements-director-katherine-archueta-gross-incompetence

Note that Whitehouse petitions do not even get properly or completely
published on the Whitehouse web site until such time as they receive at
least 150 signatures. I am hoping that members of this (NANOG) mailing
list will help me to get past that threshold.

Thanks for your attention.

Regards,
rfg

I think it would be great if you were to include some source links in
your petition/email so that folks unaware of the specifics can educate
themselves in a non-partisan and factual manner.

Just my $0.02.

Cheers,
Harry

This is the government... you have to put on your bizarro-economics and
bizarro-ethics glasses for the State to make sense.

It does not operate like a market. Failure results in people being
shuffled around, and larger budgets. Failure justifies more control and
power. People get taken down for political reasons, not based on a lack of
ability or lack of virtue.

I would hope this measure succeeds and to see something meaningful come out
of it, I just don't see it happening.

In message <CAOxD=zU=i2UMEdLixOOnqYW-3cF9RDFF4eN+KJG_sDcwDip_7A@mail.gmail.com>

> This is the government... you have to put on your bizarro-economics and
> bizarro-ethics glasses for the State to make sense.
>
> It does not operate like a market. Failure results in people being
> shuffled around, and larger budgets. Failure justifies more control and
> power. People get taken down for political reasons, not based on a lack of
> ability or lack of virtue.
>
> I would hope this measure succeeds and to see something meaningful come out
> of it, I just don't see it happening.

Thanks for your support.

And yes, I agree that most probably nothing will come of this, but it
is worth a try.

Consider this, if even just one out of every forty (1/40) of the affected
4+ million (now hopefully pissed off) federal workers signs this petition
then it will get past the 100,000 signature point and then the Whitehouse
will HAVE to respond to it.

Of course, even in that case, the WH might very well just put off their
response, you know, until that proverbial "cold day in hell"... just as
they have done, and continue to do, with the "Pardon Snowden" petition...
however, as in that case, their mere lack of response... basically
ignoring their own rules which they made for themselves relating to
these petitions... would itself call more attention to their utter
failure, not only to prevent such breaches, but to even deal with
them in a sensible way afterwards. (If this utterly unqualified
ethnic-checkbox woman had done this in the private sector, there's
no doubt that her ass would be out the door already. As far as I have
been able to tell in my limited research, she never managed _anything_
in her life before being named as the head of OPM... not even a Denny's...
with the only possible exception being that she may have managed some
portion of the President's re-election campaign.)

Regards,
rfg

P.S. I just learned that the story on this breach is even worse than
I already thought it was when I started the petition. From ArsTechnica:

      ...
      A consultant who did some work with a company contracted by OPM to
      manage personnel records for a number of agencies told Ars that he
      found the Unix systems administrator for the project "was in
      Argentina and his co-worker was physically located in the [People's
      Republic of China]. Both had direct access to every row of data in
      every database: they were root. Another team that worked with these
      databases had at its head two team members with PRC passports. I
      know that because I challenged them personally and revoked their
      privileges. From my perspective, OPM compromised this information
      more than three years ago and my take on the current breach is
      'so what's new?'"

Un-bleeping believable!

There's nothing else that I can say about the quote above... at least
nothing else that I can say in polite company.

Idk whether she was wrong or not. They were running "COBOL" systems - I'm
guessing AS/400 (maybe even "newer" zSeries) which are probably supporting
some db2 apps. They also mention this is on a flat network. So stopping the
hack once it was found was probably real interesting (I'm kinda impressed
they minimized downtime as much as they did really).

I'm ok saying they were incompetent but not too sure you can do *this* much
to mess up a network in <2 years (her tenure). I'd actually be interested
in a discussion of how much you can possibly improve / degrade on a network
that big from a management position.

If the argument is that she should've shut down the network or parts of it
- I wonder if anyone of you who run Internet providers would even shut down
your email or web servers when, say, heartbleed came out - those services
aren't even a main part of your business. One could argue that it would've
been illegal for her to shut some of that stuff down without an act of
Congress.

I'm not saying you're dead wrong. Just that I don't have enough information
to say you're right (and if you are, she's probably not the only head you
should call for).

Have to agree with Shawn on this.
If you watch her testimony in front of Congress, it is clear that she was
completely flustered at the inability to hire competent people, and at
her superiors' failure to prioritize the modernization project she had so
passionately advocated for.
When I've worked for organizations larger than - say - four or five office
locations in diverse parts of the U.S., I've started to see how difficult
it can become to get all of them to coordinate on *anything*, and I'm not
even talking government here.

From the sound of it, she ran into the ceiling of available workers that
were willing to work for the pay grade that the government offers for those
positions, which is usually much less than private industry offers and - as
a consequence - they are not nearly as familiar with migrations of that
size.
I do not envy her position, and doubt in the ability of anyone in her
position to do more than she has attempted.
Give her some credit.

Hi Ronald,

I'm of the opinion that the whole thing is your fault. The security
inadequacies of your network are obviously what allowed the Chinese
Super Hackers to break in with their false BGP advertisements and
source address spoofing.

Well, maybe not, but just imagine if that was true: your post would be
on-topic for the mailing list!

Regards,
Bill Herrin

Look at the average lifespan of heads of cybersecurity in the federal space -
they don't seem to last more than 18-24 months before their foreheads are
permanently damaged from banging against the wall...

Having worked for several departments like this, I can assure you her
frustration was not about her "inability to hire competent people" or "the
lack of her superiors to prioritize the modernization project". Unless you
have worked for the Federal Government it's almost impossible to understand
the mindset - Politics is job #1, Office Politics is job #2, "doing your
job" is not a priority. The issue here was 100% looking bad - the worst
possible offense a political appointee can commit. Firing this one person
is pointless, she's one of 1,000,000 clones, not a one should be employed.
I wish I had some simple solution, but I don't, it's going to require
years, probably decades, of hard work by a motivated and skilled team.
Also, a stable of unicorns.

Nick

Hi Ronald,

The core problem here is that the Authority To Operate (ATO) process
consumes essentially the entire activity of a USG computing project's
security staff. The non-sensical compliance requirements, which if
taken literally just about prevent you from ever connecting any
computer to any other, get in the way of architecting systems around
pragmatic and effective security.

There's no use blaming the director for a broken system she's
compelled to employ, one far out of her control. The next warmer of
that seat is constrained to do no better.

Regards,
Bill Herrin

Absolutely Bill,

That is always the case with the government (I have worked with them a lot). They build lots and lots of procedures and processes and dumb standards (mandatory POSIX compliance?!?!?, that was a good one) when step one would have been to get current firewall technology in place, have current operating systems, and patch known vulnerabilities (which is why you want the current operating systems). Instead, they go out and commission multi-million dollar consulting contracts that spend time drawing up blueprints for the be-all end-all systems that no one is going to fund. When you look at the way the government goes about things like simply setting up the Healthcare website, it is miraculous that they even knew they got hacked. I will bet for every documented breach like this there are hundreds of continuous vulnerabilities being exploited that they don't even know about. These are just the weak ones that got caught.

They still tend to look at these systems like their old mainframe-based systems instead of looking at desktops, servers, and networks as separate, independently upgradable parts. This makes all of their planning so massive that it can never be implemented, so no one ever starts. Eventually the desktop OS gets too old to support, the servers have to stay compatible with the old desktops, the software application can't be upgraded because it does not run on the old database, etc etc etc... until the whole system collapses and you have to get the forklift. This director has nothing to do with it. I think they might need to eliminate some useless department and create or hire an IT organization that operates like a service provider to all of these agencies.

Steve Naslund
Chicago IL

In message <CAPPYGuwCB-r3OzYTHM+ywTApgdtYOn+j3L6t+N0A7eaF6_chFA@mail.gmail.com>

> If you watch her testimony in front of Congress,...

I did, actually. And it pissed me off so much that I started the
petition (to get her fired).

I encourage everybody to watch the video of her congressional testimony
on Tuesday. See how she tries to stonewall simple questions like "Why
wasn't the data encrypted?"

> From the sound of it, she ran into the ceiling of available workers that
> were willing to work for the pay grade that the government offers for those
> positions, which is usually much less than private industry offers and - as
> a consequence - they are not nearly as familiar with migrations of that size.
> I do not envy her position, and doubt in the ability of anyone in her
> position to do more than she has attempted.
> Give her some credit.

I _do_ understand the point you are making. But if you are charged with
the safekeeping of untold millions of extraordinarily detailed personal
data files, and if you don't have the resources to do your job properly,
wouldn't the Right Thing To Do be to either (a) resign in protest or else
(b) at the very least send a letter to members of Congress telling them
just how effed up things really are, so that they will understand what
is at risk?

This lady did neither, as far as I can tell. She just followed the first
rule of government service: To get along, you go along.

In most cases, that course of action would not have resulted in any great
harm. But in this case the result was provably and absolutely catastrophic.

If there were any justice in the world, Mr. Snowden would be back home in
the U.S.A. now, and Ms. Archuleta would now be hiding out in Russia.

Regards,
rfg

Based on prior work in this space, the problems are as follows:

0. Political appointees don't stick around for long, therefore they can
always point to the last guy as the problem. They are also gone before
the impact of their lack of security focus impacts their jobs.

1. Executives and middle managers are not compensated or recognized for
having secure systems, therefore operations and missions take priority. This
includes disabling all security if the operation requires it, and the PM
justifies it.

2. Architecture of systems seldom includes a security architect from the
beginning, with security added later at a substantial expense.

3. Test plans are inadequate and at times the wrong test plan for the
technology being audited.

4. Third party contractors performing audits and assessments are paid by
the IT department to provide a favorable report, as quickly as possible. To
accomplish this, the testing is minimal, the qualifications of the staff
are low, and the contractor's PM has the ability to change findings to
ensure the customer looks good.

5. System and network admins - they too are not compensated for secure
systems, only that the systems are operating. This forces prioritizing
operations over security.

6. Developers are not held accountable for secure code, and their
contractors ignore the issues, even in the few instances where a security
clause is included in the contract.

7. Many architectures are built around a security product, and not the risk
profile.

8. Stovepipes - Many organizations have competing political goals, and spend
time on CYA instead of making this secure by default.

9. Contractor staff training - contractors promise training to customer
facing staff, but then never budget for that training. Instead the
contract companies see this as OJT on the taxpayer dime.

From a game theory standpoint, it turns out security always loses.

Joe Klein
"Inveniam viam aut faciam"

She will have some large number of Civil Service Rockets "working", or at
least on the TO&E below her:

"Won't work; can't be fired."

Mmmm, most people (gov or private) do their jobs - the problem seems
to be policy makers and getting money for things that no one is going
to see (security). This has been a well-documented issue in the
private sector, but idk if anyone has really said how bad gov is (I'd
suspect worse than public at this point).

My point was that idk you can blame someone for not implementing
security in a place that big w/in 2 years. I'd've liked to have seen a
roadmap, but I don't suppose you want your attackers to know that,
so...

18.06.2015 18:00, shawn wilson wrote:

> I'd actually be interested in a discussion of how much you can possibly
> improve / degrade on a network that big from a management position.

That's quite an interesting topic, isn't it ?

Dilbert still has his job so it might as well be immutable. :-)

Yes, I would. We did (at Purdue) one day in November 1988, when we knew
that we had a problem and we had very good reason to believe we were a
serious hazard to the rest of the 'net.

Confronted with a similar situation today, I would do the exact
same thing. It is the highest duty of everyone on the 'net, whether
they're running one laptop or a 50,000-server cloud, to ensure that
their operation isn't an operational menace to everyone else.

And it is the failure of many to discharge that duty, above all others,
that is directly responsible for many of the issues we face every day.

---rsk

Not to mention an Act of Congress. Oh, wait...

If anyone cares to fix government tech (and not just whine about it on
mailing lists), the US Digital Service is probably the best way to make an
impact: https://www.whitehouse.gov/digital/united-states-digital-service

Damian

I think one of their major issues is that they look at too much of the network at a time. If they decided they were going to secure a particular data center or building, they might be much better off. If they start with defending the servers from internal as well as external threats and then move toward the perimeter they might make progress. I think they look at the entire comprehensive network and end up with a number or a project that is too big to fathom. First thing would be current IDP/IDS technology so they would at least know where and what the threats are.

Steven Naslund
Chicago IL
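As an added illustration of Steve's "secure one data center at a time, defend the servers from internal as well as external threats first" approach (example code written for this page, not anything from the thread or from OPM), the script below applies a per-segment allowlist to flow records and reports everything a flat network would otherwise have let through. The segment ranges, the allowlist, the admin-port list and the flow records are all constructed for the example; nothing here reflects a real topology.

```python
"""Flow-record audit for one data center: default-deny around the server
segment, admin ports reachable only from a jump network, no direct egress
from servers. All addresses, segments and flows are constructed examples."""
import ipaddress
from dataclasses import dataclass

# Hypothetical segments for a single data center (assumption for the example).
SEGMENTS = {
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "admin_jump": ipaddress.ip_network("10.99.1.0/24"),
    "users": ipaddress.ip_network("10.50.0.0/16"),
}
# Ports that should only ever be reached from the admin jump network.
ADMIN_PORTS = {22, 3389, 5900}

# Allowlist of (src_segment, dst_segment, dst_port). Any flow touching the
# server segment that is not listed here is treated as denied.
ALLOWED = {
    ("users", "servers", 443),        # web front end
    ("admin_jump", "servers", 22),    # SSH from the jump hosts only
    ("servers", "servers", 5432),     # app tier -> database tier
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def segment_of(addr: str) -> str:
    """Map an address to its segment name, or 'external' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def classify(flow: Flow) -> str:
    """Return 'allow', or a short 'deny:<reason>' tag for the flow."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg != "servers" and dst_seg != "servers":
        return "allow"  # does not touch this data center's server segment
    if src_seg == "servers" and dst_seg == "external":
        return "deny:egress-from-server-segment"  # likely exfiltration path
    if flow.dst_port in ADMIN_PORTS and src_seg != "admin_jump":
        return "deny:admin-port-not-from-jump"
    if (src_seg, dst_seg, flow.dst_port) in ALLOWED:
        return "allow"
    return "deny:not-in-allowlist"  # e.g. server-to-server lateral movement


def audit(flows):
    """Return [(flow, reason)] for every flow the policy would deny."""
    return [(f, r) for f in flows if (r := classify(f)) != "allow"]


# Constructed sample flows, as a flow collector might export them.
SAMPLE_FLOWS = [
    Flow("10.50.3.7", "10.20.1.10", 443),      # user -> web app
    Flow("10.99.1.5", "10.20.1.10", 22),       # jump host -> server SSH
    Flow("10.20.1.10", "10.20.2.20", 5432),    # app -> database
    Flow("10.50.3.7", "10.20.2.20", 22),       # workstation SSH straight to the DB
    Flow("10.20.2.20", "10.20.3.30", 445),     # server-to-server SMB
    Flow("10.20.2.20", "203.0.113.9", 443),    # DB server talking to the Internet
    Flow("198.51.100.4", "10.20.1.10", 3389),  # RDP attempt from outside
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src:>15} -> {flow.dst:<15} :{flow.dst_port:<5} {reason}")
```

The point of running this against a flat network's flow export before touching a single firewall rule is that it answers Steve's "at least know where and what the threats are" first: the denied list is both the alert feed and the work list for the segment you are securing, and the allowlist grows only from flows someone can justify.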
