The hack that resulted in the theft of information on 4 million government employees didn't need to happen. We had plenty of warning and next to nothing was done.
Last Friday marked the second anniversary of Edward Snowden's infamous NSA leaks. Those leaks not only exposed major government data collection efforts, on which much debate has already been focused, but they also exposed some fundamentally troubling lapses in cybersecurity practices at one of our most sensitive government agencies. Whether you view him as a martyr, a traitor, or possibly both, Snowden's exploits did more than anyone else to call our attention to the sorry state of data protection in this country. The NSA found itself reeling from a massive breach perpetrated not by an enemy state but by a talented junior analyst with a mission to bring the system down. It was the loudest warning shot in cybersecurity history, and unfortunately our government didn't listen...or if it listened, it failed to act decisively. That is potentially even more troubling.
Now we are paying the price, again. Almost two years after the Snowden inside-job data breach, foreign-based hackers (initial reports indicate probably from China this time) compromised the Office of Personnel Management and stole information on 4 million government employees. OPM is expected to start notifying the victims today. So based on the growing flames, Rome just might be burning. Will the U.S. Government act now to implement strong standards to prevent further breaches or will they continue to fiddle about?
This latest breach is just the tip of the iceberg. While our Government leaders have debated whether or not to take decisive action, criminal hacker groups and hostile governments have been determinedly attacking our leading government agencies and corporations, wreaking havoc at the State Department, the Pentagon, Sony, Target, JP Morgan, Home Depot, and the White House itself. Make no mistake: this is a real war and we are not winning. Cybercriminals are an enormous threat to our economy, our infrastructure, and potentially the stability of our society.
Why is this latest breach so troubling? Is it because decisive action from our leaders might have prevented this latest breach? Yes. But the nature of this attack is disturbing on another level entirely. What is the purpose of this attack? Is it designed to use the personal data of these 4 million people to run up charges on their credit cards and to damage their credit histories? Possibly, and if that is the reason then the government's action of providing credit monitoring is a good response. But the real value of this information to an adversary is to provide essential identity information on people throughout the US Government to prepare for a much more damaging attack or set of attacks. This breach is a precursor to something that is potentially several orders of magnitude more damaging and we should be very concerned.
In response to previous mega-breaches, two bills have been introduced. H.R. 1560, Protecting Cyber Networks Act, and H.R. 1731, National Cybersecurity Protection Advancement Act of 2015, were passed on April 22 and 23, respectively, during what was dubbed "Cyber Week" by House leaders. The decision to pass these two bills and send them to the Senate is welcome. These bills support the obvious need for cooperation, collaboration, and information sharing between the government and corporations.
But let's be absolutely clear on one thing -- neither of these new bills will make our companies or our country substantially more secure. Why not? Because neither of them addresses the root cause of the problem. Our cybersecurity defenses built on the old status quo of simple, software-based security are built on sand. It's time for our leaders to lay a new foundation. It is time to abandon the pretense that software and passwords alone are keeping us safe. We need a fortress, not a sandcastle.
We need cybersecurity legislation that recognizes the fact that the industry standard IT security solutions that we've come to know and rely on are being hacked and bypassed so easily that we're negligent if we don't take notice and act to change them. When the keys to 4 million entry points to our national treasure trove of critical data have been stolen, it is time to change the locks. As Snowden highlighted to John Oliver a few weeks ago, the majority of passwords can be broken within seconds. If the real goal for new cybersecurity legislation is, in fact, stronger cybersecurity, then surely we need to mandate minimum requirements for government IT systems and establish National Standards that can actually prevent these hacks from happening in the first place.
The terms multifactor authentication and hardware-based security should be the guiding tenets here. The use of multiple identifying factors makes it exponentially harder for a hacker to gain entry to a system. A hacker would not only have to gain possession of a person's valid user credentials (i.e., user ID and password); in a hardware-based multifactor authentication solution they would also need to take physical control of the security chip itself, whether it is securely embedded on the motherboard of the user's specifically assigned computing device or housed in a removable token. Only then could a hacker gain access to the IT environment and initiate the attack. Why does that matter? Because the vast majority of hacking attempts, like this last one, are carried out remotely. By forcing a hacker to gain physical control of a computing device or server to initiate an attack, we make the attack much more difficult to execute, and traditional methods of defense, such as physical security controls, then become effective as well.
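To make the two-check argument above concrete, here is an added example (not code from the original article) that models a server requiring both a password and a fresh challenge signed by a device-bound key; it assumes a stdlib-only HMAC stand-in for the asymmetric key a real TPM would hold, so the server's enrolment copy plays the role of the public key.

```python
import hashlib
import hmac
import secrets

# Constructed demo. A real TPM keeps an asymmetric key and releases only the
# public half; this stdlib-only model uses an HMAC key (assumption of the demo).
class HardwareToken:
    """Device-bound key: generated inside the token and only usable via sign()."""
    def __init__(self):
        self.__secret = secrets.token_bytes(32)
    def enroll(self):
        return self.__secret  # one-time registration with the server
    def sign(self, challenge):
        return hmac.new(self.__secret, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.users = {}       # user -> (salt, password hash, enrolled token key)
        self.challenges = {}  # user -> outstanding one-time nonce
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def register(self, user, password, token):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt), token.enroll())
    def challenge(self, user):
        self.challenges[user] = secrets.token_bytes(32)
        return self.challenges[user]
    def login(self, user, password, response):
        salt, pw_hash, key = self.users[user]
        nonce = self.challenges.pop(user, None)  # a nonce is good for one attempt
        if nonce is None:
            return False
        pw_ok = hmac.compare_digest(pw_hash, self._hash(password, salt))
        sig_ok = hmac.compare_digest(response, hmac.new(key, nonce, hashlib.sha256).digest())
        return pw_ok and sig_ok  # both factors must check out

def run_demo():
    server, token = Server(), HardwareToken()
    server.register("analyst", "hunter2", token)
    legit = server.login("analyst", "hunter2", token.sign(server.challenge("analyst")))
    server.challenge("analyst")  # remote attacker knows the password but holds no token
    stolen = server.login("analyst", "hunter2", hashlib.sha256(b"forged").digest())
    captured = token.sign(server.challenge("analyst"))  # response sniffed from a real session
    server.login("analyst", "hunter2", captured)
    replay = server.login("analyst", "hunter2", captured)  # nonce already consumed
    return {"legit": legit, "stolen_password_only": stolen, "replay": replay}
```

Only the login with both a correct password and a response from the physical token succeeds; a stolen password alone and a replayed response both fail.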
The good news is that a new foundation is available to us. It lies dormant in many millions of devices we already own, devices we each use every day. Close to one billion Trusted Platform Module chips have been shipped over roughly the last 7 years in standard business desktops, laptops and tablets, and in some highly secure smartphones. These very powerful hardware-based security chips could provide a very capable and very quickly implemented hardening of our cyber defenses, not just in the U.S. but worldwide. So while we debate about cybersecurity, worry about data collection, and read about the latest mega hacks, what we should really be doing is asking our politicians a simple question: if there are solutions available to protect us, why aren't you turning them on?