Before We Pass CISA As A Response To OPM Hack, Shouldn't We Look At What The Feds' Cybersecurity Practices Were?

from the just-saying... dept

As we’ve been discussing, some surveillance hawks in Congress have been trying very hard to push CISA through into law, often using the disastrous OPM hack as evidence for why it’s needed. Yet, as we’ve pointed out multiple times, there’s nothing in CISA that would have prevented OPM from being hacked. Instead, the Senators pushing CISA and using the OPM hack as the reason seem to be blindly flailing around assuming that because both are tangentially related to “cybersecurity,” people will believe that it all “works.”

The reality, of course, is that CISA has nothing to do with the OPM hack, but is really a backdoor surveillance bill, designed to give immunity to companies sharing info with the NSA, that it can feed into its system that it uses to monitor all “upstream” traffic. Senator Ron Wyden has been warning about this for months, without too many people paying attention — because fear! cybersecurity! hack!

So, Wyden’s latest strategy is to look a little more deeply at the OPM hack itself and what the government’s National Counterintelligence and Security Center (NCSC) did (if anything) to prevent the hack. In a letter to NCSC, Wyden asks for details of what steps it had taken to protect OPM.

The National Counterintelligence and Security Center (NCSC) is tasked with a very important mission, which includes defending the nation’s classified information and assets from exploitation by foreign adversaries. The importance of this mission has recently been underscored by compromises of sensitive US government personnel data.

And thus, the following questions:

  1. Did the NCSC identify OPM’s security clearance database as a counterintelligence vulnerability prior to these security incidents?
  2. Did the NCSC provide OPM with any recommendations about how to secure this information?
  3. At least one official has said that the background investigation information compromised in the second OPM hack included information on individuals as far back as 1985. Has the NCSC evaluated whether the retention requirements for background investigation information should be reduced to mitigate the vulnerability of maintaining personal information for a significant period of time? If not, please explain why the existing retention periods are necessary?

There may be a variety of reasons for sending this letter — but one clear one is to send the following message: before Congress rushes around demanding CISA as a response to the OPM hack, shouldn’t we look at how our own processes failed to prevent that attack? And that’s especially true given that the point of CISA is to trust the very same government to help private companies with cybersecurity. If the government can’t even do the most basic things to protect its own data, why are we rushing to pass a law that is entirely premised on the idea that the government can help others protect their data?


Comments on “Before We Pass CISA As A Response To OPM Hack, Shouldn't We Look At What The Feds' Cybersecurity Practices Were?”

Anonymous Coward says:

If the German government wants access to my system, no problem here. But if the American government does, no thanks. Sad that I trust a foreign entity more than my own government. After seeing how good the NSA and US government in general are at protecting their own servers and respecting our right to privacy, I don’t want them to have access, even though I assume they do have it when I face the internet. When the RIAA and MPAA lawyers and congressmen, collectively known as the MAFIA, get done, there will be no internet to access in any way, shape or form, and that will be one less bill a month for me to pay; hell, I might even be able to afford to retire.

Anonymous Coward says:

Pass it now!

No, silly Mike. We don’t need due process, investigation and consultation! We need to capitalise on this hack while it’s still fresh in people’s minds! The sooner it gets passed, the sooner we can collect even more data! I mean, the sooner it gets passed, the sooner we can stop those evil [foreign adversary/ies] from hacking us!

Anonymous Howard, Cowering says:

#7 - Robert Freetard

Everyone, and especially the intruders. OPM handles civilian personnel issues (including clearances) for the entire Federal government. And no, everyone has not yet been fired.

All of them; although your definition of plainly apparently includes post hoc recriminations.

Remember, the only secure data storage is one that has no connection to any other point, and that pretty much precludes its ever being a useful thing.

Anonymous Coward says:

It’s default to connect every PC to the web. At this point the federal government gets close to zero points when it comes to security. Right now there’s 1000s of servers with public user data, names, social security nos, maybe running Windows XP, IE 6, totally insecure. The OPM did not even have data encrypted, not even using basic security procedures from 3 years ago.

So why should we want to give more private info to the government to put on servers or hand around to more agencies which could be hacked in a year or anytime in the future? OPM had user data from 1985 to 2015. At this point there’s major hacks every few months in the US. Right now China can read government emails on various servers; the basic service of government email data is not yet secure. Most companies wait a few days or weeks to announce they were hacked into or public user data was accessed.

Companies or the federal government are hiring contractors from India or China based on the lowest bid to handle various contracts in regard to handling computing services. These people work for maybe 9 dollars an hour. How easy would it be for a hacker or spy to get a job and infiltrate these contractors to get access to data, passwords, user IDs etc.? Very easy. Article here covers OPM hack. So outside foreign companies already have access to a lot of data on US citizens: employment data, birth dates, social security nos, etc.

There needs to be one government agency which has just one function: set standards and procedures for security and protect data on all government servers, PCs. And provide access to experts and advice to companies and state governments re cybersecurity and outside threats to computer networks. This bill will just allow more private companies to send user data to the government.

GEMont (profile) says:

From the No-Brainer Department

Easy one.

From the Orifice of the NSA.

In answer to your inquiry concerning Government Security Measures Practices.

1. National Security. Terrorists. ISIL. Hacks. Muslims.

2. National Security. Terrorists. ISIL. Hacks. Muslims.

3. National Security. Terrorists. ISIL. Hacks. Muslims.

We regret that due to “National Security and all that, you know,” we cannot divulge anything at this time concerning your concerns. Soooooooo Sorry.

Head of Primary Anal Retention, NSA.


GEMont (profile) says:

Re: Wrong Answer

Eventually the sleeping giant will realize that its security agents care not one iota for the security of the nation, and are actually in the business of using the nation’s information hoard to profit themselves and their masters in high places.

If you look over the totality of the so-called “security apparatus”, all you will find is makeshift facades, designed more to fool the public into believing it has a security apparatus than to actually do anything remotely akin to national security.

The agencies use outdated computers purchased fifteen years ago, running ancient software that is easily spoofed and in no way capable of doing the job the agency claims to be doing.

Forensics turns out to be a crock of made up on the fly shit, designed to simply incarcerate as many people as possible and create an appearance of a drug crisis.

The agents charged with catching terrorists use all their technology to spy on their own civilian population, meaning either that they suspect the public are terrorists, or that they are more interested in collecting dirt on everyone for blackmail than in catching any terrorists, leading to the questions – do terrorists actually exist, and if so, why are the security people of the US not at all concerned about them.

Every aspect of the National Security Machine proves blatantly that those charged with the safety of the public are not in the least bit interested in the safety of the public.

As more inside information leaks out – and it will as more young people realize they are being tricked by their government and its corporate handlers – the whole facade will be shown to be a simple, but efficient business model, designed to steal everything possible before the shit finally hits the fan economically and the parasites run for greener pastures, while the ship of state sinks beneath the waves of debt and poverty.
