The recent hack of the U.S. Office of Personnel Management (OPM) is getting worse by the day. On Saturday, the Wall Street Journal reported that, apart from more than 4 million personnel records including Social Security numbers, OPM's security clearance database has also been exfiltrated.
The two security clearance forms, Standard Form 85 and Standard Form 86, contain extensive information about family members, mental health, drug use, police records and credit history, and lists of foreign contacts: people the applicant knows abroad. These forms hold more data than a mortgage application. Because of the unforgivable error that this data was not encrypted, this is now a full-blown scandal and deserves the hashtag #OPMgate.
How Could This Happen?
Well, here is a bit of history. In early 2011, Immigration and Customs Enforcement (ICE), part of DHS, noticed a significant uptick in "mail infections and privacy spills" on its networks. It determined that the spike was caused by ICE employees accessing their personal webmail accounts from office computers. ICE senior managers terminated webmail access in September 2011 as a security precaution against exactly this kind of hacking.
I would say that was the right thing to do, agreed? Not so fast. The American Federation of Government Employees filed a grievance with a federal arbitrator, claiming that any change in access to private email must first be collectively bargained with the union.
HUH? Yup.
ICE showed the arbitrator evidence of the keyloggers, Trojans and other malware that foreign intelligence services had managed to drop on government employee workstations through (spear) phishing attacks. The arbitrator nevertheless dismissed ICE's security arguments in a mere 75 words, stating that the law did not give federal agencies "exclusive discretion" to manage their own IT systems, so ICE had to give the union a say. You can guess what happened. Today, many federal agencies allow personnel to check their webmail from their government workstations. Unconscionable.
Two Things To Do About It Now
If you have a security clearance, assume all your highly personal data is in the hands of the Chinese and may be used to gain leverage over you in a multitude of ways. The expression that the price of freedom is constant vigilance and a willingness to fight back is truer than ever.
1) In an office environment, inventory the different types of data you hold, determine the sensitivity level of each, and start encrypting your crown jewels both at rest and in flight ASAP. Make this a TOP priority. One caveat a practitioner should keep in mind: encryption at rest only helps if the keys are not reachable with the same credentials an attacker would steal along with the data, so keep key management separate from the data store and from the accounts that query it.
2) Formulate and disseminate a security policy that forbids employees from checking their webmail in the office. Explain why, and tell them to use their smartphones for that instead. Block webmail portals in your firewalls, web proxies and/or other network edge devices; there are lists of webmail domains available that you can copy and paste.
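Item 2 says to block webmail portals at the network edge. As an added example, not part of the original post and not any vendor's product, here is a small Python tool that checks a hostname against a webmail blocklist using whole-label suffix matching (so a naive string suffix test does not also block lookalike domains such as gmail.aol.com when mail.aol.com is listed), runs that check over proxy log lines to find who is still reaching webmail, and emits equivalent deny rules for a Squid proxy and a dnsmasq resolver. The four domains in WEBMAIL_DOMAINS and the proxy log lines are a constructed sample, not the full list the post refers to.

```python
"""Webmail blocklist matching and edge-device rule generation.

Added example, not from the original post. WEBMAIL_DOMAINS and
SAMPLE_PROXY_LOG are constructed samples for illustration only.
"""
import re

# Constructed sample of webmail portal domains (assumption: the kind of
# copy-and-paste list the post refers to, trimmed to four entries).
WEBMAIL_DOMAINS = [
    "mail.google.com",
    "outlook.live.com",
    "mail.yahoo.com",
    "mail.aol.com",
]

# Constructed proxy log lines: "<timestamp> <user> <host:port> <method>".
SAMPLE_PROXY_LOG = [
    "2015-06-13T09:14:02 jdoe mail.google.com:443 CONNECT",
    "2015-06-13T09:14:05 jdoe www.google.com:443 CONNECT",
    "2015-06-13T09:15:11 asmith outlook.live.com:443 CONNECT",
    "2015-06-13T09:16:40 asmith gmail.aol.com:443 CONNECT",
]

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_host(host: str) -> str:
    """Lower-case the name, drop a :port suffix and a trailing dot, reject junk."""
    h = host.strip().lower()
    h = h.split(":", 1)[0]   # drop ":443" etc. (IPv6 literals are not expected here)
    h = h.rstrip(".")        # "mail.google.com." is the same name as "mail.google.com"
    if not h or not all(_LABEL.match(label) for label in h.split(".")):
        raise ValueError(f"invalid hostname: {host!r}")
    return h


def naive_is_blocked(host: str, blocklist=WEBMAIL_DOMAINS) -> bool:
    """The common mistake: a plain string suffix test, which over-blocks."""
    h = normalize_host(host)
    return any(h.endswith(d) for d in blocklist)


def is_blocked(host: str, blocklist=WEBMAIL_DOMAINS) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    Matching is on whole DNS labels: accounts.mail.google.com is blocked,
    gmail.aol.com is not, even though it ends with the string "mail.aol.com".
    """
    h = normalize_host(host)
    for d in blocklist:
        b = normalize_host(d)
        if h == b or h.endswith("." + b):
            return True
    return False


def audit_proxy_log(lines, blocklist=WEBMAIL_DOMAINS):
    """Return (user, host) pairs for requests that should have been denied."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue               # skip malformed lines rather than crash the audit
        _ts, user, host, _method = parts[:4]
        if is_blocked(host, blocklist):
            hits.append((user, normalize_host(host)))
    return hits


def squid_acl_lines(blocklist=WEBMAIL_DOMAINS, acl_name="webmail"):
    """Squid config: a leading dot in dstdomain matches the domain and all subdomains."""
    lines = [f"acl {acl_name} dstdomain .{normalize_host(d)}" for d in blocklist]
    lines.append(f"http_access deny {acl_name}")
    return lines


def dnsmasq_lines(blocklist=WEBMAIL_DOMAINS):
    """dnsmasq config: address=/domain/0.0.0.0 sinkholes the domain and its subdomains."""
    return [f"address=/{normalize_host(d)}/0.0.0.0" for d in blocklist]


if __name__ == "__main__":
    for user, host in audit_proxy_log(SAMPLE_PROXY_LOG):
        print(f"DENY  {user:8} {host}")
    print("\n".join(squid_acl_lines()))
    print("\n".join(dnsmasq_lines()))
```

Paste the Squid lines into squid.conf above any `http_access allow` rule and the dnsmasq lines into dnsmasq.conf; both syntaxes treat the entry as covering subdomains, which is why the matcher above does the same.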
And, oh, stepping all employees through new-school security awareness training would not hurt either. That way they will truly understand why security policies are put in place. Find out how affordable this is for your organization. Ask for a quote here and you will be pleasantly surprised: