June 8, 2015 – by ,

President & CEO, Wave Systems

The hack that resulted in the theft of information on 4 million government employees didn’t need to happen. We had plenty of warning and next to nothing was done.Last Friday marked the second anniversary of Edward Snowden’s infamous NSA leaks. Those leaks not only exposed major government data collection efforts on which much debate has already been focused, but they also exposed some fundamentally troubling lapses in cybersecurity practices at one of our most sensitive government agencies. Whether you view him as a martyr, a traitor, or possibly both, Snowden’s exploits did more than anyone else to call our attention to the sorry state of data protection in this country. The NSA found itself reeling from a massive breach perpetrated not a by an enemy state but by a talented junior analyst with a mission to bring the system down. It was the loudest warning shot in cybersecurity history and unfortunately our government didn’t listen…or if they listened then they failed to act decisively. That is potentially even more troubling.Now we are paying the price, again. Almost two years after the Snowden inside-job data breach, foreign-based hackers (initial reports indicate probably from China this time) compromised the Office of Personnel Management and stole information on 4 million government employees. OPM is expected to start notifying the victims today. So based on the growing flames, Rome just might be burning. Will the U.S. Government act now to implement strong standards to prevent further breaches or will they continue to fiddle about?

This latest breach is just the tip of the iceberg. While our Government leaders have debated whether or not to take decisive action, criminal hacker groups and hostile governments have been determinedly attacking our leading government agencies and corporations, wreaking havoc at the State Department, the Pentagon, Sony, Target, JP Morgan, Home Depot, and the White House itself. Make no mistake: this is a real war and we are not winning. Cybercriminals are an enormous threat to our economy, our infrastructure, and potentially the stability of our society.

Why is this latest breach so troubling? Is it because decisive action from our leaders might have prevented this latest breach? Yes. But the nature of this attack is disturbing on another level entirely. What is the purpose of this attack? Is it designed to use the personal data of these 4 million people to run up charges on their credit cards and to damage their credit histories? Possibly, and if that is the reason then the government’s action of providing credit monitoring is a good response. But the real value of this information to an adversary is to provide essential identity information on people throughout the US Government to prepare for a much more damaging attack or set of attacks. This breach is a precursor to something that is potentially several orders of magnitude more damaging and we should be very concerned.

In response to previous mega-breaches, two bills have been introduced. H.R. 1560, Protecting Cyber Networks Act, and H.R. 1731, National Cybersecurity Protection Advancement Act of 2015, were passed on April 22 and 23, respectively, during what was dubbed “Cyber Week” by House leaders. The decision to pass these two bills and send them to the Senate is welcome. These bills support the obvious need for cooperation, collaboration, and information sharing between the government and corporations.

But let’s be absolutely clear on one thing — neither of these new bills will make our companies or our country substantially more secure. Why not? Because neither of them addresses the root cause of the problem. Our cybersecurity defenses built on the old status quo of simple, software-based security are built on sand. It’s time for our leaders to lay a new foundation. It is time to abandon the pretense that software and passwords alone are keeping us safe. We need a fortress, not a sandcastle.

We need cybersecurity legislation that recognizes the fact that the industry standard IT security solutions that we’ve come to know and rely on are being hacked and bypassed so easily that we’re negligent if we don’t take notice and act to change them. When the keys to 4 million entry points to our national treasure trove of critical data have been stolen, it is time to change the locks. As Snowden highlighted to John Oliver a few weeks ago, the majority of passwords can be broken within seconds. If the real goal for new cybersecurity legislation is, in fact, stronger cybersecurity, then surely we need to mandate minimum requirements for government IT systems and establish National Standards that can actually prevent these hacks from happening in the first place.

To read the rest of the article go to:  http://www.huffingtonpost.com/bill-solms/national-cybersecurity-we-need-a-fortress-_b_7518986.html

InCyber Comments:

The details of this case are still being investigated by the FBI and other Agencies. Here are the facts we do know:

Hackers accessed the Database of the OPM and copied the records of 4 Million Federal Workers. This is considered one of the most dangerous and damaging cyber attacks in recent years.

To copy 4 Million records is not a quick “download” job. Months before the announcement, the people at OPM suspect some irregular activity. This means that the attack took days or weeks to accomplish. What did the OPM do with the suspicion? Not much or nothing at all!

Could the InCyber PAS system avoid this data breach?    Not 100% sure. If the OPM had deployed the PAS system, we could have detected abnormal activity with the first penetration and we could have given a Predictive Alert to the Cyber Security Team.  This alert could have avoided the massive “download” of  Employee Data.The InCyber PAS Pro-Active and Predicting System has been proven 100% effective against Insider Threats. For additional information write to:

 info@incyber.co . We are now offering a Free Insider Penetration Test for up to 500 Employees using your own historical data.