Hacked U.S. files not encrypted

Los Angeles Times - THE NATION - By Brian Bennett and Colin Diersing, brian.bennett@latimes.com, colin.diersing@latimes.com

WASHINGTON — Millions of government employee records apparently stolen by Chinese hackers were not encrypted, and software designed to block known computer breaches has not been installed to protect most of the files, officials said Tuesday.

The latest disclosure came as officials continued to investigate two devastating hacks into the files of the Office of Personnel Management, the federal government’s human resources agency. The cyberattacks have exposed how vulnerable and outdated many of the computer systems are that the federal government uses to store details collected for job applications, security clearances and other needs.

Intelligence officials are concerned that Chinese intelligence services or others could use the sensitive information, which can include medical histories and other personal details, to blackmail or otherwise recruit spies in the U.S. government and to design carefully tailored emails to infect computers of federal workers with access to secret files.

Chinese officials deny being behind the incursion.

During a contentious congressional hearing about the massive digital theft of personnel files, lawmakers ripped into the officials in charge of securing the networks.

“You failed. You failed utterly and totally,” Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, told the officials.

The agency’s inspector general had recommended last year that security on the databases be upgraded. The warning followed a hack discovered in 2014. But the agency didn’t move quickly enough, lawmakers said.

Many electronic files that hold Social Security numbers, health carrier information and other details about the personal lives of officials and government contractors are so antiquated that federal computer experts cannot encrypt the files, said Donna Seymour, the top technology officer for the Office of Personnel Management.

“Some legacy systems may not be capable of being encrypted,” Seymour told lawmakers, who expressed bafflement and frustration at the lack of progress in improving the systems.

If sensitive records were scrambled and locked, hackers would not be able to read the data even if they could get the files out of federal servers, security experts note. But some of the electronic files are more than 20 years old and are stored in outdated systems, Seymour said.

“These problems are two decades in the making,” she said.

The intrusion into personnel files was discovered in April. Computer forensics experts found that hackers had been in the databases for months. They are believed to have copied private information belonging to 4.2 million current and former federal employees and government contractors.

During a second attack, which was discovered by looking for computer activity similar to the earlier breach, the intruders accessed the detailed background forms filled out by millions of intelligence, military and other federal workers who have applied for security clearances. Those forms were stored on shared servers maintained by the Interior Department.

The security clearance application requires potential hires to list any mental health issues, criminal convictions, drug use, and the names and addresses of relatives overseas. Intelligence officials fear that China or another authoritarian government will use the information to blackmail American officials or pressure foreign relatives of U.S. government workers with access to classified files.

Despite the sensitivity of the data held by the Office of Personnel Management, the agency was not using the most up-to-date monitoring software that many other federal agencies use to automatically block known vulnerabilities in the computer networks.

That so-called perimeter system, called EINSTEIN 3A, is managed by the Department of Homeland Security and covers nearly half of the computers used by civilian personnel at 13 federal agencies. But the system is not in place at the Office of Personnel Management or 51 other agencies. The National Security Agency is responsible for protecting intelligence and military servers.

The security breaches follow the personnel agency’s “long history of failing” to update its information technology infrastructure, said Michael Esser, the agency’s assistant inspector general of audits. For many years, Esser said, agency staff in charge of computer security had no technology background. Also, the agency has never disciplined managers for failing to pass multiple cybersecurity audits, he said.

Rep. Ted Lieu (D-Torrance) called for the top leaders who oversee the breached systems to resign.

“I’m looking here today for a few good people to step forward, accept responsibility and resign for the good of the nation,” Lieu said.

The director of the Office of Personnel Management, Katherine Archuleta, told lawmakers that no one had lost their job over the cyberattacks.

Photo caption: Office of Personnel Management chief Katherine Archuleta said no one had been fired over the attacks. (Cliff Owen / Associated Press)
