Hacking Linked to China Exposes Millions of U.S. Workers

Jun 05, 2015 · 115 comments
Dennis Mueller (New Jersey)
Seriously, personnel records are accessible remotely. In what world does that ever make sense? Similarly what "secret" information is available on remotely accessible computers? Everyone should know that there is no such thing as remote access security except physical separation. Any organization that allows remote access to its computers by employees must know that this represents a risk to any data accessible to those computers.

Separate systems for sensitive information and no sensitive information on accessible computers is the only safe strategy, no matter the inconvenience.

National labs with top level secret information go so far as to hot glue the USB ports of computers that are connected to secure systems so that no one can make a copy of classified information on a stick for convenience. Personnel files should be treated pretty much the same way. Of course that means it would be less convenient to sign-up for benefits on the internet and it would put an onus on workplaces to read as well as write protect the HR files, flag any attempts to read them, prohibit any attempt to read the records of more than one person, etc.
av8r49a (NW Arkansas)
This is the price of western consumers having more, cheaper junk (that we don't even need) so western corporations can receive even higher corporate profits. Sure, let's keep sending western jobs and the resulting tax dollars (which pay for our military, the NSA, etc.) to a clearly unfriendly, and still an enemy country - Communist Red China, where nothing has changed except that their one party dictatorship has learned to get our money... Let them use it to build and expand their military, while their hackers probe and ATTACK us daily... Hey, we're all ok with it as long as we have cheaper prices at Walmart. Especially for the deniers and apologizers commenting here who say that it's not China... Hey maybe it's Putin trying to drive a wedge between us! Yeah, right. Wake up. They still believe that they have the right to dominate the world.
Nelson Alexander (New York)
The ominous truth is that the Internet, now vital to global infrastructure, is a new, essentially untested system. Because it is entirely human and its internal oppositions are entirely human, a hyperdarwinian struggle, there is no way for brains to produce a "secure" system against all future brains.

And when I read articles like this, I always think, so what are the shadow finance operations doing? How could anybody possibly know or keep track? They simply can't. Banks, hedge funds, and sovereign wealth funds now have massive supercomputers churning billions of dollars per second. If a few billion go missing every week, would we ever hear about it?

As far as the tax payers who support national currencies and debts are concerned, the entire computerized money system is operating in a black box.
Randy L. (Arizona)
This falls squarely on the Office of the President.

Vulnerabilities, like this, have been known for a long time. More so in recent years than in the past.

Instead of following up on things like this, things that have an impact on our country and its people, directly, the major driving factor of presidential achievements has been based on what kind of legacy will be left behind.

Once again, America and Americans come second, and, now, more Americans will suffer for that hubris.
Odysseus123 (Pittsburgh)
Hackers--both national and criminal: China, Russia, North Korea, and criminals throughout the world. NSA?

Is it time that Intel, Microsoft, Apple, and all hardware, software, and telecomm companies be allowed and required to build in security at the source. Now we seem to patch over existing, poorly designed technology in the face of intrusive and outright destructive cyber attacks. Where does Acxiom and the entire industry around buying and selling our personal data fit in?

What would the crooks and cyberwarriors do if security and monitoring was built into all computing and communications devices giving the owners more security capability?

As a consumer, I should not have to buy security and privacy services. I should not have to constantly monitor my credit file, and pay for that too to the companies that don't invest in adequate protections to begin with. And, I should be paid for the use of my personal data that I can see to ensure accuracy.

Where are my rights? Who enforces my rights? I am tired of this side of free market capitalism--not free for me! I am tired of being exposed to risk of cyberattack. Maybe there should be a universal data file--hello Acxiom--where I am afforded a universal opt out opportunity, and an opportunity to set a price and sell my data if I desire. I could turn these switches on and off. Every user of my data would have to check this file for permissions or pay hefty fines, to me, for each misuse. Cybersecurity by design.
Deven Bhan (Madison, SD)
Two thoughts come to my mind:
1. Avoid buying made in China products whenever possible.
2. Ramp up NSA and FBI's cyber security efforts and increase budget for Universities offering scholarship, education and research on cyber security. Dakota State University is one such school.
Jim D (Las Vegas)
Welcome to the cloud!

“shocking because Americans may expect that federal computer networks are maintained with state of the art defenses.”

Well, Americans would be wrong. Funding cuts hit at procuring 'new' hardware. Funding cuts preclude hiring of 'new' expertise (contracts are notoriously ineffective). GSA regulations, the bidding process, and protests delay obtaining state of the art capability until it is badly dated.

Pile on top of that the Libertarian/conservative view that all government is bad and the 'beast' needs to be starved. So, they starve the beast and create a self-fulfilling prophecy that Federal folks are incompetent.

The vast majority of Federal folks are competent and dedicated. Congress needs to get off of the 'pillory the Feds' horse and give them the funding needed to get those state of the art defenses. We need newly trained people first and then the equipment to help them succeed.
Jesse Marioneaux (Port Neches)
Well this is the reason why you don't outsource everything to China. China is making a fool out of you Americans. China is out there to conquer not make friends.
Bob S (New Jersey)
The problem is that better security is expensive and Americans do not want to spend money. A few years ago many Americans were saying government talk of cyber attacks were just a hoax for government to spend more money.

Better US security for the internet requires hiring many more government employees with excellent computer skills. This goes against the idea of using contractors.

Contrary to public opinion there are no simple solutions and dedicated government employees are far better than contractors.

By the way we have today in the NY Times an Op-Ed from Edward Snowden.

We really are living in Wonderland since Snowden did more damage to the United States with his theft of tens of thousands of government documents than this latest cyber attack against the government.

Snowden is also a good example of why it is better to hire government employees instead of contractors. When Snowden was a government employee at the CIA it was quickly seen that he was attempting to access secret information that he had no reason to access. Snowden did a great deal of damage to the US but he would have done even more damage if he had not been forced to leave the CIA.
Scott Wilson (Earth)
Hopefully every federal employee who works for the NSA in the areas that invade ALL of our privacy are included.

How do you like them apples, cupcakes? Karma is a you know what.
DSS (Ottawa)
In China data hacking either for commercial gain or espionage is the same. What they don't say is whether or not this capability, no matter where it originates, can affect the power grid, the banking system, stock market or air traffic control. That's what's really scary.
Rebecca (New York, NY)
Let me just publish my Social Security number here in the New York Times. It's been stolen so many times, I can't even pretend it's private information anymore.
Benjamin Greco (Belleville)
I know the left has canonized him but one day it will be revealed that Edward Snowden was a spy and all the recent cyber attacks were facilitated by information he stole for the Chinese and Russian governments. The so-called NSA revelations that everyone went ballistic over were probably the least significant secrets he stole and acted as a cover for the even more important stuff he took. The CIA either already knows and doesn't want to admit it or doesn't know and doesn't want to because they would be embarrassed that they let someone get so deep into our National Security secrets. The only fools in this story are the American People who have turned a traitor into a hero.
Neal (Westmont)
I see this as a false-flag inside job done to either 1) gain funding or 2) as a propaganda tool to keep Americans content in giving our surveillance and intelligence services unlimited power, and/or 3) part of the continuing campaign to paint Beijing as the world's boogeyman.

Unfortunately, no matter how much information our government and intelligence services have (warning before 9/11, beforehand knowledge of Madrid bombings, warning from Russia on the Boston Marathon bombers, etc...), nothing is prevented. Even more maddening, the efforts of the NSA to weaken encryption (shown in documents provided by Edward Snowden) are only going to help hackers.
Rag (Seattle)
Four million citizens have their data hacked and the writers worry about warrantless surveillance and citizens caught up in the government's work to stop such hacking. The Times has its focus wrong.
ejzim (21620)
THIS is what the government should be building a system to combat, not collecting information on every citizen. It's outrageous that we haven't done so, already. Take some of the trillions being spent on war, and use it to strengthen our own country, right HERE.
Art Lover (Cambridge MA)
The problem here is more with the guardians of our data than with the hackers. When you leave something valuable on the sidewalk you should not be surprised if someone else picks it up.
Nancy Levit (Colorado)
THIS is the result of too much reliance on Technology over Professionalism and Privacy! Technology is not safe or private so why must we rely on it so much specifically when it breaches OUR PRIVACY! Does our Government fail to acknowledge that there are hundreds if not more Hackers out there; some do it for fun and because they can while others get paid to do it!
Yet everyone thinks that the convenience of technology is so cool and easy when reality speaks differently!
NM (NYC)
How's that small government working for y'all?
Carlos (Long Island, NY)
I only hope the nuke codes are not in Government computers.
Josh (Milwaukee)
Kind of amazes me that with our $50 billion a year defense budget we can't even protect our federal employees' personal information.
John Warnock (Thelma KY)
Are our intelligence services probing China and other potential adversaries' computer systems as they are ours? Hard to protest if it is "tit for tat". If we can cause Iranian Centrifuges to run amok it should be possible to deploy defenses that would do the same to hacker systems. In any event our government needs to have more robust cyber-security systems and rethink who the people are that manage so many of the electronic systems in this country. Even corporations need to rethink some of the outsourcing going on like the recent example of Disney firing American workers to justify bringing in third world nationals to run their back office systems at Disney World. The immediate cost savings would be a pittance compared to the potential damage from cyber sabotage to their systems.
GT (Freeport, NY)
Some corporations are willing to turn over source code to China to do business with them. We have offshore programmers and H1B visa folks all over our systems.
The United States has had primacy in IT since that acronym meant something. There is absolutely no good reason to relinquish that mantle. It's time for a federal response to this crisis. We need to put long term interests ahead of a few corporations making what looks to them like a very small short term gain.
There is a lot of talk about getting kids college educations. Let's get them jobs. We can teach and lead the world in this frontier of technology.
jms175 (New York, NY)
We know Snowden released information on tactics used by the NSA to break into Chinese and Russian government systems. How can we be sure they didn't just use our own tactics against us?
Tom Schweich (June Lake, CA)
Riiiigghhhtt! Let's focus on the Chinese. Let's wring our hands about CYBERATTACKS! Let's buy some credit monitoring! Yes! Yes! Let's do everything but focus on why the data was left in a vulnerable place. Which highly-paid manager held the budget purse-strings that forced the techies to make poor data security choices?
CharlieSeattle (Kashmir, Pakistan)
If China was REALLY a threat Congress would repeal China's MFN (Most Favored Nation) trade status and treat them like we did when Mao was ruling and making the same threats.
Dave (Rochester, NY)
norman pollack: "The chickens come home to roost." Do you think China wouldn't be doing this if we'd played nice all along? Are you that naive? "Genuinely amicable relations" sounds great, but nations don't have friends, they have interests. And the Chinese don't want to be our friends in the first place.
Ender (TX)
Jeez, China, who would have thought? Why do we do business with these folks? Oh, yeah, multinationals make $trillions while consumers of the imported goods suffer.
jms175 (New York, NY)
How do we know that the information that Edward Snowden released didn't make it easier for this to occur?
NorthernVirginia (Falls Church, Va)
Perhaps the Chinese should put their technical skills toward something useful, like river cruise safety, for example.
Ulf Mattsson (CT)
It is concerning that “The target appeared to be Social Security numbers and other ‘personal identifying information’.” We have seen a pattern in the recent data breaches, including the IRS breach. The criminals start by initially stealing data from potentially less protected systems and use that data to attack additional systems.

Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber attacks. According to the survey database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security. Ponemon concluded that “This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification.”

I found great advice in a Gartner report, covering enterprise and cloud, analyzed solutions for Data Protection and Data Access Governance and the title of the report is "Market Guide for Data–Centric Audit and Protection.”

The report concluded that "Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act."

Ulf Mattsson, CTO Protegrity
Jay (Rhode Island)
It's pretty clear from the hacking activities of PLA Unit 61398, and North Korean hackers at the Chilbosan Hotel in Shenyang that the Chinese Communist Party is bent on using the Internet's wide-open freedom as a weapon against the free world. It's also obvious from their erection of the 'Great Firewall' that the CPC
Matt (NH)
Last week we learned that TSA agents have failed at preventing dangerous items, including weapons, from slipping through security.

And yesterday we learned of the attack on OPM.

And the Patriot Act, under a new name, continues in effect.

And then there's the bogus threat of the schlemiel in Boston who was killed after threatening to behead someone.

There is no security. There is security theater. These latest attacks and threats will be yet another in a long line of bogus eye-openers, and nothing will change. Regardless of the various cyber commands, as a nation we have neither the will, the funding, nor the capacity to engage in, or counter, cyber attacks. Instead we have Congressmen and Governors believing that the US is planning to impose martial law in Texas. Perhaps things will change when we have real adults governing as adults and as leaders; I'm talking to you, Republicans.
John (Indianapolis)
Who is running the Executive Branch of Government? Your target needs to be brought into your scope - POTUS and his entire administration.
Vlad (Wallachia)
Where to start with this nonsense? The fact we hack other nations' systems, but are outraged when they return the favor? The fact we act as if the Chicoms (using slave labor) are our friends, kinda, but not really? The gross incompetence of our gov-co? The fact gov-co has plenty of time to violate the rights of citizens, but doesn't have time to harden systems? Pretending this is inevitable is absurd, and is the excuse of people who should not be in charge of a lemonade stand, let alone holding secret data.
GTM (Northwest OR)
Your reporter might want to check in with some federal employees before reassuring your readers that workers have been notified about this breach. My husband works for the VA as a federal employee (VA records are held at OPM), and he has received no notification or offer of credit counseling related to this latest episode.
blackmamba (IL)
Who knew that any nation other than the exceptional American land of the free and home of the brave could use cyber warfare and spying against other nation states and individuals?

Who knew how incompetent and unprofessional the American national security defense intelligence infrastructure really was and is?

There was no competent professional Constitution preserving, defending and protecting excuse for what happened to America on September 11, 2001. It did not happen because America could not kidnap, torture and indefinitely detain people. Nor was it caused by an inability of the American government to spy on all Americans without any particular showing of probable cause or due process. Nor was the governments inability to target and kill American citizens without due process a problem. Nor was the inability of our government to eavesdrop on foreign friends and foes alike a fault.

Uncle Sam is increasingly a musclebound chimera chasing fool beholden and bewitched by the military-industrial complex into acting against the national interests and contrary to American values. We owe much insight and thanks to the 9/11 Commission Report and the brave selfless patriot Edward Snowden.
Jim S. (OC, CA)
Whenever this type of breach happens with a U.S. public company the federal government immediately begins sticking their nose in and wanting to impose fines in the millions of dollars. What will the federal government do to itself now that it has exposed private information of millions of its employees? Nothing, I'll bet.
jackl (upstate)
Make corporations like Target, Anthem and Home Depot responsible for damages and stiff fines to consumers affected by data breaches in their probably understaffed and outsourced IT departments (c.f., yesterday's article on Disney firing their staff for cheap H1B Indians) instead of giving them lame remedies like "one year free credit reports" and maybe you'd see some incentives for companies to bolster their obviously woeful security.

I'm sick to death of hearing that XYZ corporation is going to give me one year of free credit reports (the subscription to which takes hours, let alone poring over that data looking for fraud). Where is the FTC?
sanjay (pennsylvania)
But this is not a data breach at a private corporation. It is the federal government. The systems are manned by federal employees; they are not outsourced.
Carter (NYC)
This feels like a completely fake story given the NSA just lost their privileges and the DoD is looking to build up the machine against China. Or is it a real story but someone is giving the access on purpose to get funding?
Timshel (New York)
Is it a coincidence that just at the moment President Obama is playing the "fear China" card to justify Congress letting him sneak TPP past the American people, we just now learn that this breach was linked to China?

In any case, this breach is a very good reason to increase funding to have the U.S. government hire more qualified security personnel, instead of paying outrageous profits to private security companies to perform what is a basic government function. Using the Republican patronage-packed Homeland Security Department will not solve the problem.
marymary (DC)
Q. whether people will want both government control of information and government exclusion of data gathering.
The Poet McTeagle (California)
Hopefully the data of members of Congress was affected--that may improve security for everyone. Otherwise it is just the little people's problem, like paying taxes.
Jay (Rhode Island)
Since China refuses to use the Internet in a responsible fashion, I think we ought to reverse-engineer their "Great Firewall" in the opposite direction. The entire country should be sand-boxed until further notice.
jjc (Virginia)
As a former, long ago federal employee, I wish the article had told how far back in time these data go. I don't think OPM had my records on computer when I left, but some ambitious soul could have entered them at some point.

Also, it would have been helpful if the article gave a contact at OPM to request free credit monitoring, if needed.
Philip Wright (Minneapolis)
What are we doing to them? The US has the most SuperComputers in the world. Why don't we have an internet where everyone has to identify who they are?

http://www.top500.org/
DWS (Dallas)
When government officials express "little doubt" but provide no evidence I get skeptical. It would take only a little effort to build systems with which to generate, manage and appear to operate a cyber attack from China but be physically located anywhere, downtown Manhattan for instance. How better to conceal true identities and motivations than to adopt a "Chinese" origin by providing a few misdirecting clues in the code and network origin.
birddog (eastern oregon)
Er I see, 3 breaches in one year and multiple documented intrusions by both Chinese military installations and "Civilian" contractors over the last five years. Now who's blowing smoke?
troublemaker (new york, ny usa)
Appearances can indeed be deceiving. There are an awful lot of Russian and other Asian oligarchs using shell corporations to buy real estate in Manhattan...
Mike (Montreal, Canada)
China is clearly waging a low-level cyber war against the US government and economy. It's time for the US to respond forcefully.

For my part, I am boycotting Chinese products as much as possible.
soxared04/07/13 (Crete, Illinois)
Where is "American exceptionalism" when we need it? We don't have the brains needed in this industry to prevent these disasters? Could this be one of the results of decreased funding for education? We seem to be more than a step slow in identifying cyber thieves, foreign and domestic. This incompetence probably has nothing to do with conflicting national priorities, like deregulating industries, preserving infinite cap-free campaign spending capabilities, and other more important priorities. Finally, the intellectual quality of recent incoming Congressmen (and Congresswomen) had never been lower. How can problems like this be addressed by those on subcommittees who are provincial and backwards in their world views, people who are astonishingly ignorant?
sophia (bangor, maine)
I thought America was the best of everything, superior to all. It seems we have a very difficult time truly protecting ourselves. Maybe President Obama should pardon Ed Snowden and bring him home to head up our computer protection systems.
trblmkr (NYC)
So, is the advent of everything being put "online" still a net positive? I don't recall these things happening with this frequency or scale when files were kept in a filing cabinet? Does even asking that make me a Luddite?
BCN (Glenview, IL)
Where is the NSA in all this? While they were scarfing up all our phone calls, who was watching the store? Terrorism today isn't just the military type, nefarious as that is - but this country will be shut down in a heartbeat if electronic communication is derailed.
Usha Srinivasan (Maryland)
Tear China's bamboo curtain and expose it for what it is-- a thief. This is dangerous. Our electrical grid, our water, nuclear facilities--all are vulnerable. We need global treaties on this issue. The UN should address this as a global threat and we need enforcement with extradition and prosecution in a Global Cyber Court to the fullest extent of the law. Like climate change this too is an issue about which world leaders drag their feet without consensus or robust counter measures.
Kathryn B. Mark (Chicago)
It seems remarkable to me just how successful other countries are in hacking our supposedly highly confidential information. Are we that technologically inept? And why, does it appear to take so long to put in place firewalls to prevent this behavior knowing full well their intent? Through past history I take no comfort in the government's empty promises of concern for responsibility.

Very unsettling.
RCT (New York, N.Y.)
Looks like the only government employee who had a secure server was Hillary Clinton.
Cab (New York, NY)
Remember the good old days when a spy or saboteur had to physically enter a facility, unlock doors and drawers to steal or photograph documents, then pass the information through a cleverly orchestrated network out of the country? Now there's an app for that.
Abby (Tucson)
We must push those who misappropriate our data into court and make it hurt. Until they feel the pain, we bear it. Sue the data loafers into the ground! Then you'll finally see encryption get tossed around.

Gonna bring the whole admob gang down. Those smart pipe grifters who sift us for them? Out of business.
Mr. Robin P Little (Conway, SC)

At some point in the past 20 years, I'm guessing about half of all Americans have had their Social Security numbers spilled out into the public domain by various private and now, foreign-government-employed hackers. Maybe my guess is wildly optimistic, but at some point in the near future, none of us will be safe from having our digital identities used by another person.

We are approaching a point where no amount of personal consumer safety behavior such as using long passwords, not revealing them to others, etc will make any difference to our digital security. These U.S. government employees did nothing to cause this data breach, yet it is their information which is now blowing in the winds of cyberspace. Maybe we should be rethinking this whole online-all-the-time paradigm, and go back to paper record keeping. What we're doing now isn't working.
Abby (Tucson)
Look, if the net is made safe by encryption, then the admobsters have nothing to sell and the whole webby business model goes boom. Now that's scary.

They prefer to make money until the music stops, again. Keep it under your hat, NYTs.
Kvetch (Maine)
When the Chinese Peoples Liberation Army was indicted for hacking into private American corporations, one could argue that it was mere theft. If this recent hack into the Office of Personnel Management was done by the Chinese state, is this not an act of war? If we don't react in the way a nation should, we risk an appeasement not unlike that granted to Hitler in 1938.
David (Nevada Desert)
Wow. I was born in 1937! Do you know what you are talking about? Act of War? Is that what you want? We have Yucca Mt., Top Gun and zillions of secret military bases here in the Nevada Desert. What do you have to lose except lobsters and L.L. Bean???
David Lockmiller (San Francisco)
Are these the same Chinese that President Obama is now advocating for inclusion in the proposed fast-track trade agreement?

Maybe he should do some rethinking on this proposal. China's idea of fairness is not the same as America's idea of fairness.
Rob (Mukilteo WA)
What we have is one more reason the NSA's bulk collection of when and where Americans' phone calls and emails are sent; the inability to guarantee that such data won't be breached.
Uga Muga (Miami, Florida)
I've only spoken to a few visiting Chinese in the past year who were pursuing post-graduate degrees at US universities. So beware of the sample size. The comments made were that, unlike in the past, the Chinese people no longer fear, respect or are impressed by the US. It's seen as a laughable power with people in decline. With that and the likelihood China trusts the US as much as it trusts the former, it would seem no crossborder or international agreements on data protection and integrity will be struck or if completed, both sides would cheat like there's no tomorrow.

I opine that in reference to comments that mutual agreements to limit hacking, data theft and cyber warfare are possible. The only hope might be a digital version of restraint due to a reality of mutually assured destruction.
Contrarian (Edgartown MA)
If the Chinese have your SSN you are in much better shape than if the Russians have it. The Chinese want to monetize this info without draining your bank account. Russia on the other hand is a giant criminal enterprise from top to bottom. In the words of one of my former Russian colleagues about growing up there he said "imagine if John Gotti ran the country".
PK i (South Carolina)
When will the US government acknowledge that the Chinese are not friends, not civil, and certainly not allies of the US and in fact this cyber-activity is an act of war that deserves and requires direct action in response?
I suspect our intelligence communities can pinpoint the sources of these attacks and therefore should be able to "attack" them directly. If not, we are the equivalent of a bucket with thousands of holes in it.
Anthony K (Minneapolis)
Details of top-level security clearances are on the internet?? Seriously?
AL (NYC)
It seems like many resources are wasted on the government implementing policies, staff, software for use on low-level federal employees to promote security. But, loses sight of the most vulnerable places.

For instance, a federal agency implemented a plan to encrypt all the laptop computers for all of its 10000x federal workers -- most w/only PII on the individual machine's user. Meanwhile, it allowed a contractor to take an unencrypted laptop with the entire agency's database off site and unencrypted. (It was stolen.)

It implemented a plan that only set IPs can remote log into its low-level user machines (w/ only the individual's PII), while this story tells of OPM having less strict requirements for its machines.

Low level workers are given annual IT security training -- about at the level of 'don't click unfamiliar links'. Meanwhile, it does nothing to address more subtle means of attack. (Need to download open-source software, but malicious mirrors can add in bad code.)

Agencies try to centralize IT security by having contracts with service companies to provide machines and security. But these systems are notorious for being several-years-old technology with older (more vulnerable) software. Are these contractors hired because they are the most knowledgeable or b/c the contracts are the most competitive (cheap)?

This story also highlights the need to move away from social security numbers and birth dates to more secure, less easily stolen identifiers. (biometrics?)
kathleen (Colfax, California (NOT Jefferson!))
We all just might as well post all of our personal info freely everywhere, because it appears to be a hopeless endeavor to protect any of it.

None of the entities we are FORCED to provide our most private personal and financial details to has much (if any) interest in protecting our privacy--after all, why should they invest the money in real security measures when all they have to do in the event of a breach is to offer an "oops--sorry" and some cheap identity protection service to those whose privacy was violated?

Hey, I like the convenience of the internet as much as the next person, but it's clear that it was a bargain made with the devil. There is simply no way to protect myself from the serious harm it can cause me!

No matter what I do with my own computers, no matter how much I invest in protections, there will always be employers, former employers, insurers, medical offices, government entities, and corporations who don't give a rip about protecting me or my data.

It's too late for protection now: all of our data is out there for the taking. We are all naked to the world.
Jon (USA)
Kathleen, I agree it is very frustrating where those like you & me do everything possible, everything we are told to do to be safe from viruses & hackers. Don't click on unknown links, best anti-virus & firewalls, be careful what you post that is personal information about yourself, etc., yet, we constantly have things like this that occur & actually what ticks me off is when they act like giving you free credit monitoring for a few months is really doing something.

However, people to me are really unbelievable on this as well. We are really vocal about government surveillance as we should be & should always be paying attention to what is going on with our government but yet people will post all kinds of info on the web or give out all kinds of info to private corporations without a thought. Just find that rather contradictory.
JPM08 (SWOhio)
I think any data connected to the Web is open and free to all, no matter what kind of security you have......the open source code theory has eaten us all
Abby (Tucson)
Never had to happen, but NSA wants barn doors left open so they can haul their trawlings away, too.

Encryption, it's not a sin, it's the only way the net will work safely.
Mark (Indianapolis)
I am getting tired of all the blatant and cyber attacks coming out of China and the Chinese government's refusal to curtail this activity. Perhaps it is time that as citizens, and as consumers, we register our protest by boycotting all Chinese goods. Sending a few thousand jumbo cargo ships back to China with the cargo still loaded might send a message that they will understand. Enough already.
barry (new jersey)
So, maybe Hillary Clinton wasn't that stupid to have her own server in her basement to keep her stuff private. She was smart enough not to trust the Government Computers to protect her stuff!
Mary (Atlanta, GA)
No. Her server could be hacked just as easily. She did it because she does what she wants, when she wants.
DT (New York)
If it's China behind these attacks, we will have no choice but to get tough with them and ask them politely to please maybe consider stopping.
Patrick, aka Y.B.Normal (Long Island NY)
Why are vital statistics and data infrastructure still connected to the internet?

There should be internal networks not connected to the outside world. That is the only way to assure data security. As long as government servers are connected to the internet, the possibility of data breaches rises exponentially.

Create internal isolated networks for sensitive data.
Raj (Long Island, NY)
Nothing happens in One Party State China without some level of governmental blessing.

With this episode, perhaps the Chinese regime is merely demonstrating their abilities in accessing official, protected American servers, at any time and place of their choosing.
Coolhunter (New Jersey)
So, nothing digital is safe. Perhaps we should re-visit O's statements of respect and never safer. Could they be lies, or just someone who is in an advanced state of delusion. Seems national security, all kinds, is something the O administration does not do, ever. It appears that O is waiting for some type of digital intrusion to be destructive before he will act, you know take down the electrical grid or spin the elevators in the Freedom Tower out of control. Wake up America, quickly wise up to O and ask him to resign.
george eliot (annapolis, md)
Katherine Archuleta, the personnel agency’s director, said in a statement, “Protecting our federal employee data from malicious cyberincidents is of the highest priority at O.P.M.”

Well, obviously it isn't.

When it comes to lying, the Government's agency directors are on a par with corporate ceos.
born (Raleigh NC)
are you serious? when it comes to lying, the government's agency directors hold the world championship trophy. says someone whose personal data was just hacked out of opm.
Cybdiver (Antigua W.I.)
On the bottom of all the equipment it says "Made In CHINA!" common folks get a clue here. It's time to stop producing computers in China. The hacking code comes preinstalled no extra charge. As long as we keep buying computers from China we are going to keep getting hacked. It's all hard coded on the chips. They can turn it on and off like a light switch. They won't have to invade a country to take over they just turn off your infrastructure. China is probably using the NSA to accumulate information. I could tell you how to prevent these problems until we start making computers in the USA but I'm a capitalist so who wants to know?
A lawyer (Kentucky)
So purchasing that $8.99 Chinese-made USB WiFI dongle via Amazon wasn't necessarily a good idea you say?
Christine (Westchester)
As a recently "separated" VA employee I was NOT told by the Office of Personnel Management about this compromise or that I could request 18 months of free credit monitoring. Dear OPM, reading in the NYT that your data has been compromised does not constitute notice. Congress, where does the "Personal Data Notification and Protection Act of 2015" stand?
born (Raleigh NC)
not only that, christine, but it has been made public that we will be offered 18 months of free credit monitoring. 1) credit monitoring is already free on some websites. 2) whoever now holds all our personal data knows to just sit on it for 18 months and then we're on our own to try to fight whatever happens to us as a result. our current or former employer will leave us high and dry when we start seeing the effects of this data breach on our personal lives, and the lives of anyone we ever covered on our health insurance (spouses, children) or named as beneficiaries to our pensions and life insurance. the ONLY thing opm doesn't know about us is what colour underwear we're wearing.
Melio123 (MA)
Dear China, will you please start coming up with your own ideas instead of stealing from everyone else?
Mike Zhang (Chicago and Shanghai)
That's right, China stole so many things, such as printing, paper, gunpowder, compass... the list is too long. Please check out here: http://en.wikipedia.org/wiki/List_of_Chinese_inventions
NYTReader (Pittsburgh)
The purpose of the Chinese hacking is very clear.

In the event of a hot or cold war, China could massively disrupt the personal lives of government employees thus substantially degrading their performance in executing their official duties. This is an extremely effective form of cyber warfare. It is low-cost and high impact.

The United States has to get very serious about cyber security, we are a uniquely vulnerable country.
NorthernVirginia (Falls Church, Va)
"In the event of a hot or cold war, China could massively disrupt the personal lives of government employees "

If we get into a hot war with China, I hope those government employees will be too busy for personal lives.
Jack (Arizona)
If Congress is aware of a possible failure in critical security infrastructure--

...Representative Adam B. Schiff of California, the senior Democrat on the Intelligence Committee, called the intrusion "shocking because Americans may expect that federal computer networks are maintained with state of the art defenses."

He said enactment of new cybersecurity measures was “perilously overdue.”--

then there must be a good reason why it wasn't done.
I hope that the reason doesn't revolve around lobbying efforts by US business concerns. e.g., GM, with mega investments in China. That would call into question whether GM's China business model is an entailment of its US bailout. And if so, why that bailout money was not used to upgrade our Nation's security infrastructure.

Let the hearings begin!
born (Raleigh NC)
the primary reason is budgeting. the republican-led congress has stripped the federal workforce to bare bones and has defunded the vast majority of it. they don't want any money going into the federal government or workforce or agencies for running of their programs or protection of their systems. let's see if what we hear next is that all these things, especially the protections, should be contracted out. so if you were afraid federal employees who've passed background checks and are strictly monitored can't protect your sensitive data, let's let john q. anyman who just got hired for xyz data protections inc to protect you.
jwp-nyc (new york)
The abiding irony is that Chase, Citi, Facebook, Paypal, Google, Apple, and other private corporations that monetize our private information with incremental agreements that erode our privacy and diminish their liability if breaches occur through their negligence, are allowed to operate with zero oversight.

Americans worry about the government having information on them, but gladly volunteer it to private corporations to sell and make money off them. What's with that?

As for the role the NSA plays in protecting American data, it should take down and disable intrusive hacking attempts by setting up data traps and tracers of its own. Probably it is, and the reason we're all treated to such stories through the hysterics of Fox News outlets is to grow public support for protection mandates to the NSA. This is a pretty old game isn't it? It's called the protection racket. There are plenty of hacker outfits and marginally legal internet operators and advertisers with malware and stealth ware right now running that game - 'clean your mac?' and other type scams that implant super cookies - 'subscriptions and paywalls' - including those run by many online publications, that operate under policies that sell access to such outfits. The average consumer hasn't a clue.
Steve Singer (Chicago)
If a Chinese PLA cyber-intelligence unit actually is behind it (50/50), I see it as part of a much bigger picture, and an infinitely more dangerous problem: China's South China Sea adventurism logistically supported by base-building on and around Mischief Reef in the Spratly Islands, tiny uninhabited specks China claims are its territory.

If this colossal hack is their doing, think of it as a friendly reminder, a tap on our shoulder: if push comes to shove in the South China Sea they might take a drubbing and probably will. But they can really scramble our eggs here without too much trouble.
Rocketscientist (Chicago, IL)
We are at war with the Chinese whether we want to be or not. They will continue to steal information until stopped.
Mike Zhang (Chicago and Shanghai)
"We are at war with the Chinese whether we want to be or not. They will continue to steal information until stopped."

I cannot help thinking how convincing it was that Iraq had weapons of massive destruction.
Peter (LI, NY)
Assuming that the government can prove the location of the intruders, I would expect some reaction more than crying wolf and leaking the facts to NYT.
US has been very soft on China with timely enforcing reciprocity in trade and policies, consequently, we demonstrated our repeated unwillingness to act.
As it was proven with delayed reaction to China building an artificial island to expand its maritime territory, the slow, weak and childish approach of complaining to the media has only encouraged and fired Chinese cyber attacks.
Realist (NYC)
China has decided to steal data from US government, US companies and setup their own manufacturing to undercut Americans. We really should hit them where it hurts, stop buying Chinese made crap and send a message.
The Wanderer (Los Gatos, CA)
That's a great idea, except that the share holders of American companies have demanded that our goods be made in the lowest cost manner and location possible in order to make the highest profit. Any company that attempted to move operations back to the United States would be severely punished in both the stock market and the market place. Heck even Disney is laying off American workers and sending the jobs overseas in order to keep costs down and profits up.
swm (providence)
Employees need to be given an option to opt out of having their personal data stored electronically by their employer.
george eliot (annapolis, md)
I read an article in this month's Atlantic by two of my favorite banksters, Hank Paulson and Bobby Rubin (architects of the 2008 financial collapse).

I'm sure if they were writing this article in the 1930s, they'd be arguing for Ford and IBM to continue doing business with Germany, and for U.S. Steel to continue doing business with Japan.

Leave it to business tycoons to solve all our problems.
Todd Hawkins (Charlottesville, VA)
First things first, we need to totally get rid of archaic Social Security numbers. Credit and identity theft starts there.
Frank W Smith (Boston MA)
It is increasingly clear that in the internet world we need the NSA to actively engage hackers.

The idea that innocent Americans might get swept up in an NSA surveillance is upsetting. Upsetting until compared to getting swept up in surveillance by the Chinese army.

Unfortunately the most uninformed computer people in the country are concentrated in Washington DC. Our Federal computer systems start off antiquated, never mind what happens after they stay in place for decades. The debacle with the computer systems for health care is only the tip of the iceberg. The bias is for old fashioned centralized systems with contracts for development going to the lowest (dumbest) bidder.

We need a strategic program to modernize our computer systems. It needs to bypass the congressional pork barrel and uses the extraordinary computer resources that only we have. At that point we might have options to the ham handed solution of NSA sweeps.
Jon (USA)
I don't know what the amount is spent on our cyber security but it seems that the constant attack of our federal government agencies & employees by the republicans is not the way to go to improve our cyber security defense. Also, this is one area of our military budget that may need to be increased. For today it would seem that cyber security is as important a defense as military hardware such as planes & other weapons.
Raspberry (Swirl)
Is this in the military budget of 540 Billion? Doubt it. I don't see it in the FY 2015 Defense Budget analysis. The article says the FBI is handling the case. Further, we really have no idea what the DoD is spending 540 billion on--that amount doesn't need to be increased, it needs to be accounted for!
Jon (USA)
Yeah, don't know Raspberry, agree & should have said accounted for & increased if necessary. My point on that is that I see cyber security as important if not more than all other forms of defense with the constant really high profile hacking going on that is obviously by other not so-friendly countries to us.
Raspberry (Swirl)
My post was a reply to Jon, below, who said we should increase military spending.
Kurt (NY)
Besides usage of the stolen information for criminal enrichment, since OPM holds security clearance data, this breach could have catastrophic national security consequences. For instance, security clearances by their nature would involve cataloging people's most embarrassing foibles and weaknesses. A foreign power could use this data for blackmail or other targeting purposes.

Recently the Obama Administration announced a new cyber security policy wherein we reserve the right of offensive retaliation as a disincentive to cyber attack. And while espionage is a murky area (and I'm sure we're doing it too), a line has to be drawn somewhere. Perhaps this is just such an occasion to place our marker as to where our tolerance ends.

But such also holds the potential to spiral out of control. We don't drop bombs on each other because we know that would mean war, yet we all happily attack each other in cyberspace as if such has no real world consequence outside of that. But at some point, dissatisfaction with what somebody is doing there is going to get someone killed and then we really have trouble.

Perhaps it is time to stop strategizing only for ourselves and to make some agreements with other states establishing the rules of the road before someone does something truly provocative and war ensues.
Abby (Tucson)
Kurt, SONY is Weill about this plot. Funny thing is encryption would take all the mystery out of crime thrillers.
norman pollack (east lansing mi)
The chickens come home to roost. Cyberattacks were of American origin, as in disrupting Iran's nuclear activities, before China and others instituted the practice. Eavesdropping, as on EU leaders, is a related act; in sum, NSA has been a veritable monster, contemptuous of Americans' civil liberties and, getting away scot free on that account, venturing out on a global basis.

Why pretend respect for privacy and civil liberties? And in China's case, if it can be proven that it is responsible for the recent attack, it would be well to recall Obama's Pacific-first strategy, in tandem with TPP, as aggressive moves to contain, isolate, and encircle China. Perhaps more genuinely amicable relations would lead to more harmonious cyber relations.
R. R. (NY, USA)
Cyberwarfare is only beginning to ramp up.

The US needs a major effort and expanded defenses for protection.
IT (Ottawa, Canada)
RR - The US is the world leader in hacking, data theft, etc. ... (and has been for the last half century). China is just trying to play catch up as are the Russians.
GSq (Dutchess County)
"We take very seriously our responsibility to secure the information stored in our systems"

Apparently you do not.