Private security clearance info accessed in second OPM breach
Officials believe Chinese operatives accessed information from SF-86 forms filled out by candidates applying for security clearance.
Hackers tied to China may have accessed private security clearance information in what is being seen as a separate hack of the Office of Personnel Management (OPM) from the one that the agency revealed last week.
They are believed to have tapped into Standard Form 86 documents that include information about arrests, drug use, mental illness and other personal information on military and intelligence applicants trying to obtain security clearance.
Not only do the forms contain data on the applicants themselves, they also include information on associates and relatives, identifying whether the latter are from foreign countries.
Splunk chief security evangelist Monzy Merza told SCMagazine.com that the breach was a national security matter. SF-86 forms, Merza explained, contain incredibly sensitive personal information not only on the applicant but also “on other people in their lives, such as spouses, children, love interests.”
The 127-page forms are detailed and specific, “asking about things that under law have expired,” including drunk driving convictions, traffic citations, “if you've EVER used illegal substances, even if you were never caught or charged,” he said. They ask for “a lot of sensitive information people share willingly because they know they're applying for clearance for a national security position” to serve the nation.
In the wrong hands, that information is dangerous. “Whoever has it can target these people or their relatives,” he said, noting that the OPM's data coffers might even include information on senior officials.
Rep. Steve Daines, R-Mont., in a late Friday tweet called it “deeply concerning that Chinese hackers could have access to our nation's military and intelligence agencies' security clearance [information].”
As it became apparent that the initial federal data breach was larger than first believed, exposing the Social Security numbers and personnel records of every federal worker – and as reports emerged that some of those records had surfaced on the darknet – members of Congress clashed over languishing cybersecurity legislation.
Senate Majority Leader Mitch McConnell, R-Ky., used the breach to try to push through the Cybersecurity Information Sharing Act (CISA) as an amendment to the Defense Authorization Bill and exchanged words with Senate Minority Leader Harry Reid, D-Nev., over which party was playing politics with national security.
And in a 56-40 vote Thursday, the Senate failed to gain enough support for the Defense Authorization Bill to push it through.
Merza noted that the extent of the “net fallout” from the hack is unpredictable at this point, and said it requires a tightening of data protections to “treat this [type of] information as national security information.”
He said the attack goes beyond security measures like encryption and perimeter control.
“Tech solutions are part of it but the question is what administrative and tech controls should be in place to protect info,” said Merza. “How is it accessible?” If the information is ultimately connected to the internet, “that should be revisited,” he added.
Noting the second major breach in a week, “it's troubling that the Obama [administration] has yet to prioritize addressing this problem,” Daines tweeted.
And Liebermann called the naming of an administrator, OPM Director Kathleen Archuleta, rather than someone with security chops, to head the agency “a severe and unrecoverable blunder.” The former educator, like most of those who served before her, is an administrator, which is not surprising since OPM's mission is providing “human resources, leadership, and support to Federal agencies.”
But Merza cautioned against “pointing fingers,” and said he feared there would be a knee-jerk reaction to the latest breach—like banning a move to the Cloud that could make it more difficult for people to gain security clearance and could impair important work. He urged that the industry and government act “in a mature fashion so we don't overstep and hurt people's ability to get clearance; to get people cleared to do a job.”
News of the second breach, and the possible compromise of SF-86 forms, ignited calls for dramatically and swiftly improving the data security of federal government systems.
Former Cisco executive and current Illumio COO Alan Cohen said that while identifying the data accessed, infiltrators and motivation for the attacks are all important, “it's also time to look where, why and how investments designed to protect against this kind of incident are being made.”
Calling cyberattacks “the new terrorism” in comments emailed to SCMagazine.com, Cohen noted, “The only way to stop the ongoing stream of breaches is to fully understand the entire ‘ecosystem’ of security technologies, client-side processes, resource allocation, etc., that are enabling breaches to continue to happen.”
Since cyber attacks are nothing new and not likely to abate any time soon—Lane Thames, security researcher at Tripwire, pointed out that “27 breaches were reported by various government entities in 2014 according to a database maintained by the Privacy Rights Clearinghouse”—government and private industry need to step up their game.
To get started, Thames suggested organizations can take three steps to protect themselves, beginning with knowing how to respond properly to an attack. “The lack of an appropriate response can be just as damaging as the cyber-attack itself, if not more,” he explained, in comments emailed to SCMagazine.com.
“To reduce attack surfaces,” he noted, “organizations must continuously work towards improving the security of their cyber-resources—it is never a one-time thing.”
And, they need to use the right tools to monitor cyber-resources. “Without appropriate monitoring tools, organizations will face significant challenges when trying to respond to successful attacks,” said Thames.