OPM breach diverges into finger-pointing and dispute over initial detection
The federal government are scrambling to answer questions about the recent OPM breaches, including how it was detected, what can be done to mitigate future risks and how to best retaliate.
First it was one colossal Office of Personnel Management (OPM) breach, and then it was two. While the U.S. government and law enforcement sort through lost data and grapple with the total breadth of the breaches, Congress has its own work ahead.
During a Friday press call, White House Press Secretary Josh Earnest directed criticism at Congress, in addition to other federal government arms, for their failure to clamp down federal cybersecurity policy.
“There are some steps that we could implement that require congressional authorization that could make not just the federal government but also the private sector more nimble and more effective in communicating with one another to make sure that we're doing everything we can to protect the computer networks and the data of the American people,” Earnest said.
He went on to describe information sharing legislation and how it could help the private sector and federal government work together to prevent further intrusions.
Legislation doesn't appear to be close to passing, considering the Senate failed to pass cybersecurity legislation as part of the National Defense Authorization Act on Thursday, but at least one Congressional committee is pushing for answers on the breach in the meantime.
The House Committee on Oversight and Government Reform called OPM officials to a Tuesday hearing that at least some OPM staffers will attend, according to The Washington Post.
Chariman Jason Chaffetz said he wants an explanation and no more “hiding behind a press release.”
As far as retaliation, it remains to be seen how exactly the Obama administration will fire back at China, the primary suspect behind the breaches. The Obama administration previously used economic sanctions against North Korea after the Sony hack but has left its policy wording open to other means.
Two Senators requested this past week, for example, that the International Monetary Fund (IMF), an international organization, deny China's attempts to make the yuan a reserve currency.
“It is long past time for the international community to rally together and make crystal clear to the Chinese government that if they want to be treated as a leading nation on the global stage, then they need to start acting like it,” said Senator Charles E. Schumer (D-N.Y.) in a press release. “Until China curtails their hacking operations, the IMF shouldn't designate the yuan as a reserve currency. We need to punish China's bad behavior, not reward it.”
Beyond retaliation and legislation to prevent further breaches, the government still hasn't totally clarified how it discovered the breach.
The OPM said its internal intrusion detection system alerted it to the attack, while The Wall Street Journal reported that a Virginia-based cybersecurity firm said it discovered spyware on the network while demonstrating its product.
The OPM denied this report, calling it “inaccurate.” The firm, CyTech, said it was “unaware if the OPM security staff had previously identified” the malware.