
Motives for OPM hack unclear, U.S. could retaliate

While President Obama's press secretary Josh Earnest declined to confirm allegations that China was behind the massive data breach at the Office of Personnel Management (OPM), he did tell reporters at a press briefing Friday that if a nation state was found to be behind the attack, President Obama would have the authority to retaliate.

“In April, the president, using his executive authority, signed an executive order giving the Treasury Department additional authority to use economic sanctions to punish or hold accountable those who are either responsible for a cyber intrusion or are benefiting from one,” Earnest told reporters, adding the example demonstrates Obama “using his executive authority in a way that reflects and demonstrates his comprehension of how significant the cyber risk is right now.”

Igor Baikalov, chief scientist at Securonix, acknowledged the president's authority in a statement sent to SCMagazine Friday, but asked, “Are we ready to explore it?”

And Lisa Sotto, managing partner of Hunton & Williams LLP's New York office and head of the firm's Global Privacy & Data Security Practice, had told SCMagazine.com in an interview that she expected that if the breach is the work of the Chinese government, “we will see some retaliation.”

But despite the chatter and musings about China's involvement in the OPM hack, Earnest refused to confirm that the country, with which the U.S. has had a dicey relationship when it comes to technology and cybersecurity, was the perpetrator of the attack.

“I can't get into any conclusions that have been reached about who or what country may be responsible for this particular incident,” said Earnest, pointing out that “the President has frequently -- including in every single meeting that he's conducted with the current Chinese President -- raised China's activities in cyberspace as a significant source of concern.”

That posture “was on display” last year, he said, after the Justice Department indicted five Chinese military officials for cybercrimes. “That's an indication that our law enforcement professionals certainly take the broader cyber threat very seriously and are aware of the threat that is emanating from China,” he said.

The FBI, he said, continues to probe the incident. So far, no additional details have emerged from their efforts. Beyond assertions that the attack was launched via a remote access trojan (RAT), it is unclear so far how the attack was launched, says Paul Shomo, senior software development manager at Guidance Software, which was called in to do a forensic investigation.

Saying that he didn't “know that OPM is unique” and that “the bad guys, especially state financed actors, have outpaced detection methods,” Shomo said it was possible that signs of the attack were “lost in a mountain of security events.”

Organizations, he explained, “often get as much as a million events a day, many of which are false positives.”

In fact, the Department of Homeland Security (DHS), apparently concerned about attacks, had issued a May Binding Operations Directive (BOD), the first of its kind, telling agencies to patch critical vulnerabilities in their networks, according to a report by Federal News Radio. A bill passed by Congress last year gave the department that authority.

Investigators do not yet know the motives behind the attack, James Carder, CISO of LogRhythm and vice president of LogRhythm Labs, told SCMagazine.com in an emailed statement.

“[This] could be literally anything from identity theft and fraud to full extortion and individual targeting,” Carder wrote.

The information “could be used for general financial gain or to obtain US intelligence and intellectual property,” he said, noting the most “interesting information” is OPM's security clearance data. “Pieces of the data could even be split off and sold to other nations or criminal groups.”

One thing is for certain, Carder explained: “OPM was targeted for the rich, single source of federal employee identities.”

If attackers targeted a single agency, “then you get that entity's information, but if you target OPM, you get the information for all the federal entities,” Carder said.
