Let’s say my brother and I are out on the town. He insists on holding my purse for me while I use the restroom, but then leaves my purse sitting in plain sight right on the bar, and some creep steals it. Should I trust my brother with my purse, ever again?
The U.S. Office of Personnel Management (OPM) sent me a letter this month informing me that my personal information was stolen in a “malicious cyber intrusion” earlier this year. My personal data (such as my SSN, name, address, date of birth, place of birth, residency history, employment history, educational history, personal foreign travel history, immediate family members, business acquaintances, personal acquaintances, medical history, criminal history, financial history, and more!) is all now somewhere out there in cyberspace, and like extinction and herpes, the Internet is forever.
This breach alone affected 21.5 million people and exposed the fingerprints of 5.6 million of them, including mine. I provided that information, and my fingerprints, to the federal government long ago when I applied for a job as a research assistant at the Smithsonian Astrophysical Observatory. What started as a paper folder somewhere along the line got connected to Skynet – sorry, the Internet – and my fingerprints, which I can never change, were digitized and uploaded along with everything else.
What if I had found my brother two years ago photocopying my diary and circulating it to his friends for laughs, and that when confronted he just muttered something about it being to “keep me safe” because “there are dangerous people out there”? What if he then went out on the street with a bullhorn, telling everyone who will listen that we need to give him special keys to unlock all their stuff, because if we don’t, the Terrorists Will Win? What if he decided all on his own to break every lock in town, so he could access any document at any time? How much should I trust him then?
The government took six months just to tell me that my data had been compromised, and that’s not even the worst of it. The federal budget President Obama just signed contains the Cybersecurity Act, a bill that will funnel everyone’s data into the hands of Big Brother.
James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, says that “the dark secret is there is no such thing as a secure unclassified network. Law firms, think tanks, newspapers — if there’s something of interest, you should assume you’ve been penetrated.” The FBI’s former head of cybersecurity investigations, Shawn Henry, says, “I’ve yet to come across a network that hasn’t been breached.” In the private sector as well, breaches have affected everything from Anthem to Ashley Madison, Home Depot to Hello Kitty, and LinkedIn to LastPass.
The government cannot plead ignorance here. OPM didn’t just know that data breaches were a serious concern in general—it was specifically and repeatedly alerted to the fact that the protections in place on its systems were grossly inadequate. The OPM hackers had access to the system for at least a year before the intrusion was even detected. A federal employee union has already filed a class action suit accusing the OPM of negligence for failing to heed several years of warnings from its Office of Inspector General that the OPM’s cybersecurity protocol was deficient.
Just for reference, here are the federal agencies whose systems were reported hacked this year alone:
- Census Bureau (USCB)
- Central Intelligence Agency (CIA)
- Department of Defense (DOD)
- Department of Energy (DOE)
- Department of Homeland Security (DHS)
- Department of Justice (DOJ)
- Department of State (DOS)
- Environmental Protection Agency (EPA)
- Federal Bureau of Investigation (FBI)
- Federal Communications Commission (FCC)
- Joint Chiefs of Staff (JCS)
- National Aeronautics and Space Administration (NASA)
- National Oceanic and Atmospheric Administration (NOAA)
- National Security Agency (NSA)
- National Weather Service (NWS)
- Nuclear Regulatory Commission (NRC)
- US Army Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance (CECOM)
- US Army Corps of Engineers (USACE)
- US Navy (USN)
- US Postal Service (USPS)
- White House
In 2014, new malware appeared at a rate of roughly a million samples per day. Crypto-ransomware attacks increased 4,000 percent. Most concerning of all, in 2014 it took software companies an average of 59 days to roll out patches after vulnerabilities were discovered; in 2013, the average was only four days. And the government’s response, so far, has been to (a) insulate companies from liability for sharing information, (b) funnel as much data as possible into the government’s insecure systems, and (c) require absolutely nothing of companies in terms of basic security hygiene. No wonder, as the old joke has it, “Congress” is the opposite of “progress.”
I know it’s the holidays, but are we now obliged to make fake-nice with the government and pretend they’re trustworthy, despite everything that’s happened?
They keep telling us that this time, things will be different, and they’ll be so much more careful with our stuff. Why should we believe a word of it?
Our advice is twofold. First, start using real security: an encrypted browser, encrypted call and messaging services, and encrypted email. It’s easy and free to do, and it doesn’t place your data in the hands of provably untrustworthy actors. Second, help us in our work to protect people against mass surveillance.
We have already passed the point at which it became obvious that the solution is to keep critical information offline. Concern about “cyber vulnerabilities” has led the Navy to start training its officers in celestial navigation again, in case GPS stops working. Russia’s security service has gone back to buying typewriters to keep sensitive documents out of reach of NSA interception.
Meanwhile, in response to the hack of my data, the government is giving me three years of “identity theft protection and monitoring service.”
Wonderful. But you know what? Signing up for the service itself entailed entering all kinds of personal data into the “ID Experts” database. It’s all for my protection, sure, but if (or perhaps I should say when) ID Experts gets hacked, I’ll be even more vulnerable to identity theft than I was before. Thanks, Obama!
As usual, Big Brother’s big solution involves handing him more and more data with no warrant, and no steps on his part to change a long track record of epic failure to really secure government databases.