Point of View: Federal Personnel Data Breach

Government agencies are in serious danger from cyber threats. While many have a continuous network security program in place, most have spent very little time securing their applications.  We are going to continue to see breaches of government agencies… at least the ones they choose to disclose.

I was offended to see the Obama administration comment, “The administration has never advocated that all intrusions be made public.”  Breach visibility and transparency are critical to getting in front of our security issues.  I thought the Obama administration shared this belief as well.  Yet apparently when it’s their agencies getting hacked, they aren’t quite as quick to push for disclosure.  Time to eat your own dogfood, executive branch.

I’ll just grade the disclosure…  Overall I think was a D/D+.  They came off as belligerent, didn’t acknowledge their fault in the breach, and provided very few details.  How about the people whose sensitive information was in the e-QIP database, including me.  What am I supposed to do now?

• Tone – F, not at all apologetic for their role in the breach
• Timeline – C, some details, 3 months is way too long to disclose
• Scope – D, still investigating, unclear if control was lost
• Size – B, they seem sure, I am unconvinced
• Root Cause – F, no details whatsoever about defenses or attacks
• Discovery – C, seems their IDS detected it
• Remedy – F, none, not even credit card monitoring?
• Future: F, no details about what measures are being taken to prevent future breaches
• Blame: F, immediately blaming China with no public proof. Attribution takes a LONG time.
• Oddities: F, if the IDS detected the attack, how were they able to complete the exploit?  Something is screwy here.