As the US realises it's been PWNED, when will OPM heads roll?

Heads are set to roll at the Office of Personnel Management as director Katherine Archuleta continues to receive a grilling from Senate committees, who are beginning to realise that the country's entire intelligence workforce has been utterly pwned, probably by a hostile nation. Archuleta, alongside OPM's Chief Information …

  1. Joey M0usepad Silver badge

    Did I miss a meeting? What actually happened, and to whom? This article is just a load of finger pointing.

    1. Alister Silver badge
      Facepalm

      Blimey, which pile of sand did you have your head stuck in?

      The links are in the article, but here's one to be going on with:

      http://www.theregister.co.uk/2015/06/05/opm_data_breach/

    2. Where not exists

      finger pointing

      You must not have read the memo. Finger pointing is the primary function of the best congress that money can buy.

      1. asdf Silver badge

        Re: finger pointing

        Wow wish I could upvote this comment a dozen times.

      2. Anonymous Coward

        Re: finger pointing @ Where not exists

        OPM doesn't work for Congress, they work for President Obama. I know the majority of readers on this site are blindly Pro-Obama but it is time to start holding him accountable. Congress can do little more than cut funding or, in a very unused method, impeach the head of the Agency if they were confirmed by Congress.

        Just look at the IRS mess. Do you really think that they are that incompetent? They know who they work for.

        http://apnews.myway.com/article/20150625/us--irs-lost_emails-47ff44b9ff.html

        AC because I don't need the IRS riding my ass any more than they already are. Yes I know the IRS can find out who I am if they really want to but no need to make it easier for them.

        1. Destroy All Monsters Silver badge
          Windows

          Re: finger pointing @ Where not exists

          I know the majority of readers on this site are blindly Pro-Obama but it is time to start holding him accountable.

          Oh come on. We might see one or two Obamites from time to time but, hey ...

        2. asdf Silver badge

          Re: finger pointing @ Where not exists

          While I agree Obama is responsible for this incompetent twit political appointee still having a job it still doesn't invalidate the comment about Congress. As for Obama it's ok though from here on out as lame duck means time to hook up the 1%ers and hope the dumb base forgets. eBay time for pardons. Get your contributions in now.

          1. Anonymous Coward

            Re: finger pointing @ Where not exists

            While I agree Obama is responsible for this incompetent twit political appointee still having a job it still doesn't invalidate the comment about Congress.

            Yes it does. After the last Congress approved the money for this, it was Obama's poor oversight that resulted in this mess.

            Blaming Congress for funding Obama's failure is like blaming the gas station that fueled the car that killed pedestrians.

            The desperate actions of the Obama fanbois here to shield Barry from his incompetence is entertaining. But hey, I'm not complaining, I confess I make A LOT OF MONEY off these types of liberals!!!! Their online personas are "adult children" and they are willing to buy anything that confirms their bias while ignoring facts. Capitalism, F**k Yeah!

            For each downvote I get, a kitten dies.

        3. veti Silver badge

          Re: finger pointing @ Where not exists

          Last I heard Congress are the ones who control the purse strings, so OPM works for them. If not, then why are they grilling this woman? If she asked for more IT funding and Congress denied it, then they've got no-one but themselves to try desperately to deflect blame from.

          And Archuleta's appointment was confirmed by the Senate. In so far as this is her mess, they're as responsible as Obama. Sorry, but if you insist on sharing the power then you have to share the blame too.

          1. Tom 13

            Re: Last I heard Congress are the ones who control the purse strings

            You haven't been paying attention. The 0bamaphiles in the Republican party who go by the names of McConnell and Boehner actually handed control of the purse to The Big 0 as their first act after the elections but before the new class was sworn in. All agencies were fully funded for the next two years. So in order to cut funding, they need to pass legislation that the President would have to sign off on.

            But that's okay, we've accepted our fate. Yesterday SCOTUS drove a stake through the heart of the Constitution. If the plain language of a law cannot be counted on as the meaning of the law, particularly when that would be the normal legal reading of a law, the foundations of ordered liberty are dead.

          2. Anonymous Coward

            Re: finger pointing @ Where not exists

            Last I heard Congress are the ones who control the purse strings, so OPM works for them.

            Wrong.

            If not, then why are they grilling this woman?

            Because they can deny Obama funding if they don't like the answers.

          3. Tom 13

            Re: then why are they grilling this woman?

            Written like the ignorant power slut you are.

            They're grilling her for the same reason they should have been allowed to grill $Hrillary over Benghazi: Congress has oversight responsibilities for everybody in the Executive Branch (including 0bozo).

  2. SolidSquid

    So about those claims that Russia had managed to access the Snowden files and get details on US intelligence officers. Seems quite the coincidence that there's the "most devastating cyber attack in US history" happening on the people who store those details at exactly the same time the Russians apparently managed the decryption

    edit: Snowden, not Assange. Bit of a difference there

    1. ST Silver badge

      > those claims that Russia had managed to access the Snowden files

      That sounds like complete bullshit to me.

      There's no need to spend time and resources on cracking what I would imagine is some very strong crypto - The Snowden Files - when the OPM was running unpatched systems full of known 0-day vulnerabilities.

      From what I understood, this attack lasted over a year. Whenever someone obtains free access for over a year, they have plenty of time to steal whatever they want, re-arrange the furniture in the offices, water the plants and play Net-Trek.

      Firing the bosses won't fix a single thing - not that they shouldn't be fired. The magnitude of this breach demonstrates crass incompetence at all levels of that organization.

      1. Rich 11 Silver badge

        and play Net-Trek.

        Surely they'd prefer to play Net-Hack?

        Damn. Haven't played that for decades. Got to get a port for my tablet now.

    2. Christoph Silver badge

      The claim that the Snowden files had been cracked by Russia is a ridiculous lie.

      1. Destroy All Monsters Silver badge
        Windows

        The claim that the Snowden files had been cracked by Russia is a ridiculous lie.

        Also seems to have sunk without a trace again after this blatant trial balloon failed to take over the Sphere of Discourse with a 24/7 Emmanuel Goldstein hatefest.

        Makes you wonder what is actually true in the Ukraine story and the concomitant East-West escalation, doesn't it?

    3. Naselus

      "Seems quite the coincidence that there's the "most devastating cyber attack in US history" happening on the people who store those details at exactly the same time the Russians apparently managed the decryption"

      Yes, this must be down to a leak, and nothing to do with the OPM requiring an outside instruction to install AV software, run an update schedule, and not hand out the admin password to anyone who happens to ask for it. Seriously, fricking Lizard Squad could've hacked this system, it doesn't take nation-state backing to breach a system running known vulns.

  3. codejunky Silver badge

    Ha

    Obama administration "views the federal government as capable of tackling almost every problem the nation faces"

    He's a democrat. It comes with the territory.

    1. Joe Harrison Silver badge

      Re: Ha

      Obama administration "views the federal government as capable of tackling almost every problem the nation faces"

      Nation faces a problem, government tackles it, isn't that what they're supposed to do? Think I must be missing a subtlety here.

      1. Richard Jones 1
        WTF?

        Re: Ha

        Given the quality of the recruitment and vetting processes as shown by several recent data runners, they need a quarter the staff numbers and ten times the quality. The possibility exists that both figures will need revising: the number of bozos downward and the skill level factor upwards.

      2. Anonymous Coward

        Re: Ha

        The subtlety that you're missing is called free market enterprise. Centralized planning isn't supposed to be the solution to almost every problem, except in a society where people have been stripped of so many liberties that they're incapable of acting on their own behalf. See also invisible hand, Adam Smith, Ludwig von Mises' Bureaucracy.

        1. Filippo

          Re: Ha

          Yeah, I'm really looking forward to intelligence services working as a free market. Can't see what could go wrong with that.

          1. Anonymous Coward

            Re: Ha

            "Yeah, I'm really looking forward to intelligence services working as a free market. Can't see what could go wrong with that."

            That's how they usually work, surely? Information is supplied to the highest bidder. If that is someone other than your current employer, well, that's freedom for you.

          2. codejunky Silver badge

            Re: Ha

            @ Filippo

            "Yeah, I'm really looking forward to intelligence services working as a free market. Can't see what could go wrong with that."

            They don't? I thought the discussion of government surveillance had included industrial espionage.

      3. Old Handle
        Headmaster

        Re: Ha

        I guess it depends on whether you interpret "tackling" as implying a successful action, or merely an attempt.

        1. perlcat

          Re: Ha

          Thanks to our fine government, solving imaginary problems by replacing them with real ones since the start.

    2. Anonymous Coward

      Re: Ha

      "Federal techies will, from now on, need to install security patches, use anti-virus software, and avoid giving everyone the admin password."

      Yep, those are some mighty radical measures.

      Whatever next?

      Managerial accountability, third party security audits, supplier SLAs, or certifications for suppliers ?

      The mind boggles.

    3. 2+2=5 Silver badge
      Joke

      Re: Ha

      Obama administration "views the federal government as capable of tackling almost every problem the nation faces"

      A suitably condescending statement made by a Republican with his knee-jerk reaction to Big Government (except when it's the military, of course). What does he think the alternative is? To outsource to the lowest bidder? I think the Chinese might come in with a very competitive quote, especially since they've already completed the data migration!

    4. Ken Hagan Gold badge

      Re: Ha

      "He's a democrat. It comes with the territory."

      The previous administration reckoned that the same problems could be solved by writing blank cheques to just the part of the government that doesn't have to tell us how they spend them.

      1. Will Godfrey Silver badge
        Unhappy

        Oi!

        Can you left-ponders keep your local political squabbles to yourselves!

        We've got more than enough of our own.

      2. codejunky Silver badge

        Re: Ha

        @ Ken Hagan

        "The previous administration reckoned that the same problems could be solved by writing blank cheques to just the part of the government that doesn't have to tell us how they spend them."

        That is part of what is so disappointing. Bush was an idiot, he did wrong but mostly because he didn't really know what he was doing. Since Obama chooses to carry on with the worst of Bush while adding his own, do we consider him to be a moron as well or does he know what he is doing? I think Obama knows what he is doing, he seems reasonably intelligent.

        So the outcome is the same but one does it in stupidity and one does it intentionally.

  4. Camilla Smythe Silver badge

    Shit happens...

    Extradite Gary McKinnon. Sorted.

    1. alain williams Silver badge

      Re: Shit happens...

      Extradite Gary McKinnon. Sorted

      More or less what I was going to write. Gary only got in because of hopeless sysadmin practices in the USA (eg not changing default passwords). Have these clowns learned nothing in the decade since then?

      It seems not - the hunt is now on for scapegoats and then not bother to smarten up their act.

  5. stephajn

    Such amazing security measures worth $82bn...

    "Federal techies will, from now on, need to install security patches, use anti-virus software, and avoid giving everyone the admin password."

    Does this mean that they weren't installing patches, using anti-virus software and WERE giving everyone the admin password?

    Wow....

    1. Bucky 2

      Re: Such amazing security measures worth $82bn...

      My understanding from cocktail party conversations is that government computer systems tend to be so convoluted that people find themselves locked out of the very systems they need to actually do their jobs.

      So the administrator password sharing begins.

      As for the patches and anti-virus software, I'm also given to understand that every piece of software has to be certified. If a patch isn't certified, it doesn't get applied.

      It could just be one department in one office somewhere, so I can't say that this situation applies throughout the government. However, the point is over-application of security dogma can have negative effects.

      1. earplugs

        Re: Such amazing security measures worth $82bn...

        Govt computer systems are designed to defeat congressional oversight, not hackers, as the report says so well.

        2. Anonymous Coward

        Re: Such amazing security measures worth $82bn...

        It's not just the Americans, why do you think Cameron & Co keep sounding off on stuff that just has to be a diversion or blame spreading

        3. Anonymous Coward

        Re: My understanding from cocktail party conversations

        Then the people you talk to on the party circuit are some of the incompetents who are to blame for the current mess.

          Yes, government systems are locked down. But within most given agencies it isn't difficult to get permissions on systems you need to access. You ask your boss to request the permission, he sends it to IT, IT confirms he's authorized to grant it, and it is granted. You only run into problems when you cross agency lines. And if admin passwords are being shared across agency lines, that's even worse than within the agency.

        BTW: The NIST standard (which is supposed to govern ALL IT within the federal government) is to change passwords at least once every 90 days. So even when passwords are shared, the reset should somewhat mitigate the problem. Granted too many security buffoons make it impossible to implement this for the local administrator password on Windows*, but that should be an issue on the actual network systems.

        *My understanding from our network team is that all documented systems for changing this on Windows essentially require you to temporarily store the password in plain text, so the security buffoons nix the change strategy. Yes it does bother me greatly that I think our local admin password hasn't been changed in more than 5 years, possibly as many as 10. Especially as the account is automatically disabled and scrambled as part of the Group Policy and we have to manually reset it after a new system is joined to the domain.
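An added example, not posted by anyone in this thread and not OPM's or any agency's own tooling: one way to rotate a Windows local administrator password on the commenter's 90-day schedule without the plaintext ever being written to disk. The new password is generated from the OS CSPRNG, encrypted with Protect-CmsMessage to an escrow certificate (so only whoever holds the private key can recover it), and only then set with Set-LocalUser. Assumptions that are mine rather than the commenter's: Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts module), PowerShell 5.1 or later, and an escrow public-key certificate at the hypothetical path below. Run it elevated.

```powershell
# Added example: rotate a local admin password with no plaintext on disk.
# Assumptions (mine): Windows 10/Server 2016+, PowerShell 5.1+, and an escrow
# certificate (.cer, public key only) at the hypothetical path below.
param(
    [string]$Account    = 'Administrator',
    [string]$EscrowCert = 'C:\ProgramData\PwEscrow\escrow.cer',   # hypothetical path
    [string]$EscrowDir  = 'C:\ProgramData\PwEscrow',              # hypothetical path
    [int]   $Length     = 24
)

$ErrorActionPreference = 'Stop'

function New-RandomPassword {
    param([int]$Length)
    # Visually unambiguous alphabet (no 0/O, 1/l/I).
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-_=+?'
    $n = $alphabet.Length
    # Get-Random is not cryptographic in Windows PowerShell 5.1; use the OS CSPRNG.
    # Rejection sampling: discard bytes >= 256 - (256 % n) so every index is equally likely.
    $limit = 256 - (256 % $n)
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    $sb   = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        $v = [int]$byte[0]
        if ($v -lt $limit) { [void]$sb.Append($alphabet[$v % $n]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

# Fail early (ErrorActionPreference=Stop) if the account does not exist.
$null = Get-LocalUser -Name $Account

$plain  = New-RandomPassword -Length $Length
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Escrow BEFORE changing the password: if escrow fails, nobody is locked out.
# Protect-CmsMessage writes CMS (PKCS#7) ciphertext for the escrow certificate; the
# plaintext exists only in this process's memory, never in the file.
if (-not (Test-Path $EscrowDir)) { New-Item -ItemType Directory -Path $EscrowDir | Out-Null }
$stamp  = Get-Date -Format 'yyyyMMddTHHmmss'
$record = [pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Account  = $Account
    Rotated  = $stamp
    Password = $plain
} | ConvertTo-Json -Compress
$escrowFile = Join-Path $EscrowDir ('{0}-{1}-{2}.cms' -f $env:COMPUTERNAME, $Account, $stamp)
Protect-CmsMessage -To $EscrowCert -Content $record -OutFile $escrowFile

# Now rotate the account's password from the SecureString.
Set-LocalUser -Name $Account -Password $secure

# Best effort only: .NET strings are immutable, so dropping references shortens the
# window the plaintext sits in memory rather than guaranteeing a wipe.
$plain = $null; $record = $null; $secure.Dispose()
[GC]::Collect()

Get-LocalUser -Name $Account | Select-Object Name, Enabled, PasswordLastSet
Write-Host "Rotated '$Account' on $env:COMPUTERNAME; escrow written to $escrowFile"
```

To recover the password later, copy the .cms file to a host that holds the escrow certificate's private key and run Unprotect-CmsMessage -Path on it; the rotating machine itself never needs that key. Escrowing to a key the machine cannot read is the same idea Microsoft's LAPS uses, except LAPS stores the password in an ACL-protected Active Directory attribute rather than a file; either way the point is that "the documented method needs plaintext somewhere" is not a reason to leave the local admin password unchanged for five years.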

    2. Ashton Black

      Re: Such amazing security measures worth $82bn...

      Yes. Bonkers.

    3. Naselus

      Re: Such amazing security measures worth $82bn...

      "Does this mean that they weren't installing patches, using anti-virus software and WERE giving everyone the admin password?"

      Yes, but in fairness the admin password had recently been upgraded to 'Password02!'. So it's astonishing that anyone was able to crack it.

      1. Alister Silver badge

        Re: Such amazing security measures worth $82bn...

        Yes, but in fairness the admin password had recently been upgraded to 'Password02!'.

        OMG!!! YOU POSTED IT ON THE INTERNET!

        1. Ken Hagan Gold badge

          Re: Such amazing security measures worth $82bn...

          It's OK. The average internet user is so illiterate that they won't realise the exclamation mark is part of the password.

          1. 404 Silver badge

            Re: Such amazing security measures worth $82bn...

            you mean the bang?

          2. Anonymous Coward

            Re: Such amazing security measures worth $82bn...

            Except that you just told them. On to Password03!

          3. Tom 13
            Joke

            Re: exclamation mark is part of the password.

            EPIC FAIL!

            You didn't include the quote marks.

        2. Naselus

          Re: Such amazing security measures worth $82bn...

          "OMG!!! YOU POSTED IT ON THE INTERNET!"

          In my defence, it seems OPM's staff had been doing so for the last couple of years.

  6. Anonymous Coward

    Katherine Archuleta is lying to Congress!

    OPM tells its vendors to do things that it does not even do themselves.

    It's in their background investigator contracts to do everything with 2FA, Anti Virus, VPN, no browsing, etc.

    This proves that OPM was already aware of the issue and their inability to use any common sense proves that they are incompetent all the way to the top level including their director and the man who is supposed to oversee them, the President.

    Fire them ALL!

    1. Destroy All Monsters Silver badge
      Trollface

      Re: Katherine Archuleta is lying to Congress!

      Isn't there a Union Problem with this plan?

    2. breakfast
      Trollface

      Re: Katherine Archuleta is lying to Congress!

      This is about the only solution to the problem - but not just the OPM. To clear the risks caused by this compromise they just have to fire everyone who has gone through that vetting system. From what I can tell that means a complete government staff turnover. Should be exciting times watching a completely new civil service try to figure out how to do their jobs...

      1. Anonymous Coward

        Re: a complete government staff turnover.

        Except of course you now have no one to vet the new employees because the vetters themselves have been compromised.

        I think the only solution is to not only fire all the employees, but fire all the elected politicians. Then start with a fresh election cycle. Put Senators on the same cycle as when they first ratified the Constitution. Sadly this means I'll probably be looking for new work as well as I am a contractor and probably compromised as well.

  7. Anonymous Coward

    Bureaucrats

    ...are so gullible and technically challenged that it's a disgrace. Unfortunately the U.S. isn't the only country being hacked daily by crims from other nations.

    1. keithpeter
      Windows

      Re: Bureaucrats

      ...and it has to be said that in the US, you can find out about stuff. In the UK our culture of secrecy means that there is a good chance that all kinds of stuff will never come to light.

  8. auburnman
    Trollface

    Archuleta sounds like the name of a mole working for Ming the Merciless. When the attack from space begins, her spider-minions will reveal themselves and strike at key targets throughout the globe!

  9. Anonymous Coward

    Peter principle

    She may well be in over her head; bureaucratic organisations are well known for promoting internally based on length of service and favouritism rather than actual ability and experience. That said, I haven't seen a bio/resume for her and the CIO so just an assumption.

    1. Martin Gregorie Silver badge

      Re: Peter principle

      That said I haven't seen a bio/resume for her and the CIO so just an assumption

      Career summary is here: https://en.wikipedia.org/wiki/Katherine_Archuleta

      She looks to me like a pure political appointee.

      In summary: she worked at a Denver law firm, but there is no indication of where she got a law degree or if she has one. She worked for the Clinton administration, was Executive Director of the National Hispanic Cultural Center Foundation and was National Political Director for Obama's 2012 reelection campaign before being made director of the OPM in late 2013.

      1. perlcat

        Re: Peter principle

        In other words, a political hack of such imbecility that basic IT behavior like the "extreme measures" mentioned are actually viewed as extreme measures.

        Given that most of the Administration didn't have a problem with the Secretary of State using her own personal email server until it was politically advantageous, not a surprise. The only surprise I have is that there isn't more of this. They're too ignorant to know they've been hacked. Surprised they haven't retaliated on the people that found and reported the pwnage.

        My guess is that security firm will never work in DC again.

      2. Anonymous Coward

        Re: She looks to me like a pure political appointee

        For the most part, those are the only people who testify before Congress. Yeah, at times I've been working on someone's PC while the non-appointed team discusses how to brief the appointee about testifying before Congress. It's even uglier than watching sausage being made.

    2. tom dial Silver badge

      Re: Peter principle

      Like all of the major department and agency directors, Katherine Archuleta is a political appointee. That said, there is no reason that a political appointee, if supported by competent and experienced civil service executives, cannot be quite successful as director. The problem in this case appears to be that the civil service executives had, for years, been inadequate in IT management matters.

      1. perlcat

        Re: Peter principle

        You'll have to excuse me while I laugh and mock the statement: "... there is no reason that a political appointee, if supported by competent and experienced civil service executives, cannot be quite successful as director."

        In other words, competence and experience isn't a requirement for a job that's essentially a payoff. If the job is truly a sinecure, wholly redundant, then she shouldn't have been given enough power to get into trouble. While the realist in me understands that she was placed there to oversee the ideological purge, in a sane universe, she shouldn't also purge the competent and experienced employees in order to preserve her pathetic and incompetent ass. She's been hoist by her own petard, and man, is that funny.

        1. Tom 13

          Re: hoist by her own petard, and man, is that funny.

          No, it's not.

          Granted it would be if she was the only one being hoist. But she's taking a lot of other people with her, and at least a few of them are actually trying to be competent at their jobs.

        2. tom dial Silver badge

          Re: Peter principle

          The head of a major federal (or state) agency like OPM is largely or even primarily a go-between - between the political masters in the executive and legislative branches and those in the agency, mostly senior civil servants with quite a lot of experience, some of it often both good and applicable to the cases at hand. They are not expected to engage much in day to day management, nor should they. They instead convey political and major policy direction to those who do, and advocate for the agency and its mission to executive branch personnel at the cabinet level and to congressional committees and their staffs. They spend the great majority of their time in meetings, much of it outside the agency. Agency directors are more likely in a well-run agency to get in trouble by intervening in operations than by doing their primary, political, job and letting the permanent civil service staff care for the details of policy implementation and daily operations. Conversely, in a not-so-well run agency, the director can do little more to effect change than reassign personnel.

          My sense is that in IT matters, OPM had been a mess for some time, and reassignment of the previous CIO (by the previous director) with no immediate replacement probably indicated that OPM management, their superiors in the executive branch, and their congressional overseers knew it. Archuleta took office eight months later, and appointed Seymour a few months later, by which time OPM had an acting CIO for eight or nine months and probably continued to drift along whatever path led to removal of the prior CIO. To assign major blame to either or both of them is largely misplaced, and dismissing them as likely to perpetuate the damage as correct it.

      2. Anonymous Coward

        Re: there is no reason that a political appointee,

        Actually, there are lots of reasons. The first one that comes to mind is that her politics are more important than doing the job correctly.

        Yes, it is possible for an appointee to succeed with competent staff supporting them. But first the appointee has to care more about doing the job right than making sure he/she will still have sufficient cred with the party to win his/her next appointment.

        Full disclosure: I fully expect that there is sufficient fail for all political appointees, federal staff, and contract staff to consume as much as the King did in the skit before he asked for a bucket.

  10. Your alien overlord - fear me

    Why is the US gov on the internet in the first place? It's a work environment so they should have zero internet access bar one standalone PC and a locally attached printer. If someone needs a webpage, fill in the request form (in triplicate), someone in a haz-mat suit (so they don't get infected with any viruses) enters the URL and prints the page in triplicate. One goes to the requestor, one goes to their boss and one goes to the NSA.

    Simple.

    1. dom_f

      you forgot the two copies for filing....

      1. Anonymous Coward

        And if all the other departments start complaining of being unable to fill sensitive positions as needed because OPM can't provide documentation quickly enough...?

        1. Bob Dole (tm)

          >>>And if all the other departments start complaining of being unable to fill sensitive positions as needed because OPM can't provide documentation quickly enough...?

          The funny part of that is that the holes in the OPM system meant that foreign agents could get data on federal employees *faster* than other departments of the federal government.

          It's like they took sharing the admin password to a whole new level and handed it out like candy to the world.

    2. tom dial Silver badge

      The OPM operates web applications for federal civil service retiree support, for applicants for federal employment, for completion of security background investigation requests (these are no longer done in paper form), and for at least one other federal agency. In the main, this is a result of an "eGovernment" undertaking begun (I think) under President Bush and continued under President Obama.

      1. Tom 13

        Re: this is a result of an "eGovernment" undertaking begun

        Nah, that was just the last time it got rebranded. It's been going on for longer than that.

  11. Arctic fox
    Headmaster

    I personally think that this is absolutely hilarious.

    "who are beginning to realise that the country's entire intelligence workforce has been utterly pwned, probably by a hostile nation."

    They were so busy trying to pwn others that they utterly neglected to watch their own backs. Could not happen to a nicer bunch.

  12. Anonymous Coward

    US Federal systems PWNED

    So......it's absolutely OK for the NSA to hack information about American citizens and foreigners alike.....but when someone else does the same sort of thing.....that's VERY BAD.

    Hypocrisy, anyone?

    1. JonP

      Re: US Federal systems PWNED

      More like hubris - they've been hacking everyone else but didn't make sure they (as in the US) couldn't be hacked. Though it's not like it's happened before or anything...

    2. veti Silver badge

      Re: US Federal systems PWNED

      There's no hypocrisy there. They're not saying the evul furrners did anything wrong - that goes without saying. What they're saying is that their own people screwed up by not stopping them.

      Likewise, they'd say that French intelligence f'd up by allowing the NSA to bug their president. The NSA did nothing wrong there, they did their job - French intel is supposed to stop them, so they're the ones who screwed up.

      This sort of mentally diseased game theory is not even controversial in America - it's accepted wisdom that this is how the world is supposed to work. Anything else would be aberrant.

      1. Anonymous Coward

        Re: US Federal systems PWNED

        Ah.....it is all the victim's fault!

        The crime of shoplifting is the retailer's fault because the goods are not securely locked up!

        The crime of murder is the victim's fault for letting the bullet enter their body!

        As far as the NSA goes, there's also the little matter of the Fourth Amendment!

        Good try.......but FAIL.

  13. Naselus

    To be honest, with this kind of security in place I'd be amazed if this hack was a hostile nation. This level of incompetence not only doesn't need any serious clout to crack, but would likely fail to spot the hack at all if it was conducted with the remotest bit of finesse; hell, this bunch of clowns would've taken three months to spot the kind of theatrics Lulzsec pulled off, let alone a serious Kremlin heavy mob.

  14. Jack of Shadows Silver badge

    Minor Correction

    'Most devastating known cyber attack in US history.'

    FTFY. Dear NSA, offense is the easy problem. We've given you pretty much anything and everything you've ever asked for. Try something hard. Please.

  15. Stevie Silver badge

    Bah!

    Before heads roll I would like to see how much money OPM has requested in the last decade and how much they were given by the Congress/Senate.

    Then, anyone asking questions must first demonstrate they are completely innocent of ever denying funds to OPM or step away from the Festival of Finger Pointing, lest the finger points at them.

    Also, it would be a pleasant surprise to find that everyone on each of the endless "committees" formed to "ask tough questions" were a) able to frame such questions intelligently and 2) understand the answers.

    But of course we are going to be watching endless rounds of pompous, ponderously slow speechifying by the same sort of people who pondered why we couldn't have a secure encryption scheme that would be wide open to "forces of law and order".

    1. Gene Cash Silver badge

      Re: Bah!

      No kidding. This is exactly like Congress axes funds for NASA's rocket engine R&D and the Commercial Crew program, then bitches about why we still have to buy Russian engines and Soyuz seats.

      My grandfather always used to say "best thing the Russians could do for us would be to lob a nuke right on Capitol Hill!"

      1. Anonymous Coward
        Anonymous Coward

        Re: Bah!

        No they would only regenerate, perhaps a Capitol sized roach motel?

    2. tom dial Silver badge

      Re: Bah!

      OPM management requested money and billet authorization over the years based on needs they identified in the budget request process. They never got everything they wished for (with probability not measurably different from 1.0). Yet the reports have it that they added systems without making them secure (and perhaps without knowing where and how they were attached) and reportedly let maintenance slip rather badly, which many might think unwise. The right question of OPM is not whether they received the resources they requested, but how they managed IT with what they received.

      In the (DoD) agency where I worked, we received annual reductions in both money and billets, but over the years security was gradually and regularly tightened, systems were inventoried, the network maps timely maintained and an increasingly detailed set of security requirements were applied retroactively as well as prospectively. The retro part sometimes was not fully up to date, but existing systems were patched and new ones were compliant with security configuration requirements before being attached to the LAN. The firewalls were quite exclusionary, to the point of irritating developers excluded from consulting external technical web sites classified as "chat". BYOD was not discussed, remote access was by VPN using government owned and maintained equipment only, and (courtesy of the DoD PKI program) two factor authentication was the only way of access other than at system consoles. Development sometimes suffered from this. All that was as directed by the CIO and his director of security, with full support of the agency directors. And that, I think, made a difference, as successful known penetrations were not known to have occurred as of about three years ago.

    3. Naselus

      Re: Bah!

@ Stevie - have an upvote for noting that denying an agency funding is likely to result in that agency being worse at doing its job properly. Shame the Republicans will now attempt to cut OPM's funding as punishment for not funding their security properly.

      That said... some of the basic best-practice fails highlighted in this case are ultimately free to implement. Aspects of this whole thing scream wilful negligence.

  16. Someone Else Silver badge
    Trollface

    "Across the government, IT projects too frequently go over budget, fall behind schedule, and do not deliver value to taxpayers," declared Boozman. Unwilling to broach the issue without criticising the Democratic Party, Boozman suggested that the Obama administration "views the federal government as capable of tackling almost every problem the nation faces".

    In prioritising the growth of the size and scope of the federal government, the administration fails to follow through on its existing projects, claimed Republican Boozman.

OK, Mr. Boozman (snicker!). When the bill authorizing that $21million comes up for a vote in your august body, are you going to vote for it? No? Didn't think so. Then go down to your Republicon cafeteria and order yourself up a nice, steaming bowl of STFU.

    1. Anonymous Coward
      Anonymous Coward

      When the bill authorizing that $21million comes up for a vote in your august body, are you going to vote for it?

      Money isn't the problem. The OPM is run by the same government that's building the Veteran's Administration Hospital in Denver. Here's the headline:

      The Unfinished VA Hospital That's More Than $1 Billion Over Budget

      http://www.npr.org/2015/06/09/413178870/the-unfinished-va-hospital-thats-more-than-1-billion-over-budget

      Original budget: $328 million. Currently projected budget: $1.7 billion - and that number is liable to change. Somehow, an extra $21 million didn't solve the VA's problems, nor did an extra $1.3 billion. Billions of dollars aren't enough to solve problems under some leadership.

      Please consider apologizing for your STFU comment. Be a light unto others.

      1. veti Silver badge

        Well, except that the plans and contract for the Denver VA hospital were drawn up and awarded under the Bush administration.

        And the article you linked clearly describes Congress trying to micromanage the project by approving funding on a week-by-week basis, which is so obviously a way of sabotaging the entire project that frankly I'd be surprised to learn that anyone involved actually bothers to show up to work in the morning.

        So no, the STFU comment stands.

  17. Destroy All Monsters Silver badge
    Trollface

    I just realized....

    Hollywood will never again be able to sell a "hard hack on the Feds done by überskilled nerd" story with a straight face.

  18. Will Godfrey Silver badge
    Happy

    Start from scratch

    Give them an Arduino and tell them they need to make it secure before they'll get any more funding.

    Then give them a RasPi...

  19. Mark 85 Silver badge

Well.. it's possible (remotely possible... I'm going for cynical value) that the NSA did the hack and one of their leakers is leaking the files. Perhaps this whole thing was/is to make a point that we can attack but not defend? Penetration testing that ran amok anyone?

    No matter who broke in....let the heads roll and put them on spikes at the White House gates. The problem is, it's a huge problem that starts with the Executive and Legislative branches (priorities and funding) and filters down. Right now, there's probably some poor schmuck with a sysadmin title who's quietly updating his resume because he knows that crap rolls downhill and he's at the bottom of it even though he was powerless to implement anything.

    1. tom dial Silver badge

      It appears that OPM's IT managers have been on indoor annual leave for years. Reports say the OPM doesn't know the systems they have, or how they are connected, and have not done regular patching on some, many, or all of them. If I were updating my resume it would be a tough choice whether to show recent employment there or pretend to have been unemployed since being fired for cause at my previous job.

      They almost certainly have been squeezed for resources, but that is not a fully satisfactory excuse for getting priorities so out of whack. I think the risk of losing control of this data, even the SF86 information, has been overstated. However, I can guess that management in pretty much every agency that has employees in sensitive positions is pretty pissed, partly because most of them hunkered down and managed to map their networks and patch their systems on a fairly regular basis under much the same resource constraints.

  20. tom dial Silver badge

Katherine Archuleta took office at OPM in October, 2013 - not all that long ago in the context of OPM's IT management troubles. The previous director reassigned then-CIO Matthew Perry in February, 2013, and Donna Seymour was not appointed to the CIO vacancy until December, 2013. Nine months is rather long for such a vacancy to remain unfilled, likely due to concurrent lack of a "permanent" director. My experience is that acting agency directors are slow to fill executive vacancies unless they are almost certain to be selected for the top position, something that is quite unlikely when that is a political appointment and the acting director is a civil service employee. Temporary executives like the acting OPM CIO also have a tendency to allow things to drift; that would have aggravated an already bad situation.

    Archuleta did not come from an IT background and IT is not a primary OPM mission. There is no reason to think she would, on her own, realize the mess she had on her hands until informed by her CIO. Seymour probably arrived for duty in January, 2014, and likely would have required some time to become aware of it, and that appears to be close to the time when the penetration began to take root and begin exfiltration of data. And both of them would have had quite a few other matters to deal with. January is four months into the fiscal year, and planning for end of FY expenditure management normally will be starting. Major changes to planned activities are difficult for upper management to undertake for the current year, especially if they are comparatively new on the job and not yet familiar with who on the staff can, and who cannot, execute. It also is well into the planning year for the following fiscal years and late to be making major reallocations.

    As a retiree whose personal information, including SF86, appears to have been taken, I am not at all pleased with this, but also am not inclined to jump on the bandwagon and demand that these two be sacked. Unless they can be shown to be as feckless as their predecessors (and their predecessors' placeholders) it is far from clear that replacing them would do more than extend the disorder and delay correction of the underlying IT management problems. It might be beneficial to insist that they obtain assistance from outside the agency to assist them in evaluating and correcting the situation. Given Ms. Seymour's employment history with DoD, which runs a much tighter operation than what has been reported of OPM, it would be unsurprising if OPM already had done so.

    1. Anonymous Coward
      Anonymous Coward

      @tom dial

      She's a political appointee who paid for her position. You pays your money, you takes your chances. Goes with the territory. And no, I won't accept "unless it is proven she is as feckless...". Because the excrement has already hit the oscillating air mover, unless SHE can PROVE she is not as feckless as her predecessor, out she goes. And I say this because I've worked with someone at her level who was ousted for mistakes made consistently on predecessors' watches but because he happened to be there when the final (not the first, the final and it was about a seven YEAR process) IG report came out, he was the man on duty.

      1. tom dial Silver badge

        Re: @tom dial

        I never have been a fan of punishing those not shown to be guilty. It may please congressmen to demand resignations, and it may resonate with those they hope will reelect them, but there is no evidence that doing so will improve OPM IT operations, which seem to have been inexcusably sloppy for quite a few years before the present managers took up their positions. The damage is largely done and unrecoverable and firing those now trying to fix the underlying problems is more likely to do harm than good.

  21. All names Taken
    Alien

    Typical of ...

    ... an over bureaucratized state?

1 - the incident only become important when pwnage affects employees (bureaucrats in the bureaucracy?)?

    2 - it does not matter a jot what the content or risks to those individuals are (in fact its leaks are worse in effect than its whistleblowers stuff?)?

    I could go on but you get the drift and all it boils down to is a "You did it-No, you did it" whitewash coverup.

    Shame innit?

    You humans - wot yoo like?

  22. Olius

    Snowden off the hook

    So does this mean it is officially not Snowden's fault now?

    Not that it ever was - El Reg was reporting about this breach at the same time the red-tops were reporting that the Russians and Chinese had cracked encryption on some Snowden documents which they never had.

    I'm sure the rest of the press will carry on falling over themselves to blame Snowden for this one...

  23. breakfast
    Facepalm

    Might as well leave the stable door open now

    Given that all the most personal information about everybody in the US intelligence services is now available to at least one hostile nation, why bother with more security infrastructure now? I mean really, how much worse can it get?

    Going to be very interesting to see how things go on as this information starts to be used. Guessing the US are going to have to be bringing a lot of people home from various parts of the world over the next few months...

  24. Tom 13
    Mushroom

    included the theft of Standard Form 86, essentially a biography

    You haven't been keeping up/paying attention. Admittedly they were real coy about the way they slipped it in, but it's even worse than the bad guys just getting the Standard Form 86. But how could it possibly be worse than handing over your personal biography?

    Well it seems they also made off with the files the FBI puts together to VERIFY your Standard Form 86. And that's even bigger than your SF86. And it probably contains enough information to steal the identities of the people you supplied as references or asked to vouch for you.

    Yeah, heads are going to roll on this one. Almost certainly too few and not necessarily the right ones, but heads will roll.

  25. oneeye

    The opm opened all the doors and Windows and left them that way. Here is a quote from the ArsTechnica article. Seems they knew some contractors.

    "Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

    http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/

    1. JCitizen
      Coffee/keyboard

      @oneeye

      Are you kidding? The Chinese have won contracts to service half the sensitive networks in Washington already! Ha! We had our @sses handed to us years ago!

  26. JCitizen
    Devil

    Oh well of course!

We need Trump to win the Presidency, so he can yell, "YOU'RE FIRED!!!". It won't do any good as it takes a 2/3rds majority of congress to fire a GS employee, but it will make everyone feel better! Heh! Heh!
