Did I miss a meeting? What actually happened, and who to? This article is just a load of finger pointing.
As the US realises it's been PWNED, when will OPM heads roll?
Heads are set to roll at the Office of Personnel Management as director Katherine Archuleta continues to receive a grilling from Senate committees, who are beginning to realise that the country's entire intelligence workforce has been utterly pwned, probably by a hostile nation. Archuleta, alongside OPM's Chief Information …
COMMENTS
Thursday 25th June 2015 18:13 GMT Anonymous Coward
Re: finger pointing @ Where not exists
OPM doesn't work for Congress, they work for President Obama. I know the majority of readers on this site are blindly pro-Obama but it is time to start holding him accountable. Congress can do little more than cut funding or, in a very unused method, impeach the head of the agency if they were confirmed by Congress.
Just look at the IRS mess. Do you really think that they are that incompetent? They know who they work for.
http://apnews.myway.com/article/20150625/us--irs-lost_emails-47ff44b9ff.html
AC because I don't need the IRS riding my ass anymore than they already are. Yes I know the IRS can find out who I am if they really want to but no need to make it easier for them.
Thursday 25th June 2015 22:07 GMT asdf
Re: finger pointing @ Where not exists
While I agree Obama is responsible for this incompetent twit political appointee still having a job, it still doesn't invalidate the comment about Congress. As for Obama, it's OK though: from here on out, lame duck means time to hook up the 1%ers and hope the dumb base forgets. eBay time for pardons. Get your contributions in now.
Friday 26th June 2015 15:05 GMT Anonymous Coward
Re: finger pointing @ Where not exists
While I agree Obama is responsible for this incompetent twit political appointee still having a job it still doesn't invalidate the comment about Congress.
Yes it does. After the last Congress approved the money for this, it was Obama's poor oversight that resulted in this mess.
Blaming Congress for funding Obama's failure is like blaming the gas station that fueled the car that killed pedestrians.
The desperate actions of the Obama fanbois here to shield Barry from his incompetence is entertaining. But hey, I'm not complaining, I confess I make A LOT OF MONEY off these types of liberals!!!! Their online personas are "adult children" and they are willing to buy anything that confirms their bias while ignoring facts. Capitalism, F**k Yeah!
For each downvote I get, a kitten dies.
Friday 26th June 2015 02:28 GMT veti
Re: finger pointing @ Where not exists
Last I heard Congress are the ones who control the purse strings, so OPM works for them. If not, then why are they grilling this woman? If she asked for more IT funding and Congress denied it, then they've got no-one but themselves to try desperately to deflect blame from.
And Archuleta's appointment was confirmed by the Senate. In so far as this is her mess, they're as responsible as Obama. Sorry, but if you insist on sharing the power then you have to share the blame too.
Friday 26th June 2015 13:33 GMT Tom 13
Re: Last I heard Congress are the ones who control the purse strings
You haven't been paying attention. The 0bamaphiles in the Republican party who go by the names of McConnell and Boehner actually handed control of the purse to The Big 0 as their first act after the elections but before the new class was sworn in. All agencies were fully funded for the next two years. So in order to cut funding, they need to pass legislation that the President would have to sign off on.
But that's okay, we've accepted our fate. Yesterday SCOTUS drove a stake through the heart of the Constitution. If the plain language of a law cannot be counted on as the meaning of the law, particularly when that would be the normal legal reading of a law, the foundations of ordered liberty are dead.
Monday 29th June 2015 15:23 GMT Tom 13
Re: then why are they grilling this woman?
Written like the ignorant power slut you are.
They're grilling her for the same reason they should have been allowed to grill $Hrillary over Benghazi: Congress has oversight responsibilities for everybody in the Executive Branch (including 0bozo).
Thursday 25th June 2015 13:46 GMT SolidSquid
So about those claims that Russia had managed to access the Snowden files and get details on US intelligence officers. Seems quite the coincidence that there's the "most devastating cyber attack in US history" happening on the people who store those details at exactly the same time the Russians apparently managed the decryption.
edit: Snowden, not Assange. Bit of a difference there
Thursday 25th June 2015 14:32 GMT Anonymous Coward
> those claims that Russia had managed to access the Snowden files
That sounds like complete bullshit to me.
There's no need to spend time and resources on cracking what I would imagine is some very strong crypto - The Snowden Files - when the OPM was running unpatched systems full of known 0-day vulnerabilities.
From what I understood, this attack lasted over a year. Whenever someone obtains free access for over a year, they have plenty of time to steal whatever they want, re-arrange the furniture in the offices, water the plants and play Net-Trek.
Firing the bosses won't fix a single thing - not that they shouldn't be fired. The magnitude of this breach demonstrates crass incompetence at all levels of that organization.
Thursday 25th June 2015 15:26 GMT Christoph
The claim that the Snowden files had been cracked by Russia is a ridiculous lie.
Thursday 25th June 2015 18:28 GMT Destroy All Monsters
The claim that the Snowden files had been cracked by Russia is a ridiculous lie.
Also seems to have sunk without a trace again after this blatant trial balloon failed to take over the Sphere of Discourse with a 24/7 Emmanuel Goldstein hatefest.
Makes you wonder what is actually true in the Ukraine story and the concomitant East-West escalation, doesn't it?
Thursday 25th June 2015 16:20 GMT Naselus
"Seems quite the coincidence that there's the "most devastating cyber attack in US history" happening on the people who store those details at exactly the same time the Russians apparently managed the decryption"
Yes, this must be down to a leak, and nothing to do with the OPM requiring an outside instruction to install AV software, run an update schedule, and not hand out the admin password to anyone who happens to ask for it. Seriously, fricking Lizard Squad could've hacked this system, it doesn't take nation-state backing to breach a system running known vulns.
Thursday 25th June 2015 15:23 GMT Richard Jones 1
Re: Ha
Given the quality of the recruitment and vetting processes as shown by several recent data runners, they need a quarter the staff numbers and ten times the quality. The possibility exists that both figures will need revising: the number of bozos downward and the skill level factor upwards.
Thursday 25th June 2015 15:44 GMT Anonymous Coward
Re: Ha
The subtlety that you're missing is called free market enterprise. Centralized planning isn't supposed to be the solution to almost every problem, except in a society where people have been stripped of so many liberties that they're incapable of acting on their own behalf. See also invisible hand, Adam Smith, Ludwig von Mises' Bureaucracy.
Thursday 25th June 2015 16:46 GMT Anonymous Coward
Re: Ha
"Yeah, I'm really looking forward to intelligence services working as a free market. Can't see what could go wrong with that."
That's how they usually work, surely? Information is supplied to the highest bidder. If that is someone other than your current employer, well, that's freedom for you.
Thursday 25th June 2015 16:32 GMT Anonymous Coward
Re: Ha
"Federal techies will, from now on, need to install security patches, use anti-virus software, and avoid giving everyone the admin password."
Yep, those are some mighty radical measures.
Whatever next?
Managerial accountability, third party security audits, supplier SLAs, or certifications for suppliers ?
The mind boggles.
Thursday 25th June 2015 17:02 GMT Anonymous Coward
Re: Ha
Obama administration "views the federal government as capable of tackling almost every problem the nation faces"
A suitably condescending statement made by a Republican with his knee-jerk reaction to Big Government (except when it's the military, of course). What does he think the alternative is? To outsource to the lowest bidder? I think the Chinese might come in with a very competitive quote, especially since they've already completed the data migration!
Friday 26th June 2015 07:22 GMT codejunky
Re: Ha
@ Ken Hagan
"The previous administration reckoned that the same problems could be solved by writing blank cheques to just the part of the government that doesn't have to tell us how they spend them."
That is part of what is so disappointing. Bush was an idiot; he did wrong, but mostly because he didn't really know what he was doing. Since Obama chooses to carry on with the worst of Bush while adding his own, do we consider him to be a moron as well, or does he know what he is doing? I think Obama knows what he is doing; he seems reasonably intelligent.
So the outcome is the same but one does it in stupidity and one does it intentionally.
Thursday 25th June 2015 14:21 GMT alain williams
Re: Shit happens...
Extradite Gary McKinnon. Sorted
More or less what I was going to write. Gary only got in because of hopeless sysadmin practices in the USA (eg not changing default passwords). Have these clowns learned nothing in the decade since then?
It seems not - the hunt is now on for scapegoats and then not bother to smarten up their act.
Thursday 25th June 2015 14:15 GMT stephajn
Such amazing security measures worth $82bn...
"Federal techies will, from now on, need to install security patches, use anti-virus software, and avoid giving everyone the admin password."
Does this mean that they weren't installing patches, using anti-virus software and WERE giving everyone the admin password?
Wow....
Thursday 25th June 2015 14:34 GMT Bucky 2
Re: Such amazing security measures worth $82bn...
My understanding from cocktail party conversations is that government computer systems tend to be so convoluted that people find themselves locked out of the very systems they need to actually do their jobs.
So the administrator password sharing begins.
As for the patches and anti-virus software, I'm also given to understand that every piece of software has to be certified. If a patch isn't certified, it doesn't get applied.
It could just be one department in one office somewhere, so I can't say that this situation applies throughout the government. However, the point is over-application of security dogma can have negative effects.
Friday 26th June 2015 13:49 GMT Anonymous Coward
Re: My understanding from cocktail party conversations
Then the people you talk to on the party circuit are some of the incompetents who are to blame for the current mess.
Yes, government systems are locked down. But within most given agencies it isn't difficult to get permissions on systems you need to access. You ask your boss to request the permission, he sends it to IT, IT confirms he's authorized to grant it, and it is granted. You only run into problems when you cross agency lines. And if admin passwords are being shared across agency lines, that's even worse than within the agency.
BTW: The NIST standard (which is supposed to govern ALL IT within the federal government) is to change passwords at least once every 90 days. So even when passwords are shared, the reset should somewhat mitigate the problem. Granted too many security buffoons make it impossible to implement this for the local administrator password on Windows*, but that should be an issue on the actual network systems.
*My understanding from our network team is that all documented systems for changing this on Windows essentially require you to temporarily store the password in plain text, so the security buffoons nix the change strategy. Yes it does bother me greatly that I think our local admin password hasn't been changed in more than 5 years, possibly as many as 10. Especially as the account is automatically disabled and scrambled as part of the Group Policy and we have to manually reset it after a new system is joined to the domain.
Thursday 25th June 2015 16:24 GMT Naselus
Re: Such amazing security measures worth $82bn...
"Does this mean that they weren't installing patches, using anti-virus software and WERE giving everyone the admin password?"
Yes, but in fairness the admin password had recently been upgraded to 'Password02!'. So it's astonishing that anyone was able to crack it.
Thursday 25th June 2015 14:44 GMT Anonymous Coward
Katherine Archuleta is lying to Congress!
OPM tells its vendors to do things that it does not even do themselves.
It's in their background investigator contracts to do everything with 2FA, Anti Virus, VPN, no browsing, etc.
This proves that OPM was already aware of the issue and their inability to use any common sense proves that they are incompetent all the way to the top level including their director and the man who is supposed to over see them, the President.
Fire them ALL!
Friday 26th June 2015 10:44 GMT breakfast
Re: Katherine Archuleta is lying to Congress!
This is about the only solution to the problem, but not just the OPM. To clear the risks caused by this compromise they just have to fire everyone who has gone through that vetting system. From what I can tell that means a complete government staff turnover. Should be exciting times watching a completely new civil service try to figure out how to do their jobs...
Friday 26th June 2015 14:01 GMT Anonymous Coward
Re: a complete government staff turnover.
Except of course you now have no one to vet the new employees because the vetters themselves have been compromised.
I think the only solution is to not only fire all the employees, but fire all the elected politicians. Then start with a fresh election cycle. Put Senators on the same cycle as when they first ratified the Constitution. Sadly this means I'll probably be looking for new work as well as I am a contractor and probably compromised as well.
Thursday 25th June 2015 16:29 GMT Martin Gregorie
Re: Peter principle
That said I haven't seen a bio/resume for her and the CIO so just an assumption
Career summary is here: https://en.wikipedia.org/wiki/Katherine_Archuleta
She looks to me like a pure political appointee.
In summary: she worked at a Denver law firm, but there is no indication of where she got a law degree or if she has one. She worked for the Clinton administration, was Executive Director of the National Hispanic Cultural Center Foundation and was National Political Director for Obama's 2012 reelection campaign before being made director of the OPM in late 2013.
Thursday 25th June 2015 18:15 GMT perlcat
Re: Peter principle
In other words, a political hack of such imbecility that basic IT behavior like the "extreme measures" mentioned are actually viewed as extreme measures.
Given that most of the Administration didn't have a problem with the Secretary of State using her own personal email server until it was politically advantageous, not a surprise. The only surprise I have is that there isn't more of this. They're too ignorant to know they've been hacked. Surprised they haven't retaliated on the people that found and reported the pwnage.
My guess is that security firm will never work in DC again.
Friday 26th June 2015 14:04 GMT Anonymous Coward
Re: She looks to me like a pure political appointee
For the most part, those are the only people who testify before Congress. Yeah, at times I've been working on someone's PC while the non-appointed team discusses how to brief the appointee about testifying before Congress. It's even uglier than watching sausage being made.
Thursday 25th June 2015 21:25 GMT tom dial
Re: Peter principle
Like all of the major department and agency directors, Katherine Archuleta is a political appointee. That said, there is no reason that a political appointee, if supported by competent and experienced civil service executives, cannot be quite successful as director. The problem in this case appears to be that the civil service executives had, for years, been inadequate in IT management matters.
Friday 26th June 2015 08:26 GMT perlcat
Re: Peter principle
You'll have to excuse me while I laugh and mock the statement: "... there is no reason that a political appointee, if supported by competent and experienced civil service executives, cannot be quite successful as director."
In other words, competence and experience isn't a requirement for a job that's essentially a payoff. If the job is truly a sinecure, wholly redundant, then she shouldn't have been given enough power to get into trouble. While the realist in me understands that she was placed there to oversee the ideological purge, in a sane universe, she shouldn't also purge the competent and experienced employees in order to preserve her pathetic and incompetent ass. She's been hoist by her own petard, and man, is that funny.
Friday 26th June 2015 17:16 GMT tom dial
Re: Peter principle
The head of a major federal (or state) agency like OPM is largely or even primarily a go-between: between the political masters in the executive and legislative branches and those in the agency, mostly senior civil servants with quite a lot of experience, some of it often both good and applicable to the cases at hand. They are not expected to engage much in day to day management, nor should they. They instead convey political and major policy direction to those who do, and advocate for the agency and its mission to executive branch personnel at the cabinet level and to congressional committees and their staffs. They spend the great majority of their time in meetings, much of it outside the agency. Agency directors are more likely in a well-run agency to get in trouble by intervening in operations than by doing their primary, political, job and letting the permanent civil service staff care for the details of policy implementation and daily operations. Conversely, in a not-so-well run agency, the director can do little more to effect change than reassign personnel.
My sense is that in IT matters, OPM had been a mess for some time, and reassignment of the previous CIO (by the previous director) with no immediate replacement probably indicated that OPM management, their superiors in the executive branch, and their congressional overseers knew it. Archuleta took office eight months later, and appointed Seymour a few months later, by which time OPM had had an acting CIO for eight or nine months and probably continued to drift along whatever path led to removal of the prior CIO. To assign major blame to either or both of them is largely misplaced, and dismissing them is as likely to perpetuate the damage as correct it.
Friday 26th June 2015 14:11 GMT Anonymous Coward
Re: there is no reason that a political appointee,
Actually, there are lots of reasons. The first one that comes to mind is that her politics are more important than doing the job correctly.
Yes, it is possible for an appointee to succeed with competent staff supporting them. But first the appointee has to care more about doing the job right than making sure he/she will still have sufficient cred with the party to win his/her next appointment.
Full disclosure: I fully expect that there is sufficient fail for all political appointees, federal staff, and contract staff to consume as much as the King did in the skit before he asked for a bucket.
Thursday 25th June 2015 16:11 GMT Your alien overlord - fear me
Why is the US gov on the internet in the first place? It's a work environment so they should have zero internet access bar one standalone PC and a locally attached printer. If someone needs a webpage, fill in the request form (in triplicate), someone in a haz-mat suit (so they don't get infected with any viruses) enters the URL and prints the page in triplicate. One goes to the requestor, one goes to their boss and one goes to the NSA.
Simple.
Thursday 25th June 2015 19:44 GMT Bob Dole (tm)
>>>And if all the other departments start complaining of being unable to fill sensitive positions as needed because OPM can't provide documentation quickly enough...?
The funny part of that is that the holes in the OPM system meant that foreign agents could get data on federal employees *faster* than other departments of the federal government.
It's like they took sharing the admin password to a whole new level and handed it out like candy to the world.
Thursday 25th June 2015 21:30 GMT tom dial
The OPM operates web applications for federal civil service retiree support, for applicants for federal employment, for completion of security background investigation requests (these are no longer done in paper form), and for at least one other federal agency. In the main, this is a result of an "eGovernment" undertaking begun (I think) under President Bush and continued under President Obama.
Thursday 25th June 2015 16:16 GMT Arctic fox
I personally think that this is absolutely hilarious.
"who are beginning to realise that the country's entire intelligence workforce has been utterly pwned, probably by a hostile nation."
They were so busy trying to pwn others that they utterly neglected to watch their own backs. Could not happen to a nicer bunch.
Friday 26th June 2015 03:53 GMT veti
Re: US Federal systems PWNED
There's no hypocrisy there. They're not saying the evul furrners did anything wrong - that goes without saying. What they're saying is that their own people screwed up by not stopping them.
Likewise, they'd say that French intelligence f'd up by allowing the NSA to bug their president. The NSA did nothing wrong there, they did their job - French intel is supposed to stop them, so they're the ones who screwed up.
This sort of mentally diseased game theory is not even controversial in America - it's accepted wisdom that this is how the world is supposed to work. Anything else would be aberrant.
Friday 26th June 2015 11:11 GMT Anonymous Coward
Re: US Federal systems PWNED
Ah.....it is all the victim's fault!
The crime of shoplifting is the retailer's fault because the goods are not securely locked up!
The crime of murder is the victim's fault for letting the bullet enter their body!
As far as the NSA goes, there's also the little matter of the Fourth Amendment!
Good try.......but FAIL.
Thursday 25th June 2015 16:33 GMT Naselus
To be honest, with this kind of security in place I'd be amazed if this hack was a hostile nation. This level of incompetence not only doesn't need any serious clout to crack, but would likely fail to spot the hack at all if it was conducted with the remotest bit of finesse; hell, this bunch of clowns would've taken three months to spot the kind of theatrics Lulzsec pulled off, let alone a serious Kremlin heavy mob.
Thursday 25th June 2015 18:04 GMT Stevie
Bah!
Before heads roll I would like to see how much money OPM has requested in the last decade and how much they were given by the Congress/Senate.
Then, anyone asking questions must first demonstrate they are completely innocent of ever denying funds to OPM or step away from the Festival of Finger Pointing, lest the finger points at them.
Also, it would be a pleasant surprise to find that everyone on each of the endless "committees" formed to "ask tough questions" were a) able to frame such questions intelligently and 2) understand the answers.
But of course we are going to be watching endless rounds of pompous, ponderously slow speechifying by the same sort of people who pondered why we couldn't have a secure encryption scheme that would be wide open to "forces of law and order".
Thursday 25th June 2015 21:44 GMT Gene Cash
Re: Bah!
No kidding. This is exactly like Congress axes funds for NASA's rocket engine R&D and the Commercial Crew program, then bitches about why we still have to buy Russian engines and Soyuz seats.
My grandfather always used to say "best thing the Russians could do for us would be to lob a nuke right on Capitol Hill!"
Friday 26th June 2015 02:25 GMT tom dial
Re: Bah!
OPM management requested money and billet authorization over the years based on needs they identified in the budget request process. They never got everything they wished for (with probability not measurably different from 1.0). Yet the reports have it that they added systems without making them secure (and perhaps without knowing where and how they were attached) and reportedly let maintenance slip rather badly, which many might think unwise. The right question of OPM is not whether they received the resources they requested, but how they managed IT with what they received.
In the (DoD) agency where I worked, we received annual reductions in both money and billets, but over the years security was gradually and regularly tightened, systems were inventoried, the network maps timely maintained and an increasingly detailed set of security requirements were applied retroactively as well as prospectively. The retro part sometimes was not fully up to date, but existing systems were patched and new ones were compliant with security configuration requirements before being attached to the LAN. The firewalls were quite exclusionary, to the point of irritating developers excluded from consulting external technical web sites classified as "chat". BYOD was not discussed, remote access was by VPN using government owned and maintained equipment only, and (courtesy of the DoD PKI program) two factor authentication was the only way of access other than at system consoles. Development sometimes suffered from this. All that was as directed by the CIO and his director of security, with full support of the agency directors. And that, I think, made a difference, as successful known penetrations were not known to have occurred as of about three years ago.
Friday 26th June 2015 10:46 GMT Naselus
Re: Bah!
@ Stevie - have an upvote for noting that denying an agency funding is likely to result in that agency being worse at doing its job properly. Shame the Republicans will now attempt to cut OPM's funding as punishment for not funding their security properly.
That said... some of the basic best-practice fails highlighted in this case are ultimately free to implement. Aspects of this whole thing scream wilful negligence.
Thursday 25th June 2015 18:22 GMT Someone Else
"Across the government, IT projects too frequently go over budget, fall behind schedule, and do not deliver value to taxpayers," declared Boozman. Unwilling to broach the issue without criticising the Democratic Party, Boozman suggested that the Obama administration "views the federal government as capable of tackling almost every problem the nation faces".
In prioritising the growth of the size and scope of the federal government, the administration fails to follow through on its existing projects, claimed Republican Boozman.
OK, Mr. Boozman <small>(snicker!)</small>. When the bill authorizing that $21million comes up for a vote in your august body, are you going to vote for it? No? Didn't think so. then go down to your Republicon cafeteria and order yourself up a nice, steaming bowl of STFU.
Thursday 25th June 2015 19:21 GMT Anonymous Coward
When the bill authorizing that $21million comes up for a vote in your august body, are you going to vote for it?
Money isn't the problem. The OPM is run by the same government that's building the Veteran's Administration Hospital in Denver. Here's the headline:
The Unfinished VA Hospital That's More Than $1 Billion Over Budget
http://www.npr.org/2015/06/09/413178870/the-unfinished-va-hospital-thats-more-than-1-billion-over-budget
Original budget: $328 million. Currently projected budget: $1.7 billion - and that number is liable to change. Somehow, an extra $21 million didn't solve the VA's problems, nor did an extra $1.3 billion. Billions of dollars aren't enough to solve problems under some leadership.
Please consider apologizing for your STFU comment. Be a light unto others.
Friday 26th June 2015 04:03 GMT veti
Well, except that the plans and contract for the Denver VA hospital were drawn up and awarded under the Bush administration.
And the article you linked clearly describes Congress trying to micromanage the project by approving funding on a week-by-week basis, which is so obviously a way of sabotaging the entire project that frankly I'd be surprised to learn that anyone involved actually bothers to show up to work in the morning.
So no, the STFU comment stands.
Thursday 25th June 2015 19:06 GMT Mark 85
Well.. it's possible (remotely possible... I'm going for cynical value) that the NSA did the hack and one of their leakers is leaking the files. Perhaps this whole thing was/is to make a point that we can attack but not defend? Penetration testing that ran amok, anyone?
No matter who broke in....let the heads roll and put them on spikes at the White House gates. The problem is, it's a huge problem that starts with the Executive and Legislative branches (priorities and funding) and filters down. Right now, there's probably some poor schmuck with a sysadmin title who's quietly updating his resume because he knows that crap rolls downhill and he's at the bottom of it even though he was powerless to implement anything.
Friday 26th June 2015 00:51 GMT tom dial
It appears that OPM's IT managers have been on indoor annual leave for years. Reports say the OPM doesn't know the systems they have, or how they are connected, and have not done regular patching on some, many, or all of them. If I were updating my resume it would be a tough choice whether to show recent employment there or pretend to have been unemployed since being fired for cause at my previous job.
They almost certainly have been squeezed for resources, but that is not a fully satisfactory excuse for getting priorities so out of whack. I think the risk of losing control of this data, even the SF86 information, has been overstated. However, I can guess that management in pretty much every agency that has employees in sensitive positions is pretty pissed, partly because most of them hunkered down and managed to map their networks and patch their systems on a fairly regular basis under much the same resource constraints.
Thursday 25th June 2015 21:39 GMT tom dial
Katherine Archuleta took office at OPM in October, 2013 - not all that long ago in the context of OPM's IT management troubles. The previous director reassigned then-CIO Matthew Perry in February, 2013, and Donna Seymour was not appointed to the CIO vacancy until December, 2013. Nine months is rather long for such a vacancy to remain unfilled, likely due to concurrent lack of a "permanent" director. My experience is that acting agency directors are slow to fill executive vacancies unless they are almost certain to be selected for the top position, something that is quite unlikely when that is a political appointment and the acting director is a civil service employee. Temporary executives like the acting OPM CIO also have a tendency to allow things to drift; that would have aggravated an already bad situation.
Archuleta did not come from an IT background and IT is not a primary OPM mission. There is no reason to think she would, on her own, realize the mess she had on her hands until informed by her CIO. Seymour probably arrived for duty in January, 2014, and likely would have required some time to become aware of it, and that appears to be close to the time when the penetration began to take root and begin exfiltration of data. And both of them would have had quite a few other matters to deal with. January is four months into the fiscal year, and planning for end of FY expenditure management normally will be starting. Major changes to planned activities are difficult for upper management to undertake for the current year, especially if they are comparatively new on the job and not yet familiar with who on the staff can, and who cannot, execute. It also is well into the planning year for the following fiscal years and late to be making major reallocations.
As a retiree whose personal information, including SF86, appears to have been taken, I am not at all pleased with this, but also am not inclined to jump on the bandwagon and demand that these two be sacked. Unless they can be shown to be as feckless as their predecessors (and their predecessors' placeholders) it is far from clear that replacing them would do more than extend the disorder and delay correction of the underlying IT management problems. It might be beneficial to insist that they obtain assistance from outside the agency to assist them in evaluating and correcting the situation. Given Ms. Seymour's employment history with DoD, which runs a much tighter operation than what has been reported of OPM, it would be unsurprising if OPM already had done so.
-
Friday 26th June 2015 14:54 GMT Anonymous Coward
@tom dial
She's a political appointee who paid for her position. You pays your money, you takes your chances. Goes with the territory. And no, I won't accept "unless it is proven she is as feckless...". Because the excrement has already hit the oscillating air mover, unless SHE can PROVE she is not as feckless as her predecessor, out she goes. And I say this because I've worked with someone at her level who was ousted for mistakes made consistently on predecessors' watches but because he happened to be there when the final (not the first, the final and it was about a seven YEAR process) IG report came out, he was the man on duty.
-
Friday 26th June 2015 17:34 GMT tom dial
Re: @tom dial
I never have been a fan of punishing those not shown to be guilty. It may please congressmen to demand resignations, and it may resonate with those they hope will reelect them, but there is no evidence that doing so will improve OPM IT operations, which seem to have been inexcusably sloppy for quite a few years before the present managers took up their positions. The damage is largely done and unrecoverable and firing those now trying to fix the underlying problems is more likely to do harm than good.
-
-
-
Friday 26th June 2015 07:21 GMT All names Taken
Typical of ...
... an over bureaucratized state?
1 - the incident only becomes important when pwnage affects employees (bureaucrats in the bureaucracy?)?
2 - it does not matter a jot what the content or risks to those individuals are (in fact its leaks are worse in effect than its whistleblowers' stuff?)?
I could go on but you get the drift and all it boils down to is a "You did it-No, you did it" whitewash coverup.
Shame innit?
You humans - wot yoo like?
-
Friday 26th June 2015 08:12 GMT Olius
Snowden off the hook
So does this mean it is officially not Snowden's fault now?
Not that it ever was - El Reg was reporting about this breach at the same time the red-tops were reporting that the Russians and Chinese had cracked encryption on some Snowden documents which they never had.
I'm sure the rest of the press will carry on falling over themselves to blame Snowden for this one...
-
Friday 26th June 2015 10:40 GMT breakfast
Might as well leave the stable door open now
Given that all the most personal information about everybody in the US intelligence services is now available to at least one hostile nation, why bother with more security infrastructure now? I mean really, how much worse can it get?
Going to be very interesting to see how things go on as this information starts to be used. Guessing the US are going to have to be bringing a lot of people home from various parts of the world over the next few months...
-
Friday 26th June 2015 13:26 GMT Tom 13
included the theft of Standard Form 86, essentially a biography
You haven't been keeping up/paying attention. Admittedly they were real coy about the way they slipped it in, but it's even worse than the bad guys just getting the Standard Form 86. But how could it possibly be worse than handing over your personal biography?
Well it seems they also made off with the files the FBI puts together to VERIFY your Standard Form 86. And that's even bigger than your SF86. And it probably contains enough information to steal the identities of the people you supplied as references or asked to vouch for you.
Yeah, heads are going to roll on this one. Almost certainly too few and not necessarily the right ones, but heads will roll.
-
Friday 26th June 2015 22:48 GMT oneeye
The OPM opened all the doors and windows and left them that way. Here is a quote from the Ars Technica article. Seems they knew some contractors.
"Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"
http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/