ICD Brief 8.
05.09.2016. – 11.09.2016.
Committee on Oversight and Government Reform
US House of Representatives
The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation
“The government of the United States of America has never before been more vulnerable to cyberattacks. No agency appears safe. In recent data breaches, hackers took information from the United States Post Service; the State Department; the Nuclear Regulatory Commission; the Internal Revenue Service; and even the White House.
None of these data breaches though compare to the data breaches at the U.S Office of Personnel Management (OPM). In what appears to be a coordinated campaign to collect information on government employees, attackers exfiltrated personnel files of 4.2 million former and current government employees and security clearance background investigation information on 21.5 individuals. Additionally, fingerprint data of 5.6 million of these individuals was stolen.”
“Office of Personnel Management acting Director Beth Cobert pushed back against a blistering House report that places heavy blame on the agency for the 2015 breach of OPM systems that compromised the personal information of more than 20 million individuals.
“The cybersecurity report issued today by the Republican members of the House Oversight and Government Reform Committee on the cyber intrusions at the U.S. Office of Personnel Management does not fully reflect where this agency stands today” Cobert said in a Sept. 7 blog post on the agency’s website.
“While we disagree with many aspects of the report, we welcome the committee’s recognition of OPM’s swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies, and processes,” Cobert wrote. “We also appreciate the panel’s willingness to work with us on these important issues and find many of the final recommendations to be useful for OPM and the federal government at-large.”
“The White House on Thursday named a retired U.S. Air Force brigadier general as the government’s first federal cyber security chief, a position announced eight months ago that is intended to improve defenses against hackers. Gregory Touhill’s job will be to protect government networks and critical infrastructure from cyber threats as federal chief information security officer, according to a statement.”
“Defense Secretary Ash Carter and his British counterpart Michael Fallon yesterday signed a first-of-its kind agreement to together advance offensive and defensive cyber capabilities, Carter said in a joint press conference in London as part of his three-day trip to the United Kingdom and Norway.”
“United States president Barack Obama says the nation he leads has the world’s foremost digital arsenal. Speaking at a press conference after meeting Russian president Vladimir Putin at the G20 summit in China, Obama said “We have had problems with cyber intrusions from Russia in the past, from other countries in the past.” He went on to say “we are moving into a new area where a number of countries have significant capacities. And frankly we have more capacity than any other country, both offensively and defensively.”
“While careful not to formally name Russia, FBI Director James Comeysaid Thursday that the bureau is actively investigating whether a “nation-state actor is messing” with the U.S. electoral system. During a panel discussion featuring many of the nation’s top intelligence officials, Comey declined to identify Russia, even though U.S. authorities have long suspected that Russian government operatives were the source of hacking attacks that breached the Democratic National Committee and more recently the voter registration systems in Arizona and Illinois.”
“The Organization for Security and Cooperation in Europe (OSCE), an umbrella body for 57 European, North American, and Central Asian nations in the security field, has chosen Prof. Gabi Weimann of the University of Haifa to plan and establish a new teaching and research framework concerning online terror.”
“An Israeli company was entrusted with countering cyber-attacks at the Rio de Janeiro Olympics. Ahead of the 2020 Tokyo Olympics and Paralympics, both the public and private sectors in Israel have started marketing activities for exporting the country’s cybersecurity technologies to Japan, where there is a shortage of human resources in the field.”
“NHS Digital is set to start expanding the range of cybersecurity services available to UK hospitals and clinics. CareCERT (Care Computer Emergency Response Team) launched in November 2015, offering a national service that helps health and care organisations to improve their cybersecurity defences by providing proactive advice and guidance about the latest threats and security best practices.”
“Ten more finalists for the 2016 UK Cyber Security Challenge have been identified in a recent simulated mobile-based cyber attack in London. They will join 32 other finalists drawn from this year’s competitions who will battle it out in November to be crowned the 2016 champion.”
“Australia is facing an increasing number of cybersecurity threats while simultaneously suffering a severe cybersecurity skill shortage, a pair of reports found. The Center for Strategic and International Studies and Intel Security Inc. produced a joint study on the international cybersecurity workforce that surveyed eight countries: Australia, France, Germany, Israel, Japan, Mexico, the U.K. and the U.S. The study found that 88 percent of respondents in Australia and Mexico believe there is a lack of technical cybersecurity skills, ranking at the bottom of the countries surveyed.”
“In the Baltics, the NATO Warsaw Summit is viewed as a momentous event, marking a shift to a deterrent stance vis-à-vis Russia with the decision to deploy the four multinational battalions to Eastern Europe. This article contributes two new perspectives to the analytical voices discussing the key implications of the Summit. First, it reflects on and contextualizes the narratives and popular perceptions of the Summit in the Baltics that may not be immediately obvious to outside observers. Second, it highlights the views from the Warsaw Summit Experts’ Forum (WSEF) – a high-level Summit sideline event that considered the key agenda items in a less politically charged environment.”
“A Chinese hacking group has been accused of targeting multiple Hong Kong government agencies with cyberespionage operations in politically motivated attacks, according to U.S. cybersecurity firm iSIGHT, a unit of FireEye Inc.”
“Chinese cyberattacks against the United States have declined by about 80 percent, according to panelists speaking at the Atlantic Council on Tuesday. “Long story short, we saw a dramatic decline in activity,” said William Glass, a threat intelligence analyst at FireEye, which noted the decrease in its June 2016 report on Chinese cyber espionage behavior.”
“In an effort to “de-Westernize” and maintain control over internet users and the spread of information, the Iranian government has revealed a state-sponsored internet known formally as the National Information Network. This new service, nicknamed the “halal” (lawful) internet, is another ploy by the Iranian state to limit the spread of information into and around Iran.”
“With the always evolving threat of hacking, it is essential that the public and private sectors take a proactive approach to cybersecurity. To help accomplish this, two EU-funded projects, SHARCS and PQCRYPTO, are working to develop new security paradigms, architectures and software to ensure our ICT systems are secure and trustworthy.”
“The NIS directive on network and information security, which was passed in July and came into effect in August with a two-year transition period, establishes European standards intended to inhibit cyberattacks and improve the exchange of information. According to DEKRA experts, it constitutes a sensible complement to the more general ISO 27001 information security management guidelines and the IEC 62443 technical standard for the integration of industrial systems with communications networks.”
“ Top NATO officials and industry representatives are discussing how to join forces and efforts to combat ever more sophisticated cyber threats at the Alliance’s annual two-day cyber security conference NIAS 16 in Mons, Belgium. Today’s first day of the conference opened on the next steps for NATO’s cyber defence from political, operational and technological perspectives.”
“A new era has dawned for NATO, euronews correspondent Andrei Beketov reports from the Cyber Security symposium in Mons, Belgium. “At the July NATO Summit in Warsaw cyberspace was recognised as the alliance’s fourth operational domain – alongside land, sea and air,” Beketov says. “At the same time the Alliance announced business opportunities worth 70 million euros for dealing with cyber threat. Now’s the time for hi tech companies to offer their goods.”
“MetricStream’s Piyush Pant looks at the complexities of measuring cyber risk and the shortcomings of cyber insurance.
Business risks encompass any factors that can have a negative impact on a company’s performance, operations, revenue and growth. The Brexit vote provides a timely reminder of the impact of these risks and why they must be managed. Many, including the UK Government, were surprised by the leave vote and hadn’t adequately planned for it, creating mass uncertainty across the globe. Multinational corporations remain unsure whether they will relocate staff to other countries in order to ensure access to the single market, for instance, and that hesitation continues to impact the UK’s and global economies.”
“The Brexit vote is a seismic, once in a generation event but far more common risks can be just as devastating to the companies involved. Indeed, in 2016 there is one type of risk that weighs heavily on every business leader in the world, against which traditional forms of business insurance seem to be no match – cyber risk.”
“Last week, we learned that (gasp) U.S. presidential hopeful Hillary Clinton – or her staffers – used a freeware data removal tool to purge emails from her now infamous private email server. The debate around Ms. Clinton’s email practices is getting muddled, if you ask me. If she is to be condemned for hosting her State Department communications outside the State Department’s IT infrastructure because that would expose it to hacking from enemy states like Russia (the most common bugaboo), shouldn’t she be commended for ensuring that they were safely erased?”