The cyber attack on the US Office of Personnel Management was one of the biggest the world has ever seen. The sheer quantity of stolen data was immense: employee data concerning 21 million civil servants, including government workers and FBI agents.
Following the hack, cyber professionals slowly began to realize the severity of the loss. Noticing at one stage, that amongst the stolen data was a method for potentially discovering the names of federal agents working undercover in China. An outcome that left the US with no option but to rapidly call-back those agents, (and leading to the resignation of OPM Director Katherine Archuleta).
With any large-scale government failure of this kind, there is always going to be a certain amount of PR fallout. On this occasion, however, the hack was significant enough to warrant a witch hunt, and despite Archuleta’s resignation – the vultures kept on circling – hungry for another fall guy or girl.
Of course, the role of Information Security Officer at any organisation comes with an elevated risk of failure and embarrassment. Being the head of cyber security at OPM during the Chinese cyberattack, however, meant that you were on a one-way road to resignation.
Funny that the consequences of this hack were career ending, when you consider that last year alone cyber criminals broke into banks, hotels, airlines, insider trading opportunities, dark web marketplace owners, NASA, telecommunications companies, 90% of businesses in Newcastle (UK), Hacking Team (builders of elite hacking tools), a power grid, and just before last Christmas – Sony – a top tier tech and entertainment company.
The OPM hack, however, was for some reason worse. Much ‘worse’ – and the government needed to make an example out of it. For the good of the nation’s cyber bravado, the OPM hack required the public relations equivalent of a cold shower.
Appalling to think that this was happening in the country where IPsec was made in a government project, ESP (a member of the IPsec protocol suite) was developed by DARPA, and SP3 (SDNS3) and NLSP were developed under the NSA’s Secure Data Network System project.
Worth a mention at this stage, is the importance of remembering that the US government is deeply entrenched in the history of the Internet and its security. The US invested in, researched, created, and implemented the Internet’s central protocols (and weaknesses). Which is why for so many people, the moment that Snowden blew the whistle two years ago was not much of a surprise. PRISM was just another part of the US’s muddy history of neglect for privacy and entrenched policies that favour control with backdoors.
When the US invented the Internet’s protocols, those weaknesses were secrets of the agencies that developed them. Inevitably, however, the word got out. The Public and private sectors became enlightened to the protocols that held the Internet together. All over the world, cyber security experts were born, and the illusion of Internet security began to crumble.
For OPM’s chief information officer, Donna Seymour, the past actions of her government had been a deciding factor in her final downfall. Firstly, because of the US’ involvement in perpetuating security flaws for espionage. Secondly, because of a lack of funding for cyber security in government agencies, and thirdly, because of cross-department secrecy.
Behind the scenes, however, all those ingredients had been coming together to create a Captain Hook’s Plank for cyber careers. A plank that Seymour had unknowingly been prodded along until she went teetering over the edge and down towards the hungry crocodile.
House Oversight Committee Chairman, Jason Chaffetz, instantly celebrated Seymour’s removal: an outcome he had been calling for since the middle of last year. Though, it seems fair to say from his comment that there is a bit of the heartbroken lynching party member inside him,
‘While I am disappointed Ms. Seymour will no longer appear before our committee this week to answer to the American people, her retirement is necessary and long overdue. On her watch, whether through negligence or incompetence, millions of Americans lost their privacy and personal data. The national security implications of this entirely foreseeable breach are far-reaching and long-lasting. OPM now needs a qualified CIO at the helm to right the ship and restore confidence in the agency.’
Democrat rep. Elijah Cummings, on the other hand, denounced Seymour’s departure as nothing more than scapegoating,
‘Efforts by Republicans to blame her for the cyber attack on OPM are both unfair and inaccurate, and they set a terrible precedent that will discourage qualified experts from taking on the challenges that face our nation in the future.’
In the end, Seymour resigned just days before her hearing. Perhaps she left her position because she was indeed guilty of negligence. Or, maybe, she quit because despite doing her best with the given resources – she knew she was being shown the door.