Two Truths and a Lie: OPM Breach

The top 20% of cyber attacks are responsible for 80% of the damage

July 2015

We all know about the icebreaker “two truths and a lie,” so let’s see how it applies to the fallout from the Office of Personnel Management (OPM) data breach.  Before we start our little game, some facts:

  • Over 22 million American citizens’ information is compromised – this is roughly 10% of the American adult population
  • While the White House is not attributing this attack to China, all accounts point East
  • The data stolen include the information contained in the SF-85, SF-85P, and SF-86.  These documents are required to obtain a security clearance with the federal government and include information on non-Federal employees
  • This attack went undetected for nearly a year

This article draws back the curtain to reveal some truth in this whole debacle.  This is an opinion piece and does not propose any recommendations.  Stay tuned for our next article on how to remedy this fiasco!

Truth #1: This is a national security nightmare!
Here is the reality: China wants to avoid the industrial revolution by stealing the intellectual capital of the American people and its corporations, universities, and government.  They are not as interested in monetizing the identities of Americans to make a buck, like the Eastern European criminal rings.  To actualize this goal, the Chinese are stealing security clearance data of American citizens, and their closest friends, coworkers, and companions, which will enable them to steal data and proprietary information in a more clever way to facilitate corporate and economic espionage.  Let us consider a former researcher at the Department of Energy, who is now leading a Silicon Valley based energy-technology company.  The Chinese have his personal information, which means spearphishing him is like stealing candy from a baby.  Imagine the joy of a Chinese hacker as he gains the information on the latest technology passing through his personal computer.  The OPM breach has become a national security and intelligence nightmare, because validating information from individuals and agents is now even more difficult.

Truth #2: Congress is also to blame

Yes, Director Archuleta and Chief Information Officer Seymour of OPM are at fault for not implementing sufficient security to protect the data of American citizens.  Director Archuleta has assumed responsibility and accountability for one of the greatest national security failures in US history by resigning (she was a political appointee).  This is a national security failure because we did not have the foresight and security controls in place to prevent a foe from obtaining critical information.  However, Congress has failed to allocate the necessary security budget for departments and agencies to fend off today’s threats.  The Department of Homeland Security (DHS) has been tasked by Congress with a mission it is unable to fulfill: protecting the “.gov” domain.  DHS lacks the authorities and budget appropriations to service the federal civilian government with effective cybersecurity solutions.  The ongoing string of Executive Orders, Presidential Policy Directives, and Office of Management and Budget Memorandums (specifically M-09-32 and M-10-28) are unfunded mandates – Congress has failed to allocate the necessary funds to federal civilian agencies to purchase DHS’s offerings and failed to authorize DHS with the necessary authorities to enforce these policy memos.  DHS’s cyber branch (US Computer Emergency Readiness Team, US-CERT) is actually a service organization for the federal civilian departments and agencies.  It develops and disseminates security technology and services to its customers, the federal civilian government.  The individual federal civilian entities are told to use DHS services through a series of unfunded mandates – in layman’s terms: imagine you are given the catalog to a mediocre retail store without any money to spend on the merchandise.  DHS is the mediocre retailer and OPM is the customer that didn’t even have the money to spend on the clothes.
This is of course 20/20 in hindsight; we can be retroactive, or we can start to think about cyber security differently.  Agencies must actually meet a level of cyber security, implement effective and valuable training, and test their systems regularly, like many in the public sector are trying to do (without regulation!) because it is necessary to protect their business operations, maintain compliance, and protect their brand and reputation.  Many are calling for the Department of Defense to protect government-wide security clearance information.  This is an option, but a debate is to be had in the privacy community before any action is taken.

Lie: EINSTEIN and CDM are bullet-proof solutions

In the media DHS is coming out pretty clean through this whole mess, with the exception of Richard Bejtlich of TaoSecurity and several Congressional testimonies (we all know you are glued to C-SPAN).  In fact, Senators are lauding DHS for its cybersecurity technologies, collectively known as the National Cybersecurity Protection System (EINSTEIN 1 and 2, E3A, and Continuous Diagnostics and Mitigations (CDM)).  EINSTEIN is a series of technologies intended to monitor, detect, and prevent network intrusions; CDM is a dashboard of the vulnerabilities within your network.  In fact, Congress is actively considering options to codify the E3A program into law – which would lead to funding of departments and agencies to implement E3A.  E3A is fine, but its capabilities are being sensationalized by everyone – from the White House to Congress to tech experts.  If E3A isn’t the silver bullet, then CDM is definitely not.  Cybersecurity in the Federal Government is outdated, due to poor acquisition processes, compliance regimes masked as risk assessments (cough FISMA cough), poor morale, and general bureaucracy.  E3A will only be as good as the analysts behind the technology who can continue to detect nefarious actors – the predictive and preventive capabilities are questionable.  So, what can the Federal Government do to improve its cyber security?  The 30-day sprint is helping.  More than anything, this past month has reminded civil servants of their jobs and the duty they have to protect the data with which they are entrusted; and, finally, the Government is implementing key security requirements in Homeland Security Presidential Directive-12 (HSPD-12).  That said, keeping up with security after these 30 days will be difficult.  Regulated industries in the private sector are normally required to conduct annual risk assessments, annual trainings (that actually mean something), pen-tests, and tabletop exercises.
As a nation, we need to begin incorporating these industry tools into the federal civilian government, starting with the most critical programs and systems (e.g., Department of Justice, Treasury, Health and Human Services, Energy, State, Homeland Security).  These are the non-military and non-defense related organizations that are also responsible for Americans’ health and well-being, as well as economic and national security.


The Truth About Millennials and Online Privacy

Protecting yourself in 20% of the riskiest areas of digital privacy, will provide 80% coverage

June 2015
Researchers for the past few years have been investigating millennials’ attitude toward privacy. Many assume from contemporary dialogue and commentary that millennials have a deep concern over their privacy. Voices of this generation, including Jon Stewart and Stephen Colbert, were outspoken against the NSA PRISM program. In fact, a core unit of Colbert’s audience was aggravated by the fact that he decided to participate at the RSA 2014 Conference, as some claim that RSA was paid $10 million by the US Government to weaken its security algorithm.

The research and articles on privacy and millennials are conflicted: for example, the most prominent survey on this topic, by the University of Southern California’s Center for the Digital Future group, noted that millennials are not concerned with their online privacy and favor convenience over privacy controls.  The survey suggests that millennials are willing to provide personal information in order to receive a benefit, such as a coupon or greater convenience. For instance, millennials “were more likely to share their location in order to receive coupons from nearby businesses: 56%, vs. 42% of those 35 and over. And 25% said they would give away personal information to get more relevant advertising, compared with 19% of the 36 and over crowd.” The Center’s director mentioned that this attitude towards privacy is due to the fact that millennials grew up using emergent technology – they are “digital natives.”

On the other hand, Contagious Communication and Flamingo, a brand consulting firm, conducted a study across the US and UK, which “demonstrates that millennials and post-millennials are considerably more concerned about privacy than other generations and this is manifesting itself in how they interact both with their peers, and with brands. Millennials are 28% more likely to switch products or services because of privacy concerns than the rest of the population.” Harris Interactive conducted a similar survey and found: “Seventy-eight percent of users aged 18-34 expressed a wish for privacy, compared to 59 percent of users 35 and up.”

Based on this wide variety of research findings and opinions, the 80-20 Team embarked to discover the ground truth on millennials’ attitude and actions on personal online privacy. This article reveals that millennials’ actions do not reflect a sincere interest in online privacy. Moreover, the findings indicate significant confusion over privacy and security controls[1], as evident in the discussion below. The 80-20 team surveyed millennials, all of whom had a social media account, during November and December 2014.

Smartphone Privacy

Millennials live on their phones – they email, text, call, deposit money, book a trip, and more. Therefore, smartphones and the respective apps have a great deal of personal data stored that most users claim to have knowledge about – but their actions say otherwise. Based on 80-20’s survey, more than half of individuals did not review their phone’s privacy permissions.  As noted, many apps on one’s phone are linked to the phone’s contacts, data, calendar information, photos, type, search history, and more. Review your phone’s privacy settings to ensure that the default data settings between the app and the smartphone meet your privacy and security needs. In particular, geolocation settings are important to review. According to the results, 63% of respondents turned off the geolocation capabilities on their phone.  While there were no follow-up questions to this initial question, it is likely that respondents were not aware that there are multiple apps that require the location of an individual – all maps, transportation services, including Uber, and the weather app.

Tutorial: To review the geolocation capabilities of all the apps on an iPhone, follow the steps outlined:

1. Go to Settings.

2. Select “Location Services.”

3. The iPhone allows a user to disable the location services for all apps by choosing the first button labelled “Location Services.” Alternatively, a user can select which apps he/she gives permission to enable geolocation capabilities.

Browser Privacy

75% of respondents have not turned “ON” the “Do Not Track” feature on their browser. “Do Not Track” is an opt-out service; therefore, most users are unaware that they even have the right to not have their search history tracked online. “Do Not Track” is a web application that will disable tracking between a user and the web site. According to Google, enabling "Do Not Track" means that a request will be included with your browsing traffic. For example, some websites may respond to this request by showing you ads that aren't based on other websites you've visited. Many websites will still collect and use your browsing data - for example to improve security, to provide content, services, ads and recommendations on their websites, and to generate reporting statistics.

Tutorial: To turn “ON” “Do Not Track” follow these steps:

For Chrome –

1. Go to Settings by selecting the three horizontal lines in the top right hand corner of the browser window.

2. At the bottom of the Settings page, click on “Advanced settings.”

3. Check the box that reads: “Send a ‘Do Not Track’ request with your browser traffic.”

For Firefox –

1.   Go to Options by selecting the three horizontal lines in the top right hand corner of the browser window.

2.   Click on Privacy along the top toolbar.

3.   Select “Tell sites that I do not want to be tracked.”
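What the checkbox above actually does is add a single request header, `DNT: 1`, to the browser’s traffic; whether a site honors it is the site’s choice, which is why the Google text quoted earlier says many sites keep collecting data. The following is an added example (not code from the article or from any browser or site): two constructed server-side handlers, one that honors the header and one that ignores it, run over constructed requests sent with the setting on and off.

```python
"""Added example: the "Do Not Track" setting is one request header.

Enabling DNT makes the browser send "DNT: 1" with every request.
The two handlers below are constructed for this example (not any real
site's code): one honors the header, one ignores it, so the difference
in what the user receives is visible.
"""
from typing import Optional

# Constructed raw HTTP requests, as a browser would send them with the
# setting on and off (simplified; real requests carry more headers).
REQ_DNT_ON = (
    "GET /article HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "DNT: 1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
REQ_DNT_OFF = (
    "GET /article HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# A constructed tracking cookie an advertising site might set.
TRACKING_COOKIE = "uid=<constructed-id>; Max-Age=31536000"


def parse_headers(raw: str) -> dict:
    """Return request headers as a dict keyed by lowercase header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def tracking_preference(headers: dict) -> Optional[bool]:
    """Interpret DNT: True = do not track ("1"), False = consent ("0"),
    None = the user expressed no preference (header absent)."""
    value = headers.get("dnt")
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def honoring_site(raw: str) -> dict:
    """A site that respects DNT: no tracking cookie, contextual ads only."""
    if tracking_preference(parse_headers(raw)) is True:
        return {"set_cookie": None, "ads": "contextual"}
    return {"set_cookie": TRACKING_COOKIE, "ads": "personalised"}


def ignoring_site(raw: str) -> dict:
    """A site that ignores DNT: the header changes nothing at all."""
    return {"set_cookie": TRACKING_COOKIE, "ads": "personalised"}
```

The header is a request, not an enforcement mechanism: for the ignoring site the response is identical whether or not the box is checked.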

Other suggestions to protect one’s search and browser privacy include:

  • Google Incognito is a fantastic feature if you do not want Chrome to save records of the sites you visited or downloads you made. Incognito is available on computers, Android devices, and iPhone/iPads. To open an Incognito window on a computer, click the three horizontal lines in the top right corner and then select “New Incognito Window.”

  • If a user considers Google to be too invasive, then there are alternative search engines, such as DuckDuckGo. This service does not store any web history logs.[2]

Password as a Privacy Protection

As many are aware, passwords are an easy control for most hackers to crack. Despite this well-known fact, 60% of individuals noted that they have not changed their password in the past 90 days. Most online companies do not require their customers to change their passwords; however, changing your password every 90 days is an effective method to restrict unwanted users. Moreover, changing user passwords every 90 days is based on business best practices. An easy solution to password security is to use a service that randomly generates new passwords, such as KeePass, 1Password, PasswordSafe, or LastPass. All passwords should be complex and long – the longer the password the harder it is for the hacker to crack.
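The paragraph’s two practical points, use a manager that generates random passwords and make them long, can be put in numbers. The block below is an added example, not code from the article or from any of the password managers named: it draws passwords from the operating system’s CSPRNG the way such a tool does, and shows how the brute-force search space grows with length; the guess rate is an assumed figure for illustration only.

```python
"""Added example (not from the article): a generator of the kind of random
password a manager like KeePass or 1Password produces, and the brute-force
cost behind "the longer the password the harder it is to crack".
"""
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG (secrets), never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search must consider."""
    return alphabet_size ** length


def expected_crack_seconds(length: int, alphabet_size: int,
                           guesses_per_second: float) -> float:
    """Mean time to hit the password by brute force: half the keyspace."""
    return keyspace(length, alphabet_size) / 2 / guesses_per_second


def crack_time_table(lengths, alphabet_size=len(ALPHABET),
                     guesses_per_second=1e10):
    """Rows of (length, entropy_bits, expected_years).
    1e10 guesses/s is an assumed offline-cracking rate, not a measurement."""
    rows = []
    for n in lengths:
        bits = n * math.log2(alphabet_size)
        secs = expected_crack_seconds(n, alphabet_size, guesses_per_second)
        rows.append((n, round(bits, 1), secs / (365 * 86400)))
    return rows


if __name__ == "__main__":
    print("sample:", generate_password(16))
    for n, bits, years in crack_time_table([6, 8, 12, 16]):
        print(f"length {n:2d}: {bits:6.1f} bits, ~{years:.3g} years to brute-force")
```

Each extra character multiplies the search space by the alphabet size, so going from 8 to 16 characters multiplies the expected cracking time by 94^8 at any fixed guess rate.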

In addition to personal passwords for online accounts, nearly 46% of users have not changed the default password for their at-home network router. Most router default passwords are available online for any capable hacker to gain access to one’s home network.  Not changing the default password is equivalent to leaving one’s door open.

  • To change the password of your router follow the directions on the OnGuard video here.

  • Additional information to change the password of your network router is available here.

Digital Footprint

Additional actions reveal that millennials do not have their personal privacy as a top priority. Beginning with social media use, 92% of millennials reported being “somewhat to very active” on social media, yet only 70% read the social media’s privacy policies. Ironically, 70% also claim to be somewhat familiar to familiar with the content that browsers, social media, and retailers collect from customers. Therefore, how can individuals know what the various entities and platforms are collecting about them without actually reading the privacy policies? Another interesting paradox is as follows: while 96% of individuals were aware of the iCloud celebrity photo hacking scandal in summer 2014, 50% did not do anything to protect their photos stored on the cloud following the hack.[3]  So even with knowledge of such an invasion of personal privacy, most millennials did not take reactive or proactive actions to protect their content stored on the cloud. Millennials’ confusion over privacy and convenience is further evident by the fact that more than two-thirds of participants will use a public WiFi to conduct personal and professional business without a VPN.

Despite the scores of breaches against celebrities, the US government, retailers, and critical infrastructure, individuals do not seem to take serious actions to protect their public information. According to the results of this survey, 54% are “somewhat concerned” to “concerned” about their digital footprint; unfortunately, this leaves 33% not concerned at all with their digital footprint.  So, why don’t millennials’ actions reflect a need or want for privacy? One can presume that millennials are not highly concerned about their personal online privacy for three possible reasons:

1. Millennials do not feel the impact from the large-scale data breaches. For example, if a credit card number is counterfeited then the payment card company will send a new card at no cost to the consumer; the payment card companies accept the fee of replacement cards as the cost of doing business. The customer is inconvenienced for a few days before the card is replaced, but there is no long-lasting impact. The impact is felt if one’s identity is compromised and an individual is not able to open a line of credit, obtain a loan, or conduct other business.

2. Millennials favor convenience and a good deal more than their personal privacy.  This reason supports the Center for the Digital Future conclusion that millennials are willing to part with personal details in order to make their daily routines a bit easier. Technologies are continuously pushed to this generation, who are quick to load the latest app without reviewing the security or privacy.

3. Millennials do not know how to protect their information.  Even though this population may be digital natives, they were not brought up with information technology security as a priority. There was no formal education around online or digital security; therefore, most millennials are trying to learn the security controls available as they navigate the new technologies.

The findings of this survey reveal that while contemporary commentary may portray the millennials as a generation concerned about privacy, their actions indicate otherwise.  In order to promote online privacy awareness, all generations must be better informed of the actions they must take to protect themselves and their data. While many online users will continue to favor convenience over privacy, at a minimum users must have knowledge and acceptance of the risks of operating online.

[1] The Center for Digital Future survey had the same finding.


[3] 29% did admit that they do not know how to protect their content stored on cloud services.
