Ambassador
 
Posts: 21062
Joined: 15 Jun 2002, 6:53 am

Post 29 Jun 2015, 5:07 pm

Two questions:

1. When does a "hack attack" become an act of war? It seems to me that China is certainly either flirting with it or has already crossed the line.

2. Why, o why, do we have partisan hacks in charge of anything sensitive? Ms. Archuleta (see below) is a know-nothing incompetent hack.

Before becoming the head of OPM, Katherine Archuleta had no background in the kind of work the agency does. Archuleta, a lawyer and former Clinton administration official, was national political director for President Obama’s reelection campaign. She served as the chief of staff to Secretary of Labor Hilda Solís, and was the City of Denver’s lead planner for the 2008 Democratic National Convention. Like the president, she has roots in “community organizing”: She co-founded the Latina Initiative, a Colorado organization aimed at getting more Hispanic voters involved in politics. (In 2011, the Latina Initiative suspended its operations, citing insufficient funding.) Nothing in this record suggests any expertise in the vitally important human resources and record-keeping functions OPM is supposed to serve.

Before the hack, Archuleta’s primary goals at OPM appeared to be increasing the diversity of the federal workforce and implementing Obamacare’s changes to federal workers’ health-insurance options. Her July 2013 confirmation hearing was brief and relatively controversy-free. Senator Mark Udall, (D., Colo.), introduced her and declared, “she has an impressive range of accomplishments that make her completely, totally well-qualified to be director of OPM.” Archuleta mentioned her determination to “build on OPM’s health care experience” including “implementing its provisions of the Affordable Care Act.” She did say she would “prioritize the improvement of the agency’s Information Technology systems” and pledge to create the position of Chief Technology Officer, but that came in the context of a discussion on OPM’s difficulty in moving to a digital system for handling retirement services for federal workers. The topic of cyber security only came up during a brief discussion of whether OPM had sufficiently skilled personnel in that area.

She was confirmed 62 to 35, but most of the Republicans who voted ‘no’ said their objection was not with Archuleta herself but with the Office of Personnel Management deciding that members of Congress were not, in fact, required to enroll in the exchanges under Obamacare — an interpretation most Republicans saw as an unfair exemption that was contrary to the law’s text. Upon her arrival in the post, she was touted by the Obama administration as “the first Latina Director” of OPM. The White House website declared, “Katherine shares President Obama’s vision for diversity and inclusion in the federal workforce” and added, “OPM has recognized and acknowledged the underrepresentation of Hispanics in the federal work force, and the potential and talent they have to offer.” Information technology and cyber-security were not mentioned. “The complex and important work of government requires a diverse and inclusive workforce that is representative of the many important perspectives, talents, and backgrounds of our great nation,”

Archuleta declared upon taking her post. “I am committed to building a diverse and inclusive workforce to serve the American people.” While Archuleta, the administration, and its allies were busy hailing a new era of diversity in the federal government, OPM’s apparently long-standing cybersecurity vulnerabilities remained unattended. Slate has noted that OPM knew as early as 2013 that “sensitive data was not secured” and “security measures were not even tested to make sure they worked.” Worse yet, the agency “was unsure even of how to fix these problems,” and hadn’t fixed them as recently as this past April, years after the system had been repeatedly breached. When news broke of the first of those breaches, in early 2014, Archuleta went so far as to insist in public that there was nothing that needed fixing.

In March 2014, OPM became aware of a partially successful Chinese hack into its systems. On July 9, 2014, the New York Times reported that “Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials, targeting the files on tens of thousands of employees who have applied for top-secret security clearances.” Officials quoted in the story said the hackers gained access to some of OPM’s databases before federal authorities detected the threat and blocked them. Archuleta was quick to downplay the breach, declaring in a July 21, 2014 interview with Washington’s ABC affiliate that, “We did not have a breach in security. There was no information that was lost. We were confident as we worked through this that we would be able to protect the data.”

Archuleta has barely backed off that stance. She repeatedly told the House Oversight and Government Reform Committee two weeks ago that she couldn’t say if any non-personnel information was lost in the 2014 hack. Her answers under oath in front of the Oversight Committee two weeks ago left Republicans and even some Democrats convinced she either knows exceptionally little about the state of her agency’s cyber-security or she’s comfortable lying about it, insisting that breaches aren’t really breaches and that obviously insecure systems are secure.

Read more at: http://www.nationalreview.com/article/4 ... government
Statesman
 
Posts: 11324
Joined: 15 Aug 2000, 8:59 am

Post 30 Jun 2015, 5:43 am

Fate
2. Why, o why, do we have partisan hacks in charge of anything sensitive

Pretty much forever.
Washington started the patronage system by appointing friends and cronies. Jackson perfected it and turned the US bureaucracy into a "clientele system" (according to Fukuyama: Political Order and Political Decay).
Although the move to create a truly independent and professional bureaucracy began about the turn of the last century, there are far more political appointments in the US federal and State government systems than in many other democratic nations. And municipal politics is often still clientelism.
Which contributes to the mistrust of government and the inefficiency of governance.
So is your complaint about the system? Or is your complaint that this hack isn't your party's hack?

Of course the whole article you quote offers a false dichotomy. Vulnerabilities in cyber security were not a result of any program of diversity in the work force. Not directly or indirectly because diversity programs somehow diverted resources.... There is no link except in the author's mind.

Government agencies in countries around the world have the same or similar vulnerabilities.
And many of these security vulnerabilities remain not because of effort, or money or management. But simply, in some cases, because the knowledge to increase security has not yet been acquired or developed. You can't always force inspiration or creativity.

As for her posturing:
Her answers under oath in front of the Oversight Committee two weeks ago left Republicans and even some Democrats convinced she either knows exceptionally little about the state of her agency’s cyber-security or she’s comfortable lying about it, insisting that breaches aren’t really breaches and that obviously insecure systems are secure.

If there are security vulnerabilities is she supposed to broadcast them in a committee meeting? Wouldn't that be irresponsible and an invitation to more hackers?
Ambassador
 
Posts: 21062
Joined: 15 Jun 2002, 6:53 am

Post 30 Jun 2015, 11:34 am

rickyp wrote:Of course the whole article you quote offers a false dichotomy. Vulnerabilities in cyber security were not a result of any program of diversity in the work force. Not directly or indirectly because diversity programs somehow diverted resources.... There is no link except in the author's mind.


No, no, no.

She knew there were problems:

Slate has noted that OPM knew as early as 2013 that “sensitive data was not secured” and “security measures were not even tested to make sure they worked.” Worse yet, the agency “was unsure even of how to fix these problems,” and hadn’t fixed them as recently as this past April, years after the system had been repeatedly breached.


What kind of manager just ignores this?

As for her posturing:
Her answers under oath in front of the Oversight Committee two weeks ago left Republicans and even some Democrats convinced she either knows exceptionally little about the state of her agency’s cyber-security or she’s comfortable lying about it, insisting that breaches aren’t really breaches and that obviously insecure systems are secure.

If there are security vulnerabilities is she supposed to broadcast them in a committee meeting? Wouldn't that be irresponsible and an invitation to more hackers?


What is irresponsible is to be the repeated target of hackers and do nothing about it.
Ambassador
 
Posts: 21062
Joined: 15 Jun 2002, 6:53 am

Post 30 Jun 2015, 11:35 am

Of course, the bigger issue is this: what constitutes an act of war when it comes to cyber crime?
Administrator
 
Posts: 7463
Joined: 26 Jun 2000, 1:13 pm

Post 30 Jun 2015, 12:22 pm

Doctor Fate wrote:Of course, the bigger issue is this: what constitutes an act of war when it comes to cyber crime?


https://www.law.cornell.edu/uscode/text/18/2331
Statesman
 
Posts: 11324
Joined: 15 Aug 2000, 8:59 am

Post 30 Jun 2015, 12:38 pm

fate
What is irresponsible is to be the repeated target of hackers and do nothing about it.


Your information doesn't say she did nothing about it. It says the problem hasn't been fixed.
Those are two different things.
And it does refer to the diversity program as if that was the reason that the security issues weren't fixed...
Red Herring. But it's nice to find a way to fault minorities eh?

Fault her for not fixing the problems. Sure. But not trying? Facts not in evidence.
You will inevitably be faulting most managers because security on the Internet is a moving target. As quickly as security is built, some random genius, or a hired gun in China, is finding a way to break it down.
Ambassador
 
Posts: 21062
Joined: 15 Jun 2002, 6:53 am

Post 30 Jun 2015, 3:12 pm

rickyp wrote:fate
What is irresponsible is to be the repeated target of hackers and do nothing about it.


Your information doesn't say she did nothing about it. It says the problem hasn't been fixed.
Those are two different things.


They might be different. Feel free to prove that they took some measures which seemed adequate, but fell short.

And it does refer to the diversity program as if that was the reason that the security issues weren't fixed...
Red Herring. But it's nice to find a way to fault minorities eh?


Talk about a red herring! Oy!

Minorities were not "faulted." It's just odd to boast about diversity and fail to attend to the heart of your mission.

Fault her for not fixing the problems. Sure. But not trying? Facts not in evidence.


Feel free to provide any. She's certainly done a "fine" job:

WASHINGTON (AP) — The independent watchdog for the federal personnel agency that recently suffered one of the worst cyberbreaches in U.S. history says the data could have been encrypted to make it harder to steal.
Photo - Katherine Archuleta, director, Office of Personnel Management, testifies before the Senate Appropriations subcommittee on Financial Services and General Government hearing to review IT spending and data security at the OPM in Washington, Tuesday, June 23, 2015. (AP Photo/Cliff Owen)

Patrick McFarland, inspector general for the Office of Personnel Management, directly challenges the agency director in written testimony to be delivered Wednesday to a House oversight committee.

The director, Katherine Archuleta, told the committee last week that many of the agency's systems were too old to support encryption, a way of putting data in code.

But McFarland testifies that some of the systems involved in the data breach were modern, so encryption could have been used.


You will inevitably be faulting most managers because security on the Internet is a moving target. As quickly as security is built, some random genius, or a hired gun in China, is finding a way to break it down.


Encryption is just too much to ask, I guess. :no:
Ambassador
 
Posts: 21062
Joined: 15 Jun 2002, 6:53 am

Post 30 Jun 2015, 3:14 pm

bbauska wrote:
Doctor Fate wrote:Of course, the bigger issue is this: what constitutes an act of war when it comes to cyber crime?


https://www.law.cornell.edu/uscode/text/18/2331


I don't understand your point. I see definitions, but nothing relating to cyber. Is there nothing a country could do cyber-wise that would constitute an act of war?
Administrator
 
Posts: 7463
Joined: 26 Jun 2000, 1:13 pm

Post 30 Jun 2015, 3:35 pm

Doctor Fate wrote:
bbauska wrote:
Doctor Fate wrote:Of course, the bigger issue is this: what constitutes an act of war when it comes to cyber crime?


https://www.law.cornell.edu/uscode/text/18/2331


I don't understand your point. I see definitions, but nothing relating to cyber. Is there nothing a country could do cyber-wise that would constitute an act of war?


The point is there is no definition of a cyber attack. An act of war is noted there. International terrorism is closer to the act.
Statesman
 
Posts: 11324
Joined: 15 Aug 2000, 8:59 am

Post 01 Jul 2015, 8:47 am

fate
Feel free to prove that they took some measures which seemed adequate, but fell short


Feel free to prove that she didn't bother to have the department's IT people work on improving security.
As usual all you offer in your source is innuendo and insinuations.

Fate
It's just odd to boast about diversity and fail to attend to the heart of your mission

Because a large department with thousands of employees can have a number of targets?
It's not odd to boast about the accomplishment and minimize the failures. That is usual organizational behavior. In private and public organizations.

Fate
Encryption is just too much to ask, I guess

You throw out the word with no apparent understanding of it.
Security problems on websites are largely because hackers can decrypt every new iteration of encryption.
Here:
http://www.howtogeek.com/182425/5-serio ... n-the-web/

And here:

Among symmetric key encryption algorithms, only the one-time pad can be proven to be secure against any adversary – no matter how much computing power is available. However, there is no public-key scheme with this property, since all public-key schemes are susceptible to a "brute-force key search attack". Such attacks are impractical if the amount of computation needed to succeed – termed the "work factor" by Claude Shannon – is out of reach of all potential attackers. In many cases, the work factor can be increased by simply choosing a longer key. But other algorithms may have much lower work factors, making resistance to a brute-force attack irrelevant. Some special and specific algorithms have been developed to aid in attacking some public key encryption algorithms – both RSA and ElGamal encryption have known attacks that are much faster than the brute-force approach. These factors have changed dramatically in recent decades, both with the decreasing cost of computing power and with new mathematical discoveries.

Aside from the resistance to attack of a particular key pair, the security of the certification hierarchy must be considered when deploying public key systems. Some certificate authority – usually a purpose-built program running on a server computer – vouches for the identities assigned to specific private keys by producing a digital certificate. Public key digital certificates are typically valid for several years at a time, so the associated private keys must be held securely over that time. When a private key used for certificate creation higher in the PKI server hierarchy is compromised, or accidentally disclosed, then a "man-in-the-middle attack" is possible, making any subordinate certificate wholly insecure.

Major weaknesses have been found for several formerly promising asymmetric key algorithms. The 'knapsack packing' algorithm was found to be insecure after the development of a new attack. Recently, some attacks based on careful measurements of the exact amount of time it takes known hardware to encrypt plain text have been used to simplify the search for likely decryption keys (see "side channel attack"). Thus, mere use of asymmetric key algorithms does not ensure security. A great deal of active research is currently underway to both discover, and to protect against, new attack algorithms.

Another potential security vulnerability in using asymmetric keys is the possibility of a "man-in-the-middle" attack, in which the communication of public keys is intercepted by a third party (the "man in the middle") and then modified to provide different public keys instead. Encrypted messages and responses must also be intercepted, decrypted, and re-encrypted by the attacker using the correct public keys for different communication segments, in all instances, so as to avoid suspicion. This attack may seem to be difficult to implement in practice, but it is not impossible when using insecure media (e.g., public networks, such as the Internet or wireless forms of communications) – for example, a malicious staff member at Alice or Bob's Internet Service Provider (ISP) might find it quite easy to carry out. In the earlier postal analogy, Alice would have to have a way to make sure that the lock on the returned packet really belongs to Bob before she removes her lock and sends the packet back. Otherwise, the lock could have been put on the packet by a corrupt postal worker pretending to be Bob, so as to fool Alice.

One approach to prevent such attacks involves the use of a certificate authority, a trusted third party responsible for verifying the identity of a user of the system. This authority issues a tamper-resistant, non-spoofable digital certificate for the participants. Such certificates are signed data blocks stating that this public key belongs to that person, company, or other entity. This approach also has its weaknesses – for example, the certificate authority issuing the certificate must be trusted to have properly checked the identity of the key-holder, must ensure the correctness of the public key when it issues a certificate, and must have made arrangements with all participants to check all their certificates before protected communications can begin. Web browsers, for instance, are supplied with a long list of "self-signed identity certificates" from PKI providers – these are used to check the bona fides of the certificate authority and then, in a second step, the certificates of potential communicators. An attacker who could subvert any single one of those certificate authorities into issuing a certificate for a bogus public key could then mount a "man-in-the-middle" attack as easily as if the certificate scheme were not used at all. Despite its theoretical and potential problems, this approach is widely used. Examples include SSL and its successor, TLS, which are commonly used to provide security for web browsers, for example, so that they might be used to securely send credit card details to an online store.


http://www.howtogeek.com/182425/5-serio ... n-the-web/

It's a big problem Fate. With no final solution. Only constant evolutionary change to combat constant predatory behavior.
There's no evidence that this department is all that much worse than many other government and private sites.
Ambassador
 
Posts: 21062
Joined: 15 Jun 2002, 6:53 am

Post 01 Jul 2015, 9:59 am

bbauska wrote:The point is there is no definition of a cyber attack. An act of war is noted there. International terrorism is closer to the act.


So, if another country decimated our infrastructure (power grid, etc.) with cyber attacks, we would have no right to retaliate? Is that your position?
Administrator
 
Posts: 7463
Joined: 26 Jun 2000, 1:13 pm

Post 01 Jul 2015, 10:22 am

Doctor Fate wrote:
bbauska wrote:The point is there is no definition of a cyber attack. An act of war is noted there. International terrorism is closer to the act.


So, if another country decimated our infrastructure (power grid, etc.) with cyber attacks, we would have no right to retaliate? Is that your position?


No. That is not my position. I am all for retaliation. Even to a greater scale! I follow the Teddy Roosevelt school of thought when it comes to Diplomacy. (Sidebar: Probably why many are better at the game Diplomacy than I am)

However, the definition provided is what it is. I believe we can retaliate for International Terrorism... and we should.
Ambassador
 
Posts: 21062
Joined: 15 Jun 2002, 6:53 am

Post 01 Jul 2015, 10:22 am

rickyp wrote:fate
Feel free to prove that they took some measures which seemed adequate, but fell short


Feel free to prove that she didn't bother to have the department's IT people work on improving security.
As usual all you offer in your source is innuendo and insinuations.


Not at all. She was in Congress testifying because of the hacks. She offered excuses, but no actual actions that she had taken.

Fate
It's just odd to boast about diversity and fail to attend to the heart of your mission

Because a large department with thousands of employees can have a number of targets?
It's not odd to boast about the accomplishment and minimize the failures. That is usual organizational behavior. In private and public organizations.


You can go out on the street corner and hire diversity. The issue is performance. I don't really care if they're all green--do they get the job done?

Clearly, the answer is "No."

Fate
Encryption is just too much to ask, I guess

You throw out the word with no apparent understanding of it.


Hey foolio, they actually had an expert testify it could have been done.

Can hackers, possibly, defeat it? Yes. However, failing to encrypt just made it easier.

It's a big problem Fate. With no final solution. Only constant evolutionary change to combat constant predatory behavior.
There's no evidence that this department is all that much worse than many other government and private sites.


There's a ton of evidence this department failed to secure its data--and that this is a big deal. Millions of sensitive profiles are now in the hands of unfriendly folks, most likely the Chinese. Archuleta's testimony gave no one confidence that she knows what she is doing, what is wrong, or how to fix it.
Ambassador
 
Posts: 21062
Joined: 15 Jun 2002, 6:53 am

Post 10 Jul 2015, 3:13 pm

Archuleta resigned today.

Problem solved. :no: