The director of the Office of Personnel Management (OPM) is coming under heavy fire on Capitol Hill, with lawmakers on both sides of the aisle demanding that she step down for what could be the most devastating data breach in American history.
Director Katherine Archuleta has taken a beating in a series of tense congressional hearings. Lawmakers have accused her of shifting blame for the hack and moving too slowly to correct persistent security problems that were apparently exploited by China in a breathtaking siege of U.S. networks.
“The hurricane has come and gone and just now OPM is wanting to board up the windows,” said House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah), during a four-hour hearing Wednesday.
“Personal accountability is paramount,” added Chaffetz, who is leading a growing congressional chorus calling for Archuleta to be fired.
Archuleta at one point sparred with Rep. Stephen Lynch (D-Mass.) over who is at fault for the hack that has shaken the government.
“You also testified that no one is to blame, is that right?” Lynch asked.
“I believe the breach was caused by a very dedicated, a very focused actor who has spent much funds to get into our system,” Archuleta replied.
“I have worked since day one to improve …” she added before Lynch cut her off.
“Yeah I understand that,” he said. “You’re blaming the perpetrators.”
On the other side of the Capitol, Senate Majority Leader Mitch McConnell (R-Ky.) took to the Senate floor Wednesday to berate the agency head, though he stopped short of calling for her removal.
“Let’s be honest, this appears primarily to be a management problem,” he said, describing Archuleta’s testimony thus far as “world-class buck passing.”
For two weeks, OPM and Congress have clashed over the extent of the breach.
When officials first announced the OPM intrusion, they said 4.2 million federal workers had been affected.
But just over a week later, the agency officials said they had uncovered a second breach of a separate system that housed background check information for security clearances — the basis for limiting access to some of the nation’s most closely guarded secrets.
The second intrusion laid bare data on millions of military and intelligence community personnel and, potentially, people outside the government, such as friends and family members who were named in background investigations.
The second hack could have affected up to 18 million people, according to reports.
While the government will not say so publicly, it’s widely believed that Chinese hackers pilfered the data from both systems as part of a broader scheme to build a comprehensive database on U.S. government workers. The sensitive data accessed could be used to imitate officials, stage future cyberattacks, or even recruit informants or blackmail administrators.
Despite repeated inquiries during hearings and classified briefings for the House and Senate, lawmakers had complained that OPM was refusing to provide a specific number for the second breach, let alone provide details about exactly who was affected.
That started to change on Wednesday, with alarming results.
“It is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigation data,” Archuleta said before the Oversight Committee.
The estimate of 18 million people does not include friends and family members named in background checks, Archuleta cautioned, meaning the total could grow if the agency decides those people “should be considered individuals affected by this incident.”
Eighteen million “is a number I am not comfortable with at this time because it does not represent the total number of affected individuals,” she said.
During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.
But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.
Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”
He asked [Donna] Seymour pointedly about the legacy systems that had not been adequately protected or upgraded. Seymour replied that some of them were over 20 years old and written in COBOL, and they could not easily be upgraded or replaced. These systems would be difficult to update to include encryption or multi-factor authentication because of their aging code base, and they would require a full rewrite.
Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM’s systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnifies the problems the government faces in securing its networks, and OPM’s data breach may just be the biggest one that the government knows about to date.
I hear this everywhere. Virtually every doctor and doctors’ group I speak to cites the same litany, with particular bitterness about the EHR mandate. As another classmate wrote, “The introduction of the electronic medical record into our office has created so much more need for documentation that I can only see about three-quarters of the patients I could before, and has prompted me to seriously consider leaving for the first time.”
You may have zero sympathy for doctors, but think about the extraordinary loss to society — and maybe to you, one day — of driving away 40 years of irreplaceable clinical experience.
And for what? The newly elected Barack Obama told the nation in 2009 that “it just won’t save billions of dollars” — $77 billion a year, promised the administration — “and thousands of jobs, it will save lives.” He then threw a cool $27 billion at going paperless by 2015.
It’s 2015 and what have we achieved? The $27 billion is gone, of course. The $77 billion in savings became a joke. Indeed, reported the Health and Human Services inspector general in 2014, “EHR technology can make it easier to commit fraud,” as in Medicare fraud, the copy-and-paste function allowing the instant filling of vast data fields, facilitating billing inflation.
That’s just the beginning of the losses. Consider the myriad small practices that, facing ruinous transition costs in equipment, software, training and time, have closed shop, gone bankrupt or been swallowed by some larger entity.
This hardly stays the long arm of the health-care police, however. As of Jan. 1, 2015, if you haven’t gone electronic, your Medicare payments will be cut, by 1 percent this year, rising to 3 percent (potentially 5 percent) in subsequent years.
Then there is the toll on doctors’ time and patient care. One study in the American Journal of Emergency Medicine found that emergency-room doctors spend 43 percent of their time entering electronic records information, 28 percent with patients. Another study found that family-practice physicians spend on average 48 minutes a day just entering clinical data.
Forget the numbers. Think just of your own doctor’s visits, of how much less listening, examining, even eye contact goes on, given the need for scrolling, clicking and box checking.
Why did all this happen? Because liberals in a hurry refuse to trust the self-interested wisdom of individual practitioners, who were already adopting EHR on their own, but gradually, organically, as the technology became ripe and the costs tolerable. Instead, Washington picked a date out of a hat and decreed: Digital by 2015.
Fraudsters stole private information from the IRS on more than 100,000 taxpayers and used it to bilk the agency of tens of millions of dollars, Commissioner John Koskinen said Tuesday — though he insisted the breach didn’t affect most Americans.
The criminals gained access to the IRS through a new system called “Get Transcript,” which allows taxpayers to go online and get years’ worth of their own tax records. Mr. Koskinen said the perpetrators used information they already knew about taxpayers to fool the system into believing it was the taxpayer logging in, and then stole the transcripts with even more information.
In thousands of instances the criminals turned around and used that same information to file fraudulent returns, stealing potentially close to $50 million from the government.
“This is not a security breach. Our basic information is secure,” Mr. Koskinen insisted in a call with reporters to discuss the theft, which had gone on for months — dating back to February — but was only caught last week.
It’s the latest embarrassment for the tax agency, which has been dealing with reports of political targeting, wasteful spending and poor management that meant it paid out billions of dollars in bogus tax credit claims.
Verizon Buys AOL, Because Two Lumbering Dinosaurs Who Can’t Figure Out The Modern Internet Must Be Better Together
You might recall that last October, Verizon tried its hand at getting into the media business with the launch of a tech blog by the name of Sugarstring. The bizarre foray into media didn’t last long; editors quickly complained that Verizon was prohibiting them from talking about huge tech issues Verizon played a starring role in, ranging from net neutrality to domestic surveillance. After the media ridiculed the hell out of Verizon’s ham-fisted disregard of editorial firewalls (or just common sense), the website was quietly shuttered, with the telco saying it was just a “pilot project” it was moving on from.
So what is Verizon’s media plan 2.0 going to be? Apparently, it’s a little something called AOL. Verizon this morning announced that the company would be buying AOL for around $4.4 billion, stating that the acquisition would support the telco’s over-the-top video and Internet-of-Things ambitions (read: they wanted AOL’s ad empire):
“Verizon is a leader in mobile and OTT connected platforms, and the combination of Verizon and AOL creates a unique and scaled mobile and OTT media platform for creators, consumers and advertisers. The visions of Verizon and AOL are shared; the companies have existing successful partnerships, and we are excited to work with the team at Verizon to create the next generation of media through mobile and video.”
Nobody on Earth flubbed the dial-up to broadband era transition quite as spectacularly as AOL did, so being acquired by a telecom operator ten years too late isn’t without its irony. Equally ironic is Verizon suddenly acquiring 2.2 million new dial-up subscribers at a time when it’s desperately trying to back away from the fixed-line broadband business (how many DSL lines would $4.4 billion upgrade?). But AOL’s a very different company these days, and the acquisition makes sense as a mobile advertising play, even if it just feels weird to see the two companies snuggle up in bed together.
Apparently, current AOL CEO Tim Armstrong will remain in command under the freshly-acquired AOL, which will operate as an independent Verizon subsidiary. There’s no declaration of retained editorial independence anywhere, but that may not mean much. From a memo from Armstrong sent to all AOL employees this morning:
“The leadership at AOL is staying and I am staying – enthusiastically, and we made that part of the deal. We have the opportunity to build a unique and globally scaled media technology company with the scale and resources we need to make that happen. Verizon and AOL are very large partners today – in content, in ads, and in the technology. We know their team well and they know our team well. The cultures share very similar values and are both working on very similar ways to do good while doing well.”
Do those “values” and “doing good” include propping up Verizon’s role as one of the most vocal and obnoxious opponents of net neutrality on the Internet? Stay tuned. There’s some chatter that Verizon may want to spin off or sell off the content companies, just using the remaining ad empire to fuel the telco’s new wireless-focused Internet video subscription service expected to launch sometime later this year. If retained, you’d like to think Verizon will play it smart and not aggressively meddle in the daily dealings of websites like The Huffington Post, Engadget, or TechCrunch, but with the telco’s generation-long history of aggressively bad ideas (most recently a foray into undeletable super cookies), you just never know.
Perhaps, like me, you’ve never really understood the curious ban some airlines have had on mobile and electronic devices during flights, take-offs, and landings. Perhaps, like our Jefe, Mike Masnick, you’ve dismissed out of hand the requests from flight attendants that those devices be fully powered down, because you too are a rebel the likes of which this world is wholly unprepared for. And maybe you too cheered when the FAA summarily dismissed these silly rules way back in 2013, thinking that the madness of a few moments without our favorite devices had finally come to an end.
But then, as you may know, the Association of Flight Attendants sued the FAA in order to retain the ability to lord over your smartphones, tablets, and computers on flights. Notably, the AFA’s filing made essentially zero claims having anything to do with the safety of electronic devices on the flights. Instead, their argument centered on whether the power to decide whether flight attendants could treat passengers like children who hadn’t finished their vegetables resided with the FAA, or if the AFA should have some input.
Well, the court has ruled and has firmly told the AFA and flight attendants to go dangle.
In this case, it really does not matter whether Notice N8900.240 is viewed as a policy statement or an interpretive rule. The main point here is that the Notice is not a legislative rule carrying “the force and effect of law.” Perez, 135 S. Ct. at 1204. A legislative rule “modifies or adds to a legal norm based on the agency’s own authority” flowing from a congressional delegation to engage in supplementary lawmaking. Syncor, 127 F.3d at 95.
That’s court-speak for “nice try, now go away.” Of course the FAA can make changes to flight rules as it pleases and, when it comes to the use of devices whose ban has always been cast in the light of flight safety, an association for flight attendants ought to have about as much input as a doctor’s receptionist should have on medical policy. This tantrum of a suit, which is all it ever was, has been dismissed and we are finally free to play Angry Birds during takeoff. Free at last, free at last.
More seriously, it’s somewhat nice to see some aspect of security theater being done away with regarding anything to do with airplanes and flights. If we could just take this same tack with the rest of airport security, we’d be making a world of improvements.
Cable Industry Tries To Distance Itself From Decades Of Poor Service By Eliminating The Word ‘Cable’
Annoyance with the cable industry appears to have reached the tipping point, with consumers fed up with skyrocketing prices, inflexible programming options and some of the worst customer service in any U.S. industry. The cable industry’s ingenious solution? Stop using the word cable. Last week, the cable industry held its annual trade conference, previously dubbed “The Cable Show.” Trying to distance itself from the aging, negative associations with the word “cable,” the industry has decided to rename the conference The Internet & Television Expo.
Former FCC boss turned top lobbyist Michael Powell “hates” the word cable and wanted to turn the page on the word’s negative connotations:
“I hate the name,” Michael Powell, president of NCTA, the cable industry’s trade group, said Tuesday. “It doesn’t fairly capture what they do.”…This year’s trade show was renamed to “be more centered around its future as it’s associated with the Internet,” Powell said on stage at the conference. The term “cable company,” he said, “has a proud history, but it needs to be retired.”
Of course when your entire business revolves around using coaxial cable to deliver Internet and television service, deciding to drop the word in the hopes of forcing a brand refresh might be an uphill climb. Most attendees of the show couldn’t remember the new name, and just wound up calling the conference by the old name for simplicity’s sake:
“It’s called Internet something something something, right?” said Chris Gagliano, who works at Anvato Inc., which provides online video software. “I don’t even know what it stands for.” Most people preferred to call it the “cable show,” even if that’s not the name anymore. “I’ll probably call it that forever,” said Brian Hanrahan, a regional sales manager at Optelian, which helps build broadband networks. “Until everyone else starts calling it ‘INTX,’ I’m going to call it the cable show.”
Clearly, it’s going to take a lot more than a simple word change to erase memories of waiting days for the cable man or spending four hours trying to get an answer from Comcast’s Kafkaesque phone support system. Atrocious customer service certainly isn’t the word “cable’s” fault. It’s thanks to a lack of competition and the resulting apathy, which by proxy results in skimping on subcontractor and support quality. Eliminating the word cable in the hopes of fixing this industry chain of dysfunction is kind of like trying to put out a forest fire by proudly proclaiming it’s a walnut — it’s just not going to get to the root of the problem.
What Indiana’s governor and his supporters describe as a defense of any given individual’s religious convictions, detractors roundly decry as blatant discrimination against the LGBT community. Possibly the best explanation of Indiana’s Religious Freedom Restoration Act (RFRA) rendered down to two sentences would be that reported by CBS News on March 30, 2015: “Supporters say it protects a person or business owner from government persecution when following their religious beliefs. But opponents say the measure gives businesses a free pass to refuse gay and lesbian customers on religious grounds.”
Despite the Hoosier State’s Governor Mike Pence stressing that the new law wouldn’t legalize discrimination against certain individuals or groups, but instead would protect the religious convictions of service providers such as pro-life pharmacists forced to sell abortifacients (abortion-inducing drugs), a number of high profile pro-LGBT advocates have slammed Pence and the Indiana legislature. One of the more prominent would be Apple CEO Tim Cook, who the Gawker.com news portal tagged in 2011 as “The Most Powerful Gay Man in America.”
As reported by CBS, Cook took to the editorial pages of The Washington Post to slam the RFRA, as he believes it “goes against the very principles our nation was founded on.” Not done yet, Cook also opined, “On behalf of Apple, I’m standing up to oppose this new wave of legislation wherever it emerges. I’m writing in the hopes that many more will join this movement.”
However, Cook made no mention of Apple Inc. expanding to the Kingdom of Saudi Arabia last year. As reported by Arabian Business on Dec. 20, 2014, Apple opened two new stores in Riyadh and Al Khobar. According to Apple’s official website, the corporation has well over 14 retail stores within the Kingdom, as well as numerous other stores across the length and breadth of the Muslim World. A number of the same Muslim-majority nations also adhere to Islamic Shari’a law, which clearly states homosexuality to be illegal.
The Kingdom of Saudi Arabia takes it a bit further. Saudi Arabia executes homosexuals. Publicly executing homosexuals isn’t the only Shari’a compliant move taken in the oil rich nation. Sheikh Abdul Aziz bin Abdullah, the powerful Grand Mufti of Saudi Arabia, declared in 2012 that it is “necessary to destroy all the [Christian] churches of the region.” Not finished with calling for the death of homosexuals or bulldozing churches, the Sheikh also gave the official thumbs-up for 10-year-old girls to be married off against their will.
Rep. Jason Chaffetz (R-Utah) said Wednesday that it’s possible the Secret Service erased surveillance tapes of two supposedly intoxicated agents driving a vehicle through an active bomb-scene investigation site.
Speaking to CNN and CBS News, the House Oversight Committee chairman said the revelation was made known to several lawmakers during a closed-doors meeting with Secret Service Director Joe Clancy.
“We inquired if there were additional tapes and angles and the director informed us that there may not be because it’s their policy to erase them 72 hours after they record, which is just unfathomable,” Chaffetz told CNN. “I can’t think of any good reason to do that.”
“This is not your local 7-11. This is the White House,” he added.
The Republican lawmaker told CBS News that the news left the entire room in astonishment.
“I don’t think anyone in that room could believe it,” Chaffetz said. “That’s just a stunning revelation that 72 hours after they make a tape they destroy it? That doesn’t make any sense to us.”
Chaffetz also questioned why some tapes would be destroyed, when others were preserved.
“If it’s regular policy to destroy them after 72 hours, why did they have two of the tapes, and where are the rest of the tapes? And so far the Secret Service has not been able to answer the question,” he told CBS News.
The two senior agents — including Mark Connolly, the No. 2 on Obama’s security detail — had been with other agents drinking at a bar last week when they returned to the White House in a government car, a U.S. official said. The vehicle entered an area already closed off by the Secret Service, who were investigating a suspicious package and had put the White House on lockdown. Officers on the scene saw the agents’ car, traveling slowly, make contact with a barrier, the official said.