Bureaucratic Denial of Service and the OPM Breach

OPM Letter

Millions of American citizens received letters over the last two months of 2015 advising them that the US Office of Personnel Management (OPM) had experienced a data breach. Although the US Government discovered the breach in June, it took nearly 6 months for the letters to be delivered. The letter warned of the risk of identity theft, since the stolen data included the social security numbers of everyone in the government employee’s or contractor’s family. An offer of two years of credit monitoring for everyone affected softened the blow.

Most experts’ concern centers on applicants for Top Secret or Sensitive Compartmented Information (SCI) access, commonly referred to as clearances. The information disclosed during these background investigations is extensive. Having lived in several cities for more than a month each means the investigators find five people in each place who can attest that you were there, and interview them about whether you did anything suspect or abnormal. Since 9/11, the rigor of the process for classified information access has easily doubled. Additionally, anything an individual participated in or did that was outside the legal norm, including drug use, infidelity, hate groups or police charges, was fair game. Candidates who underwent polygraphs for SCI access listed all of this and more, for fear that anything left out might trip them up; they did not want anything unknown surfacing in the adjudication process.

The part that was most troubling to this privacy and security professional had nothing to do with identity theft or blackmail. The letter included details of the breach, most interestingly concerning the fingerprint information: “Our records also indicate your fingerprints were likely compromised during the cyber intrusion. Federal experts believe the ability to misuse fingerprint data is currently limited.” Let me offer an application of this information.

People who work for our nation’s government contractors, the people who make the things that go boom, deliver the things that go boom, or support the things that go boom, even in cyberspace, or who work in any other part of the military and intelligence agencies, get cleared. They work on the most sensitive projects, from the Manhattan Project to stealth aircraft technology. Uncle Sam wants to trust these folks and vets them extensively. America cannot have that information, or those people, leave the country for the service of another. That is called spying or treason.

Let me propose a scenario. What happens when a company wins the support contract for the NSA? It places individuals on site and augments the workforce. What about the NSA staff themselves? They were vetted before being granted access to any classified information. Unless they were hired within the last 6 months, their fingerprints are on file. Who watches CSI, NCIS, Law and Order, or any of the other cop shows? A fingerprint is enough to hold someone for questioning.

Denial of Service is straightforward to understand: make more requests for “technical” resources than there are available. A Distributed Denial of Service uses a lot of technical resources, typically a botnet, or hordes of hacked computers. An Economic Denial of Service in a cloud environment requests more computing power than the company providing the service can afford to pay for. Think of it as an anti-competitive technique: if a startup has an interesting idea and you have a competing interest, cripple it out of business and take its market share. There are not many documented cases of this in the US; it might be considered for prosecution under the RICO Act.

Why would anyone do all of this? I’d like to propose a Bureaucratic Denial of Service: use leaked fingerprint data to place people under suspicion and tie up the bureaucracy around them. Perhaps to disgrace a competitor in another country, Boeing v. Airbus for instance, when all of its key design engineers suddenly find themselves under suspicion of capital crimes near a proposal due date. Or as an advance attack, distracting or overwhelming the IT staff of an intelligence agency before the real work occurs.

How would such a situation be protected against? If the adversary abided by the low and slow mantra and placed only one individual in a specific geographic region under suspicion, would it even be detected before it was too late? Corporate contractor policies forbid proposal and implementation teams working on high-priced contracts from taking the same flight, for fear of losing a billion dollars in revenue. How would you protect staff from legal proceedings? Offer legal services, similar to credit monitoring? Keep Johnnie Cochran on retainer for each and every employee’s lapse in judgment, just in case? As technology evolves and the specialists become even more skilled, will the talent pool for an attack of this nature be small enough that the litigation would even be noticed as anomalous?
