Most of us presume that official intelligence agencies run with deep paranoia, rarified sophistication, and beyond the control of laws that apply to the public at large. Their target is to harvest warnings of enemy penetrations of our security and to discover our enemies’ capabilities and activities. We cannot be sure how well they perform because official intelligence agencies sparingly share information on their victories, tactics, and failures. Their reluctance to share is rooted in the realistic fear that covert methods and sources might be revealed to enemies, thereby putting assets at risk.
There are chilling recent examples of enemy penetrations. In heavy duty routers used to connect Internet backbones, FireEye found unauthorized traffic monitoring software in India, Mexico, Philippines and Ukraine. Internet traffic passing through these nodes (e.g. in-country traffic or traffic between China and Australia, or between Singapore and Rome) is subject to monitoring. Cisco says the implants are so close to the core that the routers’ operating system will need a complete replacement.
The malware’s sophistication points to a nation state as the culprit. The backbone router security holes are outside the normal protection of firewalls. Although data passing through may be encrypted, nation-state actors can crack many forms of encryption. It seems that a network administrator credential played a role in the attack. If they know, our intelligence agencies are not commenting on the identity of the culprits, how the attacks were orchestrated, and how long Internet traffic has been exposed.
The cyber-theft of 4.2 million Office of Personnel Management (OPM) records may be a long-term blow to our security, because the database contained security clearance details for millions of Americans. Clearance details are more effective for blackmail, and more likely to “burn” a covert asset than are mundane job applicant and employee records. Such a trove of security clearance information (especially details for candidates with skills attuned to the Middle East and China) would be of high value to our enemies.
Classified information on nation-state database attackers from our covert intelligence agencies would likely have been no help to OPM because the attackers used social engineering to acquire valid database credentials for use in their attack. Some of the attackers held Chinese passports, although passports can be forged. Better training on how to detect and resist social engineering might have helped. Shrinking the pool of people with access to the whole database might help even more.
Millions of people who registered on the Ashley Madison cheating website were outed by hackers. In the public list, there were hundreds of US government employees, including senior employees in the departments of State, Defense, Justice, Homeland Security and in the Congress and the While House. The website is scummy and the hackers who hacked it are criminals, but the important damage flows from the highly-placed government employees who decided to risk national security for a hot date.
These employees should be smart enough to recognize they exposed themselves to blackmail, putting US security at risk. If that understanding eluded them, they were incompetent. If they were aware of it, they willfully jeopardized the safety of the American public. In either case, they must be removed.
To protect the nation, these cheaters must go through aggressive debriefings to discover past and potentially future blackmail damages they exposed us to. After the damages are identified, they should face criminal prosecution for the damages and then for the picayune stuff – theft of paid time and misuse of government equipment and networks.
Government employee unions must not be permitted to interfere in the criminal prosecution nor in separating cheaters from the workforce. This process must be focused on eradicating security exposures, not coddling criminal cheaters.
The security failure in the backbone routers had its root in the misuse of a network administrator credential. The OPM database attack was made possible by someone falling for a social engineering ploy. The Ashley Madison attack exposed a massive crew of government workers who voluntarily lined up for blackmail. Human failures like these can quickly overpower our strongest advances in defensive software and hardware. No wonder the intelligence agencies hate to share information.