The OPM breach affected over 7 percent of the U.S. population, making it the largest and worst known breach of its kind against virtually all members of our extended national security community. The content and volume of personal information that was exposed is inexcusable, and while offering “identity protection” may satisfy some, this was not a theft of credit card data at the point of sale — it was the theft of information about members of our national security community and as such it requires a different kind of response. An appropriate response would be one that shows an appreciation of what happened, to whom, by whom and what our adversaries will likely do next. Our response needs to help protect that community and their families from additional collection, not rely on asking humans to not make human errors. As a victim myself, and an employer to those affected, I am determined to get the message out that more needs to be done. To that end, I recently had the opportunity to participate in a panel during CyberMaryland 2016 to address this very issue.
Joined by fellow industry thought leaders, Bree Fowler, Associated Press, Brig Gen (Ret) Guy Walsh, U.S. Cyber Command, and Will Ackerly, CTO, Virtru, we took a realistic look at how serious this breach truly is. Unfortunately, we must now assume our adversaries know who we are and are positioned to take advantage of that knowledge to further collect, manipulate, and disrupt us.
This looming and unprecedented in scope threat to our national security community means we can’t simply rely on the protection of a traditional security perimeter at the place of employment. The affected employees and family members have almost without exception, fully exposed cyber access points from which our adversaries can now focus on to know more about them, disrupt their lives and the lives of those around them. An immediate and cost effective step toward expanding the security perimeter into this personal cyber realm would be securing the most likely follow-up attack vector which remains wide open: the vulnerable Internet browser on personal computers. During our CyberMaryland discussion, the panelists shared many ideas on what else the government can do. We have to remember that the OPM hackers have far more damaging data than just credit card numbers and did not steal that data to steal money from us.
Identity protection is not the solution. Highly targeted attacks towards victims in our community must be anticipated and proper defenses need to be deployed.
As a technology provider we understand the nuances that go on behind the scenes that can make it difficult for new security practices to be adopted and implemented. It was encouraging to hear the other panelists talk about the importance of designing solutions that are not only easy to implement, but are not seen as a burden by employees that have to actually put them into practice. Along these lines the use of secure, virtual browsers like Passages was discussed as one of the quickest and easiest ways to help protect victims from future targeted attacks.
To hear more unique perspectives and thoughts on dealing with the ramifications of the OPM breach, check out the full panel discussion podcast here: They Know Who You Are: Enhancing National Security in the Wake of the OPM Breach.