The gargantuan scale of the Office of Personnel Management (OPM) hack, initially thought to have affected 4 million current and former US government workers, has now ballooned to over 9 million. The White House announced on Friday that the same group of hackers were responsible for a second infiltration on a different section of the agency’s network. These files are said to include a database filled with Standard Form 86s—a security clearance questionnaire given to prospective government employees. In addition to applicant details, these forms also include extensive information on non-government workers including close acquaintances, friends and family. This has drastically inflated the number of people affected by the breach and has helped fuel the mounting pressure from the media on the Obama administration to ‘retaliate’.
Congress began the cross-examination of senior OPM officials before the House Oversight Committee this morning. When Chairman Jason Chaffetz asked why the sensitive data on OPM’s networks wasn’t encrypted, Director Katherine Archuleta explained that ‘it is not feasible to implement on networks that are too old’. Apparently OPM is now working to rectify the encryption issue, but according to Dr Andy Ozment—Assistant Secretary for Cybersecurity at the Department of Homeland Security—even encryption wouldn’t have saved OPM. He explained to the committee that the intruders had stolen valid user credentials, probably via social engineering, and this, combined with the fact that OPM had failed to implement multifactor authentication, gave the attackers easy access.
Proving that no one is completely secure in cyberspace, computer security giant Kaspersky Labs last week disclosed that it recently fell victim to an internal network compromise. The company believes the intruders were seeking commercial information, probably connected to the development of its new technologies, but is confident it caught the intrusion in its initial stages. The malware used in the attack was distributed via Microsoft Software Installer files and didn’t write any files to disk ‘but instead resided in affected computers’ memory, making it relatively hard to detect.’ The infiltration attempt also utilised three zero-day exploits—an impressive number considering the significant price a single exploit can garner on the black market.
Switching focus to cyber diplomacy, the Chinese government has been busy in Africa and Southeast Asia. China’s Industry and Information Technology Minister Miao Wei travelled to South Africa to meet with Telecommunications and Postal Services Minister Dr Siyabonga Cwele. The two signed a ‘Plan of Action’ designed to help expand the country’s connectivity via technology, skills and knowledge exchange. It was reported that the agreement also covered everything from cyber security to e-government and, intriguingly, internet governance.
Back in Beijing, the Cyberspace Administration of China (CAC) met with Indonesia’s new National Desk for Information Resilience & Cyber Security (DK2ICN). The meeting sought to explore ways the two countries could build bilateral cyber cooperation, and highlighted the newly-established China–Southeast Asia Data Centre as a potential space for bilateral cooperation.
The Office of General Counsel at the US Department of Defense has released its latest edition of the Law of War Manual. The manual acts as a guide for military and defence officials on customary and treaty law of war, with the last comprehensive manual published in 1956. This edition of the weighty publication (1,180 single-spaced pages) includes a chapter on cyber operations. Helpful definitions as to what might constitute a cyber operation, when a cyber attack could constitute a use of force, and what a proportional response might look like in response to such an incident are included in the chapter.