Breach shows government can’t protect data. But FBI wants to abolish encryption anyway.

By now, everyone has heard that the US government was “hacked” by Chinese hackers who may or may not have been affiliated with the Chinese government.   President Obama wasted little time in stirring up the hornet’s nest by pointing the finger at the Chinese premier and demanding that China take responsibility for the breach.  The Chinese premier in turn, pointed the finger back at Obama and essentially told him that his accusations were baseless — and not leave the barn doors open next time.

While the story makes for entertaining geopolitical drama,  corporate security professionals  behind the scenes are shaking their heads at the misplaced blame:  The fault of course is ultimately ours and ours alone.

Security breaches are in 99.9% of cases the fault of the server operators.  The exception being those ultra-rare cases like “Heartbleed”, where a long-undiscovered hole is found to exist in a standard piece of server software.  In the world of online security, one seldom blames the thief as much as one blames the guards.

The Internet will forever be a bad neighborhood full of bad people trying to get your data.   With that having been said, the identity of the hackers is a distant second question to how could we have let this happen?  And that question in turn, is a distant second to the really important question:

Was the government storing unencrypted data?

Storing sensitive data in an unencrypted format isn’t just a big no-no in the security world, it’s patently stupid.  So the question of whether or not the data on the government servers was encrypted is a huge one.

Bloomberg reports:

OPM officials declined to comment on whether the data affected in this incident was encrypted or had sensitive details masked.

Cough. We’re going to read between the lines here and assume that no, the data was not encrypted.  We can’t think of a too many reasons the government would refuse to respond with any good news if they had it.   If the data indeed wasn’t encrypted, this fiasco isn’t just about a lapse in security.  It’s another confirmation that the government is not only incapable of safeguarding data, but the government isn’t even capable of the most basic precautions that even amateur website owners follow.  There may be a very embarrassing revelation on the horizon, if the American people are ever told the truth about whether or not the stolen data was stored unencrypted.

But here’s the irony:

The same government that can’t safeguard their own data, wants to safeguard the keys to everyone’s data

Making the situation particularly surreal is that the same week the OPM sheepishly announced that Chinese hackers had absconded with the private data of millions of government employees,  the FBI was lecturing America about the dangers of encryption, and the necessity of preventing individuals from protecting their own data.

What fourth amendment?

What fourth amendment?

The Guardian reports:

The FBI has again waded into the debate around encryption, with the bureau’s assistant director of counterterrorism telling the US congress that tech companies should “prevent encryption above all else”.

Michael Steinbach, speaking at a hearing before the House Homeland Security Committee, explained how the the FBI uses technology to track and intercept supporters of Isis in the Middle East and elsewhere.

“When a company, a communications company or a ISP or social media company elects to build in its software encryption, end-to-end encryption, and leaves no ability for even the company to access that, we don’t have the means by which to see the content”, he added.

“When we intercept it, we intercept encrypted communications. So that’s the challenge: working with those companies to build technological solutions to prevent encryption above all else.

Dear Congress,   We get that you can’t read our encrypted stuff.   We like it like that.  It also means that the Chinese hackers that will steal the data can’t read it either.    After all, who’s going to protect us?   You?

Steinbach’s comments echo those of his boss, FBI director James Comey, who in March asked Congress to pass a law that would force tech firms to create a backdoor in any tool that uses encryption.

“Tech execs say privacy should be the paramount virtue,” Comey said then, “When I hear that I close my eyes and say try to image what the world looks like where paedophiles can’t be seen, kidnapper can’t be seen, drug dealers can’t be seen.”

“To have a zone of privacy that’s outside the reach of law is very concerning,” Comey added.

First off, if the government has a set of “master keys”, then the hackers will shortly thereafter have a set of master keys.  At which point we’ll have no protection whatsoever.  We have already proven multiple times over that the government can’t protect data.

Somewhat more alarming however is Comey’s last statement:  “To have a zone of privacy that’s outside the reach of the law is very concerning“.

Actually Mr. Comey, it’s very concerning to all Americans that you actually think that.   That so-called concerning level of privacy  happens to be protected by our Constitution, and is a cornerstone of our civil liberties.  And the decision to violate it has not been granted to you, by us.

But here’s where the whole “master key”/backdoor thing gets scary.

The biggest unanswered question is why did China steal the records of millions of government employees?   What’s in it for them?   This isn’t the standard data which can be used by hackers to raid bank accounts, brokerage accounts or retirement funds.    This isn’t your standard Russian mafia hack used to skim millions from poorly protected bank accounts.  This is much scarier:

China needs Spies.

The first step that foreign intelligence services need to take in order to acquire sensitive information is to determine “who has access to what data?“.   It’s safe to say that China now has that information.   This data breach can be seen as a logical first-step to myriad secondary data breaches that are now possible because China now knows, to put it succinctly, who knows what.

As Bloomberg notes:

The hackers accessed information about individuals who applied for or were granted security clearances. Such data often includes detailed interviews with friends and family members as well as information that could disqualify a candidate from receiving a clearance.

The data could be used to target individuals with access to sensitive information.

The OPM provides information on job candidates for agencies across the federal government, including whether those individuals are suitable for government employment, according to the OPM website.

In other words, we may have just witnessed the first step in the cultivation of thousands of new Chinese intelligence assets.   Now they not only know who knows what, but they may have access to employee records which contain, non-public, career-sensitive information which can be used as leverage over thousands of employees who in turn have access to the nation’s most precious secrets.

Sure seems like a bad time to create that master key for all the private information in the world.

 

 

 

  • MichaelB

    What’s scary is they probably *are* building those backdoors and master keys into their own systems that they do have control over.

    And they probably think they’re secure.

  • SecurityProfessional

    I’m glad we have security professionals in the private-sector that understand this issue 100x better than the dumbasses at the FBI: You can not protect a back-door! Once you create it, you have just made the entire system 100% insecure. It’s truly an all-or-nothing proposition.

    These FBI jackasses are ironically the biggest threat to our nation’s security!!!

  • BCkid

    Imagine if there was a “back door” into all kinds of encryption. There would be no more Bitcoin or cryptocurrencies. Oh wait… now I understand.

  • Digitalmoney need Encryption

    Backdoors = the end of cryptocurrencies. Don’t underestimate how hard they will push for this.

  • Declined to comment

    The government “declined to comment” on whether the data was being stored unencrypted? How obvious can you be? Fail.