The shock of the massive OPM breach led to numerous discussions on cyber protections, and in the final legislative week of the year, the US Congress is poised to pass legislation to incentivize private sector cyber threat information sharing.
After Edward Snowden’s leaks of the National Security Agency’s (NSA) collaboration with US technology companies to carry out massive spying, privacy advocates and technology companies fought back against the push for information sharing mandates that would give US law enforcement new access to private users’ data.
"The massive and prolonged hacking of employee records held by the Office of Personnel Management underscores the intensity of assaults on government IT systems," Central Intelligence Agency Director John Brennan said in November.
Brennan stated that given the cyber threat environment, the US government and private sector "should be sharing a lot more information," warning that "programmatic, technical, and legal challenges, as well as concerns about privacy and the role of government have hampered progress."
US FEDERAL GOVERNMENT HACK AT OPM
On June 4, the OPM publicly acknowledged that its servers had been hacked, compromising the personal information of more than 21.5 million current and former federal employees. OPM described the data breach as "criminal acts committed by unknown adversaries for criminal purposes."
Two months after the hack, OPM revealed that the fingerprints of as many as 5.6 million US federal personnel had been compromised in the hack. Detailed profiles of federal officials, including their financial histories, family and friend networks, and security clearance interviews, were also compromised.
After the OPM hack, not a single high-ranking US federal law enforcement, intelligence, or administration official would state for the record who was responsible for the breach. At a June intelligence symposium, Director of National Intelligence James Clapper named China as "the leading suspect."
In July, Homeland Security Secretary Jeh Johnson told the press that in the wake of the OPM breach, he hoped Congress would pass "cyber legislation which will give [the US government] additional authorities to do the job that we need to do."
Before its summer recess, Congress put the Cybersecurity Information Sharing Act (CISA) on the agenda to boost Department of Homeland Security (DHS) cooperation with private tech companies, which would be given incentives to share cyber threat data with federal law enforcement agencies.
CYBER SECURITY INFORMATION-SHARING ACT
As CISA was making its way through the Senate in July, privacy advocate and US Senator Ron Wyden warned the press, "If you have [cybersecurity] information sharing without vigorous privacy safeguards, millions of Americans are going to consider that to be a surveillance bill."
In its original form, CISA drew widespread criticism. The DHS, which was to be the lead agency in charge of the information sharing, opposed CISA, arguing it "could sweep away important privacy protections."
DHS further took aim at the bill for potentially compromising "personally identifiable information by spreading it further." By sharing information, the government would be spreading private users’ data across multiple federal agencies, ultimately exposing even more user data to the type of security failure that occurred at OPM.
Privacy advocates, technology companies and concerned lawmakers rejected the initially broad information sharing provisions. Despite being pressed to take action following the massive OPM hack, lawmakers struck the bill from the agenda.
The changes were satisfactory to congressional critics, private sector partners and some privacy advocates, and the bill passed through the US Senate with a broad margin of support and the blessings of the Obama administration.
The final cybersecurity legislation will be tucked into the $1.1 trillion must-pass government spending bill, which will almost certainly be signed into law at the end of this week.
ENCRYPTION AS THE NEXT HURDLE IN CYBERSECURITY REFORMS
Asked what the next step in cybersecurity will be for lawmakers, US House of Representatives Homeland Security subcommittee Chairman Peter King told Sputnik that "the private sector has to find a way to allow the government to break the encryption when there is a court order."
Following the highly coordinated but undetected terrorist attacks in Paris, France, and San Bernardino, California, US homeland security hawks, members of the intelligence community and President Barack Obama himself have all renewed their focus on private sector technology leaders providing them with commercial encryption tools.
Senate Intelligence Committee chairman Richard Burr told Sputnik that ideally, technology companies would give the US government keys to access encrypted data, but "short of that, we are going to have to figure out a way to do it either legislatively or on a cooperative level."
Finding technology industry partners willing to provide backdoor access to encrypted devices and applications may prove a difficult hurdle for the US government, despite rising public concerns over terrorism.
In recent months, US technology leaders were hit with renewed pressure from lawmakers, intelligence and law enforcement officials, who called on them to provide encryption keys, so that secured data could be retrieved under court order or similar law.
The Information Technology Industry Council (ITIC), a leading voice for top IT companies in the United States, warned that creating security backdoors for "the good guys would actually create vulnerabilities to be exploited by the bad guys."
In a public statement released in November, ITIC argued against government anti-encryption efforts, stating that "weakening security with the aim of advancing security simply does not make sense."
According to the most recent DHS data, US federal agencies were hit with more than 640,000 cyber-related incidents in 2014. The private sector loses billions of dollars annually from malicious cyberattacks.
Though many of the attacks on US government targets have been characterized as traditional espionage, data theft and network penetration, officials have repeatedly raised concerns about the number of destructive cyberattacks.