OPM Data Breach - Whitehouse Petition - Help Wanted
My apologies in advance to any here who might feel that this is off topic... I don't personally believe that it is. Frankly, I don't know of that many mailing lists where the subscribers are likely to care as much about network security (and/or the lack thereof) as the membership of this list does.

By now, most of you will have read about the massive federal data breach at the U.S. Government's Office of Personnel Management (OPM), and also the fact that (by OPM's own preliminary estimates) this massive data breach affects at least four million federal government employees... but perhaps as many as 14 million current and former employees. However as this story is still evolving, even as we speak, you may perhaps not be familiar with the following additional important facts that have just come out:

*) In addition to ordinary government personnel records, including the usual kinds of frequently-hacked personal information (e.g. social security numbers), an as-yet undetermined number of highly detailed 127-page government security clearance forms (SF86) containing vast and intimate details of virtually every aspect of the lives of essentially EVERYONE who has applied for or been granted a government security clearance at any time within THE PAST 30 YEARS have also been hacked/leaked.

(Experts seem to agree that this security clearance data constitutes an absolute gold mine and treasure trove of information for foreign intelligence services, opening up vast possibilities for phishing, blackmail, and on and on.)

*) The Director of the Office of Personnel Management, Ms. Katherine Archuleta was warned, repeatedly, and over several years, by her own department's Inspector General (IG) that many of OPM's systems were insecure and should be taken out of service. Nonetheless, as revealed during congressional testimony yesterday, she overruled and ignored this advice and kept the systems online.

Given the above facts, I've just started a new Whitehouse Petition, asking that the director of OPM, Ms. Archuleta, be fired for gross incompetence. I _do_ understand that the likelihood of anyone ever getting fired for incompetence anywhere within the Washington D.C. Beltway is very much of a long shot, based on history, but I nonetheless feel that as a U.S. citizen and taxpayer, I at least want to make my opinion of this matter known to The Powers That Be.

I *really* would like some help from members of this list on this endeavor. In particular, if you agree, I'd appreciate it if you would sign my petition, and, whether you agree or not, I sure would appreciate it if you would all share the following URL widely:

https://petitions.whitehouse.gov//petition/immediately-fire-office-personnel...

Note that Whitehouse petitions do not even get properly or completely published on the Whitehouse web site until such time as they receive at least 150 signatures. I am hoping that members of this (NANOG) mailing list will help me to get past that threshold.

Thanks for your attention.

Regards, rfg
I think it would be great if you were to include some source links in your petition/email so that folks unaware of the specifics can educate themselves in a non-partisan and factual manner. Just my $0.02. Cheers, Harry On 6/17/15 8:54 PM, Ronald F. Guilmette wrote:
My apologies in advance to any here who might feel that this is off topic... I don't personally believe that it is. Frankly, I don't know of that many mailing lists where the subscribers are likely to care as much about network security (and/or the lack thereof) as the membership of this list does.
By now, most of you will have read about the massive federal data breach at the U.S. Government's Office of Personnel Management (OPM), and also the fact that (by OPM's own preliminary estimates) this massive data breach affects at least four million federal government employees... but perhaps as many as 14 million current and former employees. However as this story is still evolving, even as we speak, you may perhaps not be familiar with the following additional important facts that have just come out:
*) In addition to ordinary government personnel records, including the usual kinds of frequently-hacked personal information (e.g. social security numbers), an as-yet undetermined number of highly detailed 127-page government security clearance forms (SF86) containing vast and intimate details of virtually every aspect of the lives of essentially EVERYONE who has applied for or been granted a government security clearance at any time within THE PAST 30 YEARS have also been hacked/leaked.
(Experts seem to agree that this security clearance data constitutes an absolute gold mine and treasure trove of information for foreign intelligence services, opening up vast possibilities for phishing, blackmail, and on and on.)
*) The Director of the Office of Personnel Management, Ms. Katherine Archuleta was warned, repeatedly, and over several years, by her own department's Inspector General (IG) that many of OPM's systems were insecure and should be taken out of service. Nonetheless, as revealed during congressional testimony yesterday, she overruled and ignored this advice and kept the systems online.
Given the above facts, I've just started a new Whitehouse Petition, asking that the director of OPM, Ms. Archuleta, be fired for gross incompetence. I _do_ understand that the likelihood of anyone ever getting fired for incompetence anywhere within the Washington D.C. Beltway is very much of a long shot, based on history, but I nonetheless feel that as a U.S. citizen and taxpayer, I at least want to make my opinion of this matter known to The Powers That Be.
I *really* would like some help from members of this list on this endeavor. In particular, if you agree, I'd appreciate it if you would sign my petition, and, whether you agree or not, I sure would appreciate it if you would all share the following URL widely:
https://petitions.whitehouse.gov//petition/immediately-fire-office-personnel...
Note that Whitehouse petitions do not even get properly or completely published on the Whitehouse web site until such time as they receive at least 150 signatures. I am hoping that members of this (NANOG) mailing list will help me to get past that threshold.
Thanks for your attention.
Regards, rfg
This is the government... you have to put on your bizarro-economics and bizarro-ethics glasses for the State to make sense. It does not operate like a market. Failure results in people being shuffled around, and larger budgets. Failure justifies more control and power. People get taken down for political reasons, not based on a lack of ability or lack of virtue. I would hope this measure succeeds and to see something meaningful come out of it, I just don't see it happening. On Wed, Jun 17, 2015 at 8:56 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
My apologies in advance to any here who might feel that this is off topic... I don't personally believe that it is. Frankly, I don't know of that many mailing lists where the subscribers are likely to care as much about network security (and/or the lack thereof) as the membership of this list does.
By now, most of you will have read about the massive federal data breach at the U.S. Government's Office of Personnel Management (OPM), and also the fact that (by OPM's own preliminary estimates) this massive data breach affects at least four million federal government employees... but perhaps as many as 14 million current and former employees. However as this story is still evolving, even as we speak, you may perhaps not be familiar with the following additional important facts that have just come out:
*) In addition to ordinary government personnel records, including the usual kinds of frequently-hacked personal information (e.g. social security numbers), an as-yet undetermined number of highly detailed 127-page government security clearance forms (SF86) containing vast and intimate details of virtually every aspect of the lives of essentially EVERYONE who has applied for or been granted a government security clearance at any time within THE PAST 30 YEARS have also been hacked/leaked.
(Experts seem to agree that this security clearance data constitutes an absolute gold mine and treasure trove of information for foreign intelligence services, opening up vast possibilities for phishing, blackmail, and on and on.)
*) The Director of the Office of Personnel Management, Ms. Katherine Archuleta was warned, repeatedly, and over several years, by her own department's Inspector General (IG) that many of OPM's systems were insecure and should be taken out of service. Nonetheless, as revealed during congressional testimony yesterday, she overruled and ignored this advice and kept the systems online.
Given the above facts, I've just started a new Whitehouse Petition, asking that the director of OPM, Ms. Archuleta, be fired for gross incompetence. I _do_ understand that the likelihood of anyone ever getting fired for incompetence anywhere within the Washington D.C. Beltway is very much of a long shot, based on history, but I nonetheless feel that as a U.S. citizen and taxpayer, I at least want to make my opinion of this matter known to The Powers That Be.
I *really* would like some help from members of this list on this endeavor. In particular, if you agree, I'd appreciate it if you would sign my petition, and, whether you agree or not, I sure would appreciate it if you would all share the following URL widely:
https://petitions.whitehouse.gov//petition/immediately-fire-office-personnel...
Note that Whitehouse petitions do not even get properly or completely published on the Whitehouse web site until such time as they receive at least 150 signatures. I am hoping that members of this (NANOG) mailing list will help me to get past that threshold.
Thanks for your attention.
Regards, rfg
-- Tyler W. Mills Infrastructure and Network Engineer Atlanta, GA.
In message <CAOxD=zU=i2UMEdLixOOnqYW-3cF9RDFF4eN+KJG_sDcwDip_7A@mail.gmail.com> Tyler Mills <tylermills@gmail.com> wrote:
This is the government... you have to put on your bizarro-economics and bizarro-ethics glasses for the State to make sense.
It does not operate like a market. Failure results in people being shuffled around, and larger budgets. Failure justifies more control and power. People get taken down for political reasons, not based on a lack of ability or lack of virtue.
I would hope this measure succeeds and to see something meaningful come out of it, I just don't see it happening.
Thanks for your support. And yes, I agree that most probably nothing will come of this, but it is worth a try. Consider this, if even just one out of every forty (1/40) of the affected 4+ million (now hopefully pissed off) federal workers signs this petition then it will get past the 100,000 signature point and then the Whitehouse will HAVE to respond to it. Of course, even in that case, the WH might very well just put off their response, you know, until that proverbial "cold day in hell"... just as they have done, and continue to do, with the "Pardon Snowden" petition... however as in that case, their mere lack of response... basically ignoring their own rules which they made for themselves relating to these petitions... would itself call more attention to their utter failure, not only to prevent such breaches, but to even deal with them in a sensible way afterwards.

(If this utterly unqualified ethnic-checkbox woman had done this in the private sector, there's no doubt that her ass would be out the door already. As far as I have been able to tell in my limited research, she never managed _anything_ in her life before being named as the head of OPM... not even a Denny's... with the only possible exception being that she may have managed some portion of the President's re-election campaign.)

Regards, rfg

P.S. I just learned that the story on this breach is even worse than I already thought it was when I started the petition. From ArsTechnica:

http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-...

... A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root.

Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

Un-bleeping believable! There's nothing else that I can say about the quote above... at least nothing else that I can say in polite company.
On Jun 17, 2015 8:56 PM, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
*) The Director of the Office of Personnel Management, Ms. Katherine Archuleta was warned, repeatedly, and over several years, by her own department's Inspector General (IG) that many of OPM's systems were insecure and should be taken out of service. Nonetheless, as revealed during congressional testimony yesterday, she overruled and ignored this advice and kept the systems online.
Given the above facts, I've just started a new Whitehouse Petition, asking that the director of OPM, Ms. Archuleta, be fired for gross incompetence. I _do_ understand that the likelihood of anyone ever getting fired for incompetence anywhere within the Washington D.C. Beltway is very much of a long shot, based on history, but I nonetheless feel that as a U.S. citizen and taxpayer, I at least want to make my opinion of this matter known to The Powers That Be.
Idk whether she was wrong or not. They were running "COBOL" systems - I'm guessing AS/400 (maybe even "newer" zSeries) which are probably supporting some db2 apps. They also mention this is on a flat network. So stopping the hack once it was found was probably real interesting (I'm kinda impressed they minimized downtime as much as they did really).

I'm ok saying they were incompetent but not too sure you can do *this* much to mess up a network in <2 years (her tenure). I'd actually be interested in a discussion of how much you can possibly improve / degrade on a network that big from a management position.

If the argument is that she should've shut down the network or parts of it - I wonder if anyone of you who run Internet providers would even shut down your email or web servers when, say, heartbleed came out - those services aren't even a main part of your business. One could argue that it would've been illegal for her to shut some of that stuff down without an act of Congress.

I'm not saying you're dead wrong. Just that I don't have enough information to say you're right (and if you are, she's probably not the only head you should call for).
Have to agree with Shawn on this. If you watch her testimony in front of Congress, it is clear that she was completely flustered at the inability to hire competent people, and the lack of her superiors to prioritize the modernization project she had so passionately advocated for. When I've worked for organizations larger than - say - four or five office locations in diverse parts of the U.S., I've started to see how difficult it can become to get all of them to coordinate on *anything*, and I'm not even talking government here.

From the sound of it, she ran into the ceiling of available workers that were willing to work for the pay grade that the government offers for those positions, which is usually much less than private industry offers and - as a consequence - they are not nearly as familiar with migrations of that size. I do not envy her position, and doubt in the ability of anyone in her position to do more than she has attempted. Give her some credit.

On Thu, Jun 18, 2015 at 11:02 AM shawn wilson <ag4ve.us@gmail.com> wrote:
On Jun 17, 2015 8:56 PM, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
*) The Director of the Office of Personnel Management, Ms. Katherine Archuleta was warned, repeatedly, and over several years, by her own department's Inspector General (IG) that many of OPM's systems were insecure and should be taken out of service. Nonetheless, as revealed during congressional testimony yesterday, she overruled and ignored this advice and kept the systems online.
Given the above facts, I've just started a new Whitehouse Petition, asking that the director of OPM, Ms. Archuleta, be fired for gross incompetence. I _do_ understand that the likelihood of anyone ever getting fired for incompetence anywhere within the Washington D.C. Beltway is very much of a long shot, based on history, but I nonetheless feel that as a U.S. citizen and taxpayer, I at least want to make my opinion of this matter known to The Powers That Be.
Idk whether she was wrong or not. They were running "COBOL" systems - I'm guessing AS/400 (maybe even "newer" zSeries) which are probably supporting some db2 apps. They also mention this is on a flat network. So stopping the hack once it was found was probably real interesting (I'm kinda impressed they minimized downtime as much as they did really).
I'm ok saying they were incompetent but not too sure you can do *this* much to mess up a network in <2 years (her tenure). I'd actually be interested in a discussion of how much you can possibly improve / degrade on a network that big from a management position.
If the argument is that she should've shut down the network or parts of it - I wonder if anyone of you who run Internet providers would even shut down your email or web servers when, say, heartbleed came out - those services aren't even a main part of your business. One could argue that it would've been illegal for her to shut some of that stuff down without an act of Congress.
I'm not saying you're dead wrong. Just that I don't have enough information to say you're right (and if you are, she's probably not the only head you should call for).
On Thu, 18 Jun 2015 16:34:46 -0000, Cryptographrix said:
From the sound of it, she ran into the ceiling of available workers that were willing to work for the pay grade that the government offers for those positions, which is usually much less than private industry offers and - as a consequence - they are not nearly as familiar with migrations of that size. I do not envy her position, and doubt in the ability of anyone in her position to do more than she has attempted. Give her some credit.
Look at the average lifespan of heads of cybersecurity in the federal space - they don't seem to last more than 18-24 months before their foreheads are permanently damaged from banging against the wall...
Having worked for several departments like this, I can assure you her frustration was not about her "inability to hire competent people" or "the lack of her superiors to prioritize the modernization project". Unless you have worked for the Federal Government it's almost impossible to understand the mindset - Politics is job #1, Office Politics is job #2, "doing your job" is not a priority. The issue here was 100% looking bad - the worst possible offense a political appointee can commit. Firing this one person is pointless, she's one of 1,000,000 clones, not a one should be employed. I wish I had some simple solution, but I don't, it's going to require years, probably decades, of hard work by a motivated and skilled team. Also, a stable of unicorns.

Nick

On Thu, Jun 18, 2015 at 12:34 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
Have to agree with Shawn on this. If you watch her testimony in front of Congress, it is clear that she was completely flustered at the inability to hire competent people, and the lack of her superiors to prioritize the modernization project she had so passionately advocated for. When I've worked for organizations larger than - say - four or five office locations in diverse parts of the U.S., I've started to see how difficult it can become to get all of them to coordinate on *anything*, and I'm not even talking government here. From the sound of it, she ran into the ceiling of available workers that were willing to work for the pay grade that the government offers for those positions, which is usually much less than private industry offers and - as a consequence - they are not nearly as familiar with migrations of that size. I do not envy her position, and doubt in the ability of anyone in her position to do more than she has attempted. Give her some credit.
On Thu, Jun 18, 2015 at 11:02 AM shawn wilson <ag4ve.us@gmail.com> wrote:
On Jun 17, 2015 8:56 PM, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
*) The Director of the Office of Personnel Management, Ms. Katherine Archuleta was warned, repeatedly, and over several years, by her own department's Inspector General (IG) that many of OPM's systems were insecure and should be taken out of service. Nonetheless, as revealed during congressional testimony yesterday, she overruled and ignored this advice and kept the systems online.
Given the above facts, I've just started a new Whitehouse Petition, asking that the director of OPM, Ms. Archuleta, be fired for gross incompetence. I _do_ understand that the likelihood of anyone ever getting fired for incompetence anywhere within the Washington D.C. Beltway is very much of a long shot, based on history, but I nonetheless feel that as a U.S. citizen and taxpayer, I at least want to make my opinion of this matter known to The Powers That Be.
Idk whether she was wrong or not. They were running "COBOL" systems - I'm guessing AS/400 (maybe even "newer" zSeries) which are probably supporting some db2 apps. They also mention this is on a flat network. So stopping the hack once it was found was probably real interesting (I'm kinda impressed they minimized downtime as much as they did really).
I'm ok saying they were incompetent but not too sure you can do *this* much to mess up a network in <2 years (her tenure). I'd actually be interested in a discussion of how much you can possibly improve / degrade on a network that big from a management position.
If the argument is that she should've shut down the network or parts of it - I wonder if anyone of you who run Internet providers would even shut down your email or web servers when, say, heartbleed came out - those services aren't even a main part of your business. One could argue that it would've been illegal for her to shut some of that stuff down without an act of Congress.
I'm not saying you're dead wrong. Just that I don't have enough information to say you're right (and if you are, she's probably not the only head you should call for).
On Thu, Jun 18, 2015 at 1:15 PM, Nick B <nick@pelagiris.org> wrote:
Having worked for several departments like this, I can assure you her frustration was not about her "inability to hire competent people" or "the lack of her superiors to prioritize the modernization project". Unless you have worked for the Federal Government it's almost impossible to understand the mindset - Politics is job #1, Office Politics is job #2, "doing your job" is not a priority. The issue here was 100% looking bad - the worst possible offense a political appointee can commit. Firing this one person is pointless, she's one of 1,000,000 clones, not a one should be employed. I wish I had some simple solution, but I don't, it's going to require years, probably decades, of hard work by a motivated and skilled team. Also, a stable of unicorns.
Mmmm, most people (gov or private) do their jobs - the problem seems to be policy makers and getting money for things that no one is going to see (security). This has been a well documented issue in the private sector but idk anyone has really said how bad gov is (I'd suspect worse than public at this point). My point was that idk you can blame someone for not implementing security in a place that big w/in 2 years. I'd've liked to have seen a roadmap, but I don't suppose you want your attackers to know that, so...
On Thu, Jun 18, 2015 at 7:50 PM, Stephen Satchell <list@satchell.net> wrote:
On 06/18/2015 10:15 AM, Nick B wrote:
I wish I had some simple solution, but I don't, it's going to require years, probably decades, of hard work by a motivated and skilled team. Also, a stable of unicorns.
Not to mention an Act of Congress. Oh, wait...
If anyone cares to fix government tech (and not just whine about it on mailing lists), the US Digital Service is probably the best way to make an impact: https://www.whitehouse.gov/digital/united-states-digital-service Damian
In message <CAPPYGuwCB-r3OzYTHM+ywTApgdtYOn+j3L6t+N0A7eaF6_chFA@mail.gmail.com> Cryptographrix <cryptographrix@gmail.com> wrote:
If you watch her testimony in front of Congress,...
I did, actually. And it pissed me off so much that I started the petition (to get her fired). I encourage everybody to watch the video of her congressional testimony on Tuesday. See how she tries to stonewall simple questions like "Why wasn't the data encrypted?"
From the sound of it, she ran into the ceiling of available workers that were willing to work for the pay grade that the government offers for those positions, which is usually much less than private industry offers and - as a consequence - they are not nearly as familiar with migrations of that size. I do not envy her position, and doubt in the ability of anyone in her position to do more than she has attempted. Give her some credit.
I _do_ understand the point you are making. But if you are charged with the safekeeping of untold millions of extraordinarily detailed personal data files, and if you don't have the resources to do your job properly, wouldn't the Right Thing To Do be to either (a) resign in protest or else (b) at the very least send a letter to members of Congress telling them just how effed up things really are, so that they will understand what is at risk? This lady did neither, as far as I can tell. She just followed the first rule of government service: To get along, you go along. In most cases, that course of action would not have resulted in any great harm. But in this case the result was provably and absolutely catastrophic. If there were any justice in the world, Mr. Snowden would be back home in the U.S.A. now, and Ms. Archuleta would now be hiding out in Russia. Regards, rfg
On Thu, Jun 18, 2015 at 04:34:46PM +0000, Cryptographrix wrote:
Have to agree with Shawn on this. If you watch her testimony in front of Congress, it is clear that she was completely flustered at the inability to hire competent people, and the lack of her superiors to prioritize the modernization project she had so passionately advocated for. When I've worked for organizations larger than - say - four or five office locations in diverse parts of the U.S., I've started to see how difficult it can become to get all of them to coordinate on *anything*, and I'm not even talking government here.

From the sound of it, she ran into the ceiling of available workers that were willing to work for the pay grade that the government offers for those positions, which is usually much less than private industry offers and - as a consequence - they are not nearly as familiar with migrations of that size. I do not envy her position, and doubt in the ability of anyone in her position to do more than she has attempted. Give her some credit.
She will have some large number of Civil Service Rockets "working", or at least on the TO&E below her: "Won't work; can't be fired." -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin
18.06.2015 18:00, shawn wilson wrote:
I'd actually be interested in a discussion of how much you can possibly improve / degrade on a network that big from a management position.
That's quite an interesting topic, isn't it? Dilbert still has his job so it might as well be immutable. :-)
I think one of their major issues is that they look at too much of the network at a time. If they decided they were going to secure a particular data center or building, they might be much better off. If they start with defending the servers from internal as well as external threats and then move toward the perimeter they might make progress. I think they look at the entire comprehensive network and end up with a number or a project that is too big to fathom. First thing would be current IDP/IDS technology so they would at least know where and what the threats are.

Steven Naslund Chicago IL

18.06.2015 18:00, shawn wilson wrote:
I'd actually be interested in a discussion of how much you can possibly improve / degrade on a network that big from a management position.
Good point. It's a massive job, and sometimes it is best to look at those piecemeal. Start with small goals, and pick low hanging fruit--your example of the server room is good. Set it up with an IDS, a firewall, harden the hosts by turning off/removing unused/unneeded services, setting up tripwire, and encrypt all data on the drives, then look to password policy enforcement. Then start actively securing it (monthly audits, daily log checks, etc.). Doable. Then pick the next lowest hanging fruit and repeat.

--patrick darden

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Naslund, Steve
Sent: Friday, June 19, 2015 8:31 AM
To: Stepan Kucherenko; nanog@nanog.org
Subject: [EXTERNAL]RE: OPM Data Breach - Whitehouse Petition - Help Wanted

I think one of their major issues is that they look at too much of the network at a time. If they decided they were going to secure a particular data center or building, they might be much better off. If they start with defending the servers from internal as well as external threats and then move toward the perimeter they might make progress. I think they look at the entire comprehensive network and end up with a number or a project that is too big to fathom. First thing would be current IDP/IDS technology so they would at least know where and what the threats are.

Steven Naslund Chicago IL

18.06.2015 18:00, shawn wilson wrote:
I'd actually be interested in a discussion of how much you can possibly improve / degrade on a network that big from a management position.
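The "setting up tripwire" and "daily log checks" items in Patrick Darden's checklist above are exactly the kind of small, incremental control that fits inside an operations budget. The following is an added example, written for this page and not taken from the thread, from any of its posters, or from the Tripwire product: a minimal tripwire-style file integrity monitor in Python. It records a SHA-256 baseline of a directory tree (hash, size and permission bits per file) and reports what was added, removed or modified on a later check. The directory layout, file names and contents used in demo() are constructed for illustration and live in a temporary directory.

```python
"""Minimal tripwire-style file integrity monitor (added example, not from the thread)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits of every regular file under root.
    Keys are POSIX-style relative paths so the baseline is portable between hosts."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON. Keep the real copy off-host or read-only:
    an intruder with root can rewrite a baseline stored beside the monitored data."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines. A file is 'modified' if any recorded attribute changed
    (content hash, size or permission bits)."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(k for k in before & after if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a toy /etc tree, change it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tree = root / "etc"  # the monitored subtree (constructed sample data)
        (tree / "ssh").mkdir(parents=True)
        (tree / "cron.d").mkdir()
        (tree / "motd").write_text("Authorised use only\n")
        (tree / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")

        # Checkpoint taken while the host is known-good; stored outside the tree.
        save_baseline(build_baseline(tree), root / "baseline.json")

        # Changes a daily check should surface: a weakened sshd setting,
        # an unexpected new cron job, and a deleted banner file.
        (tree / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (tree / "cron.d" / "newjob").write_text("0 3 * * * root /usr/local/bin/sync\n")
        (tree / "motd").unlink()

        return compare(load_baseline(root / "baseline.json"), build_baseline(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from cron once a day against a baseline that was written when the host was built and then made read-only, and feed the non-empty "added"/"removed"/"modified" lists into whatever ticketing or alerting the team already reads. The check only tells you that something changed, not who changed it, so it pairs with the daily log review in the same checklist rather than replacing it.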
On Fri, Jun 19, 2015 at 9:55 AM, Darden, Patrick <Patrick.Darden@p66.com> wrote:
Good point. It's a massive job, and sometimes it is best to look at those piecemeal. Start with small goals, and pick low hanging fruit--your example of the server room is good. Set it up with an IDS, a firewall, harden the hosts by turning off/removing unused/unneeded services, setting up tripwire, and encrypt all data on the drives, then look to password policy enforcement. Then start actively securing it (monthly audits, daily log checks, etc.). Doable. Then pick the next lowest hanging fruit and repeat.
You left out:

Formulate Bid Solicitation team
Procure funding for Bid Solicitation team
Request Congressional approval for Bid Solicitation team
Request funding for team to win Congressional approval of Bid Solicitation team
Receive first round funding for team to win Congressional approval.....
Director retires, project status in limbo
New round of higher funding sought
Congressional recess, projects in limbo
Bid process begins, 3 of 4 are non-GSA and require further funding for new approval process
After 2 years of paperwork, initial funding for 2 year old IDS v1.1 (that's what was approved!) is approved.
repeat, ad nauseam

-Jim P.
No I intentionally left those out. Here is why. If they would do small incremental work, they don’t get into the areas of congressional approval and GSA. You can just do the small incremental projects under your IT operations budgeting. There is a big misconception that everything requires congressional approval or a lot of red tape to get done, it is all about thresholds. If you wanted to replace an old obsolete switch or router, you don't need to go there. If you propose to replace 10,000 switches and routers, then you would. Steven Naslund Chicago IL
On Fri, Jun 19, 2015 at 10:43 AM, Naslund, Steve <SNaslund@medline.com> wrote:
No I intentionally left those out. Here is why. If they would do small incremental work, they don’t get into the areas of congressional approval and GSA. You can just do the small incremental projects under your IT operations budgeting.
This is only possible when you take all the policies developed to comply with both the law and executive orders and chuck them right out the window. At that point you're operating with no authority and all of the responsibility, which is grounds for termination even if what you do actually works. Especially if you're a contractor as the majority of operations folks in the Federal government are.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
Wrong. I was a government (US Air Force) network engineer for over 10 years (not a contractor, a full time employee). There is an O&M budget created for the day to day operation and maintenance of IT systems. This is approved along with your department's budget annually. If you classify updating equipment as an O&M function (which it routinely is) then you have no issues. You purchase your equipment off pre-existing purchasing agreements in place with your agency or the GSA. If your purchases exceed a certain threshold or the amount available under your O&M funding, then you need to go out and negotiate a project and contract it out. Trust me, I know how this works, I was also a contracting inspector for communications systems during my time with the US Air Force.

For example, I want to connect one new building to my infrastructure including the installation of fiber to the building and purchasing network switches and routers. The organization that wants to do this can eat that cost under their IT O&M budget without issue or breaking any rules. It could also be contracted under the building's construction project if it is new construction. If I want to replace an existing failed or obsolete firewall with something under a current GSA schedule, I can do that as well. The only thing that matters here is that I do not cross certain dollar thresholds (which vary per department) and that I can absorb the cost into my O&M funding. These all comply with existing contracting law.

Let me give you another example. The Air Force Pacific Command wanted to unify several disparate TDM Voice/Video/Data networks into a single ATM switched infrastructure on fiber rings. The cost of that project ran to over 50 million dollars and was done without any additional congressional approval. Air Force Pacific Commander absorbed the entire cost under their existing authorization for maintenance of command and control systems. The construction of manholes and duct work was put out for bid to local construction companies under the Air Force Contracting Regulations. In fact, the DoD was told this was being done (since it modified the engineering of some existing systems) and they agreed to commit some of their O&M dollars to it as a prototype for other commands. None of that work required GSA or congressional scrutiny because it was all conducted under pre-existing authorizations. Project went from concept to full production in under two years.

If you want new PCs, the Department of Defense negotiates contracts that you can purchase off of agency wide. It is a common misconception that everything has to go out to bid every time. Things that are purchased routinely (PCs, printers, routers, switches, etc.) are negotiated in large multiyear contracts that are already available to the purchaser. You only need to go back to Congress if you are looking for money that is not already appropriated to you. If my budget appropriation includes $10 million for IT security, I can go ahead and spend that money on IT security devices and services without any more approval through the existing procurement system.

In my experience it is more about some government wonk that would rather tell you to launch a $100 million project rather than get off his ass and do something small and useful. Rather than work, just make it so hard to start that it never happens.

Steven Naslund
Chicago IL
On Fri, Jun 19, 2015 at 12:12 PM, Naslund, Steve <SNaslund@medline.com> wrote:
There is an O&M budget created for the day to day operation and maintenance of IT systems. This is approved along with your department's budget annually. If you classify updating equipment as an O&M function (which it routinely is) then you have no issues. You purchase your equipment off pre-existing purchasing agreements in place with your agency or the GSA. If your purchases exceed a certain threshold or the amount available under your O&M funding, then you need to go out and negotiate a project and contract it out. Trust me, I know how this works, I was also a contracting inspector for communications systems during my time with the US Air Force.
I'm fairly certain that new IDS purchases, for an org as large as OPM, which would also include project-term Support contracts, aren't going to fit into any pre-approved O&M day to day budget... other than maybe an AF budget :-)

-Jim P.
Here is their 2013 budget https://www.opm.gov/about-us/budget-performance/budgets/2013-budget.pdf

Glancing through it they had a 2.1B total appropriation with 90.5M dedicated to salaries and expenses where IT would fall. It appears that their CIO also has a multi-year fund around 70M separately allocated to systems modernization. One telling issue is that the budget talks about their priorities and within all of their goals around ensuring diversity, treating their employees well, providing good customer service, etc., there is not one mention of IT security. It is just about setting priorities.

I would bet you that there are plenty of IDP contracts out there that they could ride on. This saves them from the entire RFP and evaluation process by simply stating that their needs are equivalent and a usable contract is already in place. Often in government contracts, support for a fixed period of time is rolled into the purchase price. This is done because the government often cannot commit dollars in forward years. So, when you buy your IDP device you pay for five years of support because you know you have the money this year but do not have next year's appropriation yet. Most government contracts have very sweet support and maintenance options because vendors often differentiate themselves that way without laying down on the up front price and hurting cash flow. They can bury the hidden costs of supporting the devices and just claim a huge number for sales in their current quarter.

Here is the best analogy I have ever heard about how government contracting really works:

*** Paint is peeling on your house. You use your own authority to buy a can of paint and touch it up with no other approval (your O&M budget).
*** You let the peeling paint slide too long and now you need to replace all of your siding. You go to your wife and she tells you to wait until next spring when you have the money in the budget (department level O&M money).
*** You let the peeling paint slide WAY too long and now you need to rip out entire walls and while we are at it we might as well put in an addition. You go to the bank to get a home improvement loan (congressional line item budgeting).

This is where they have let their systems get to. Agency heads like to shift blame by going to congress and saying I can't do this because I need a huge appropriation to even start. The correct question from congress is to ask that agency head why they did not ask for an IT budget that included enough money to support and maintain a secure infrastructure. They should also ask, what small steps have you taken so far within your own IT budget to address security concerns. For example, do you routinely replace desktops over a certain age, is your malware protection software in place and up to date, is your firewall on the latest code release? If you ran a company would you not fire an IT director that came to you and said "we need to replace all of our network, servers, and PCs because they are all obsolete NOW...TODAY"? Wouldn't you wonder what he had been doing with the O&M budget you give to him every year?

The truth of this is that most agency heads do not care about IT security, they just do not. The only exception might be DoD because they are well aware that they have enemies that are looking to take them out and it is their primary responsibility to fight enemies. Most other agencies don't have the mindset of having an adversary looking at them and don't care because they don't get hurt; the citizen whose data is lost takes the hit. It might not change things immediately to fire the head of this agency but it does let other agency heads know that if you ignore IT you could lose your job.

Steven Naslund
Chicago IL
Here is a great quote straight out of the OPM budget of 2013.

-----------------------------------------------------------------
Human Resources Line of Business (HR LOB)
The Human Resources Line of Business (HR LOB) leads the government-wide transformation of HR Information Technology by focusing on modernization, integration, and performance assessment. The HR LOB is a model for its cross-agency collaboration which achieves HR service delivery improvements and cost savings results.
-----------------------------------------------------------------

I guess being the model for cross-agency collaboration means providing all of the employee data any Chinese agency wants :)

Steven Naslund
Chicago IL
Here is another great document, their Strategic IT Plan http://www.opm.gov/about-us/budget-performance/strategic-plans/strategic-it-.... I especially like this excerpt from Page 9.

-----------------------------------------------------------------------------
Phase 3 – Assess (December 2014): We will baseline and begin routinely reporting against our performance outcomes:
• Compliance with laws, policies, and successful practices;
• User and stakeholder satisfaction with improved IT capabilities; and
• Cost per IT service or transaction.
No additional funding or manpower is required to implement these initiatives. Stronger IT leadership will result in cost avoidance and cost savings that will allow us to shift valuable, scarce resources to high priority programs.
----------------------------------------------------------------------------

I guess money is not the problem according to this. I guess their "Stronger IT Leadership" is not strong enough.

Steven Naslund
Chicago IL

-----Original Message-----
From: Naslund, Steve
Sent: Friday, June 19, 2015 12:30 PM
To: Naslund, Steve; Jim Popovitch; nanog@nanog.org
Subject: RE: OPM Data Breach - Whitehouse Petition - Help Wanted

Here is a great quote straight out of the OPM budget of 2013.

-----------------------------------------------------------------
Human Resources Line of Business (HR LOB)
The Human Resources Line of Business (HR LOB) leads the government-wide transformation of HR Information Technology by focusing on modernization, integration, and performance assessment. The HR LOB is a model for its cross-agency collaboration which achieves HR service delivery improvements and cost savings results.
-----------------------------------------------------------------

I guess being the model for cross-agency collaboration means providing all of the employee data any Chinese agency wants :)

Steven Naslund
Chicago IL
I believe, if the fruit is small enough, you could sneak some of this in through the cracks. Bull it through via sheer determination. But I understand what you mean.... The more official it is, the more visible it is, the more difficult it is.... The same for any bureaucracy, but a quantum leap here.

--
patrick darden

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Jim Popovitch
Sent: Friday, June 19, 2015 9:12 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: OPM Data Breach - Whitehouse Petition - Help Wanted

On Fri, Jun 19, 2015 at 9:55 AM, Darden, Patrick <Patrick.Darden@p66.com> wrote:
Good point. It's a massive job, and sometimes it is best to look at those piecemeal. Start with small goals, and pick low hanging fruit--your example of the server room is good. Set it up with an IDS, a firewall, harden the hosts by turning off/removing unused/unneeded services, setting up tripwire, and encrypt all data on the drives, then look to password policy enforcement. Then start actively securing it (monthly audits, daily log checks, etc.). Doable. Then pick the next lowest hanging fruit and repeat.
You left out:
Formulate Bid Solicitation team
Procure funding for Bid Solicitation team
Request Congressional approval for Bid Solicitation team
Request funding for team to win Congressional approval of Bid Solicitation team
Receive first round funding for team to win Congressional approval.....
Director retires, project status in limbo
New round of higher funding sought
Congressional recess, projects in limbo
Bid process begins, 3 of 4 are non-GSA and require further funding for new approval process
After 2 years of paperwork, initial funding for 2 year old IDS v1.1 (that's what was approved!) is approved.
repeat, ad nauseam

-Jim P.
On Thu, Jun 18, 2015 at 11:00:00AM -0400, shawn wilson wrote:
If the argument is that she should've shut down the network or parts of it - I wonder if anyone of you who run Internet providers would even shut down your email or web servers when, say, heartbleed came out - those services aren't even a main part of your business.
Yes, I would. We did (at Purdue) one day in November 1988, when we knew that we had a problem and we had very good reason to believe we were a serious hazard to the rest of the 'net. Confronted with a similar situation today, I would do the exact same thing.

It is the highest duty of everyone on the 'net, whether they're running one laptop or a 50,000-server cloud, to ensure that their operation isn't an operational menace to everyone else. And it is the failure of many to discharge that duty, above all others, that is directly responsible for many of the issues we face every day.

---rsk
On Wed, Jun 17, 2015 at 8:54 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
My apologies in advance to any here who might feel that this is off topic... I don't personally believe that it is. Frankly, I don't know of that many mailing lists where the subscribers are likely to care as much about network security (and/or the lack thereof) as the membership of this list does. By now, most of you will have read about the massive federal data breach at the U.S. Government's Office of Personnel Management (OPM), and also the fact that (by OPM's own preliminary estimates) this massive data breach affects at least four million federal government employees...
Hi Ronald,

I'm of the opinion that the whole thing is your fault. The security inadequacies of your network are obviously what allowed the Chinese Super Hackers to break in with their false BGP advertisements and source address spoofing.

Well, maybe not, but just imagine if that was true: your post would be on-topic for the mailing list!

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
On Wed, Jun 17, 2015 at 8:54 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
I've just started a new Whitehouse Petition, asking that the director of OPM, Ms. Archueta, be fired for gross incompetence.
Hi Ronald,

The core problem here is that the Authority To Operate (ATO) process consumes essentially the entire activity of a USG computing project's security staff. The non-sensical compliance requirements, which if taken literally just about prevent you from ever connecting any computer to any other, get in the way of architecting systems around pragmatic and effective security.

There's no use blaming the director for a broken system she's compelled to employ, one far out of her control. The next warmer of that seat is constrained to do no better.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
Absolutely Bill,

That is always the case with the government (I have worked with them a lot). They build lots and lots of procedure and process and dumb standards (mandatory POSIX compliance?!?!?, that was a good one) when step one would have been to get current firewall technology in place, have current operating systems, and patch known vulnerabilities (which is why you want the current operating systems). Instead, they go out and commission multi-million dollar consulting contracts that spend time drawing up blueprints for the be-all end-all systems that no one is going to fund. When you look at the way the government goes about things like simply setting up the Healthcare website, it is miraculous that they even knew they got hacked. I will bet for every documented breach like this there are hundreds of continuous vulnerabilities being exploited that they don't even know about. These are just the weak ones that got caught.

They still tend to look at these systems like their old mainframe based systems instead of looking at desktops, servers, and networks as separate independently upgradable parts. This makes all of their planning so massive that it can never be implemented so no one ever starts. Eventually the desktop OS gets too old to support, the servers have to stay compatible with the old desktops, the software application can't be upgraded because it does not run on the old database, etc etc etc... until the whole system collapses and you have to get the forklift. This director has nothing to do with it. I think they might need to eliminate some useless department and create or hire an IT organization that operates like a service provider to all of these agencies.

Steve Naslund
Chicago IL
Based on prior work in this space, the problems are as follows:

0. Political appointees don't stick around for long, therefore they can always point to the last guy as the problem. They are also gone before the impact of the lack of security focus impacts their jobs.
1. Executives and middle managers are not compensated or recognized for having secure systems, therefore operations and missions take priority. This includes disabling all security if the operation requires it, and the PM justifies it.
2. Architecture of systems seldom includes a security architect from the beginning, with security added later at a substantial expense.
3. Test plans are inadequate and at times the wrong test plan for the technology being audited.
4. Third party contractors performing audits and assessments are paid by the IT department to provide a favorable report, as quickly as possible. To accomplish this, the testing is minimal, the qualifications of the staff are low, and the contractor's PM has the ability to change findings to ensure the customer looks good.
5. System and network admins - they too are not compensated for secure systems, only that the systems are operating. This forces prioritizing operations over security.
6. Developers are not held accountable for secure code, and their contractors ignore the issues, even in the few instances where a security clause is included in the contract.
7. Many architectures are built around a security product, and not the risk profile.
8. Stovepipes - Many organizations have competing political goals, and spend time CYA instead of making this secure by default.
9. Contractor staff training – contractors promise training to customer facing staff, but instead never budget for that training. Instead the contract companies see this as OJT on the taxpayer dime.
From a game theory standpoint, it turns out security always loses.
Joe Klein
"Inveniam viam aut faciam"

On Thu, Jun 18, 2015 at 1:35 PM, William Herrin <bill@herrin.us> wrote:
On Wed, Jun 17, 2015 at 8:54 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
I've just started a new Whitehouse Petition, asking that the director of OPM, Ms. Archueta, be fired for gross incompetence.
Hi Ronald,
The core problem here is that the Authority To Operate (ATO) process consumes essentially the entire activity of a USG computing project's security staff. The non-sensical compliance requirements, which if taken literally just about prevent you from ever connecting any computer to any other, get in the way of architecting systems around pragmatic and effective security.
There's no use blaming the director for a broken system she's compelled to employ, one far out of her control. The next warmer of that seat is constrained to do no better.
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>