now browsing by tag
Interesting article that states the impact of the OPM breach could cause an impact for the next 40 years.
I’m just going to say, after some conversations I’ve had with some people over this past weekend, I think the breach could last a whole lot longer than 40 years. In fact, I would go so far as saying that the damage caused by the breach, will never be repaired. Think of the long-lasting impact this will have on family members of those affected by the breach. If someone was able to pull up all the information, on say, your Grandpa, and was able to give you any/all information, you could ever want to know about him, wouldn’t that effect your trust with that person, and wouldn’t you be slightly more likely to release other information to him, as you see they already have a bunch of information? From an intelligence gathering operation, the amount of information contained in the SF-86 form, is crazy; there is so much information in the SF-86, it literally took me 3 days to fill out that form.
From the Article at FedScoop:
The theft of background investigation data on millions of federal employees and contractors has created a massive threat to U.S. national security that will last for decades and cost billions of dollars to monitor, current and former intelligence officials said.
The Office of Personnel Management announced last week that personal data on 21.5 million individuals was compromised by the hack of the agency’s background investigation database. That includes 19.7 million individuals that applied for a security clearance, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.
But while the focus continues to be on OPM’s efforts to fix vulnerabilities in the system used to manage background investigation data, known as Electronic Questionnaires for Investigations Processing (e-QIP), as well as the 30 day cybersecurity sprint ordered by the Office of Management and Budget, intelligence experts say there is little the agency can do to reverse the damage that has already been done.
Source: Yonhap News Agency
According to this report by the Yonhap News Agency, the U.S. did conduct a cyber operation against North Korea, in retaliation for their alleged attack against Sony.
From the article:
North Korea’s Internet connections suffered outages for days in late December after U.S. President Barack Obama blamed the communist nation for the massive hack on Sony and promised a “proportional response.”
If this is true, it is actually quite a scary situation for everyone involved. If you consider that a U.S. company, like Sony, has the U.S. Government to do its bidding for it; it really makes you think. I’m not concerned that that the U.S. has a cyber operations center, we’ve known about it for quite some time; what we haven’t known, is how, when, or why it would lead an attack against a nation. Now we know, all your nation-state has to do, is attack a very large corporation in the U.S. and it will draw the eye of U.S. cyber operations.
What do you think? Do you think the U.S. should launch a full scale cyber assault on a nation because it was behind a supposed “attack” on a large corporation. What is the precedence being set here? If my small business gets attacked by a group in North Korea, will the U.S. launch a full-scale attack against them? What size does my business need to be, where the U.S. government will carry out a full-scale cyber attack against North Korea to defend my business?
Source: Rapid7 – Security Street
I read this post on Rapid7’s Security Street today, and it made me think about all the hardships, and difficulty I’ve had working with clearances in the past. Not to mention the contractor -> civilian -> contractor -> civilian -> contractor messes I’ve seen in regards to clearances.
This article covers the very tip-top of issues associated with getting a US Government security clearance, and doesn’t dive much deeper than the wading pool of issues associated with getting a government security clearance.
So, with my past experience with government security clearances, here are my issues, with them, in no particular order; and these are all associated with either me, or close friends of mine.
1. Lack or reciprocity between clearances. For this example, I bring up something similar to the Department of Energy (DOE) Q clearance vs. the Depart of Defense (DoD) Top Secret (TS) clearance. On paper, and responsibilities, many similarities between the two, many say they are 100% reciprocal with one another. However, that is not the case. Many security officers in the DoD are completely unfamiliar with what a Q clearance is; and are completely unaware of any reciprocity that exists between the two clearances. But the big question is, why is there 2 different clearance systems associated with the U.S. government? Why is there not a single standard (I’m guessing since the Top Secret clearance in the DoD is much more well-known, that it would be the predominant one)?
Many might say, the access I have with a DOE Q is different than what I have with a DoD TS, which is true, however, there are many different categorizations of each of these individual clearances that a person must get cleared for as well (You can read more about SCI here).
Not only do you have the differences between the DOE Q vs DoD TS, but you have differences between TS clearances. Completely theoretical here, but if you have a TS clearance that you received as a DoD contractor and then you were to go work for the FBI, with your TS clearance, they would need to start the entire process over again, to get you vetted for your FBI TS clearance. I’m not even talking any of the SCI programs here, just clearances in general.
So, specifically relating to the article at Rapid7; if a person has their Q clearance (because their primary business role is associated with the DOE), and the FBI wants to talk to them, about a sensitive subject, that requires a TS, they would be unable due to differences in clearances. Same could also apply for a DoD contractor in speaking with the FBI or the CIA.
2. Time to get clearances. When I original got my clearance, it took well over 18 months for them to process the paperwork, do the background information checks, and everything else associated with my clearance. Why would it take so long? At some point, you are going to blame government bureaucracy; and you’d probably be right.
Time becomes a very critical issue when you’re dealing with computer threats, and if you need to wait any significant amount of time, in order to get vetted for what the government is going to tell you, then it’s already taken far too long.
3. How about all the issues needed to get a clearance in the first place. How easy is it, for a “regular” non-governmental business (or employees of) to get clearances? I’m going to go out on a limb here, and guess extremely difficult. I found it hard enough to get clearances when working for contractor, that required clearances, let alone, a business that doesn’t specifically require clearances. I can only imagine the entire vetting process for a business like this to get clearances would be pretty extreme.
4. After the Snowden revalations, the government began to cut-back on the number of clearances they issue. How does this affect “regular” businesses attempting to get clearances? You’ve began restricting clearances to those people that need them, through their direct work with the DoD or the DOE, and now you want to offer them to general businesses that may, or may not have direct ties to any government agency?
5. What are the actual requirements to get a clearance anyways? Who knows all the guidelines? If you want to see the official cases on why people are denied or granted clearances, you can check out this website: Industrial Security Clearance Decisions
Are these reasons for people not getting clearances acceptable in your mind, or are they too stringent. That’s not for me to decide, but should be something you think about when applying for a clearance.