July 9, 2015:
In June the United States revealed that there had been a major hack of U.S. government personnel databases earlier in the year. The U.S. openly named China as the chief suspect and admitted that the hackers made off with government databases containing personal information on nearly twenty million government employees (active and retired.) This included data collected for people applying for security clearances.
The most embarrassing aspect of this incident was the revelations of how incompetent were the officials in charge of Internet security for this data. The key officials had apparently ignored years of warnings by technical personnel (both inside and outside the government) about the urgent need to do something about some very fundamental security problems. It turned out that most of the senior appointed officials didn’t understand what they were dealing with and a lot of the advice and criticism from people who did was largely ignored because it was simply not understood. This is not a new problem but it has become more common in the last few decades as new technology has become so crucial in so many areas. At the same time senior management in many firms has not adapted to these changes and all too often ignores serious problems or delegates them to subordinates who really don’t have the authority or management skills to implement changes. This is a major part of what caused the 2008 financial crises and there are warnings that another such disaster is brewing and there is still not a lot of attention being paid at the top.
The core problem for the government is that these senior Internet security positions are considered “political appointments” and even in highly technical areas the main criteria for selection remain political, not technical or managerial. Few people in government want to confront this issue openly.
This came be seen in the U.S. government response to this latest Internet security disaster. So far the official response of the American government is “full confidence” in the senior officials who presided over this epic debacle and pronouncements from these officials does not indicate any realization of what they did or, rather, did not do.
Meanwhile China has officially denied any involvement. Hackers can use this stolen information for various types of online larceny, or espionage or both. What is particularly worrisome (and making China more likely the culprit) is the fact that none of that data has shown up on the Internet black market. Aside from Internet based fraud, the other major use of that data is espionage.