Saturday, June 27, 2015

OPM Gives Edward Snowden a Pass...

As much as I hate the villainous traitor to our country, Edward Snowden, as described in my blog June 2013 blog, “American Hero, Idiot, or Traitor”, I hate the data breach at the Office of Personnel Management (OPM) even more.  It’s easy to hate a person, such as Snowden, but difficult to hate an institution.  Can you really just say we hate the head of OPM, Katherine Archuleta, fire her and call it good? Was it the head of OPM that violated the sacred trust with the entire corps of Government employees?  Yes, she should go.  She should resign.  But, that is a far cry from making it good. There is something else to blame and something so more insidious that the aftermath of this issue will resonate for the next 40 or 50 years.  Then entire government work force will have to essentially age out before the data obtained in the SF 86 of every government employee ages out of it’s usefulness to the foreign government that now unlawfully owns this information.  I can imagine the celebration that is now going on in said Country. Goodness can you imagine the hacker who brought that package home?  They are true National Heroes in their Country...Back here in the US,  perhaps, we would call that particular Dark Visitor, public enemy number one.  If we can track who did it, maybe we can pursue them directly, and individually, as we do all cyber criminals, but within their Country, they are heroes.  No doubt if I met that particular hacker or hackers I would have to shake their hand, as if just being defeated in a game of chess, and say, well done! At least they had to work for it.  The scumbag Edward Snowden, on the other hand, gave it away.

But I get ahead of my rant today…to fully understand the ramifications of this information you have to start at the beginning...for me that would be 1987, when I entered the USAF, when I was first finger printed, and when I first penned the details of my life onto a Government form, thus entering the collective of US Federal employees and surrendering any autonomy of life, perhaps confessing a life on the Lamb, if I would to later choose a life of crime, would be difficult.  I was in the system.  Big brother now had my facts...these days they also have plenty of mugshots and of course scans of my retina.  DNA is soon to follow.  Little did I know, back in 1987, I would also be surrendering these details to another Country.  I’ve lived a relatively tame life, so I’m not really saying my SF-86 is full of lurid details of a secretive life worthy of any blackmail, unless the addresses of places I’ve lived and the people I’ve known are sufficiently worthy of a Hollywood Blockbuster, but, there are things, like my mother’s maiden name, dates of birth, etc, that could be used by an industrious hacker, such as those of “We Are Anonymous” fame, to hack most of my web accounts.  This data, used in social engineering, is also how websites secure our logins with “Challenge Questions”.  The city of your first elementary school for example.  I can change all that though, as well as to begin using technology, such as 2-Step Verification, on all my email and other accounts.  Most financial institutions have already instituted some version of 2-Step verification already, so don’t get too wrapped around the axle.  But definitely change your passwords and your challenge questions if you are in doubt.  But this blog is not about enhancing your security moving forward...it’s about trust.  The trust we must have to put our data in the hands of a third party.  As we do every time we swipe a credit card at Target, every time we punch in the pin for our cash card at 7/11, and as it turns out, every time we give the Federal government our Personally Identifiable Information, or PII.  For years, as Federal employees we are trained on the correct handling of PII.  A social security number (SSN) being the most readily identifiable piece of PII.  Seems like only yesterday I had my SSN printed on the tops of my checks, for convenience, because when you wrote a check at the store, if it wasn’t already on the top of the check, you would hand them your drivers licence and they would hard scribe it on top of the check anyway.  The vast numbers of people writing their SSN’s on the top of their checks is what gave us safety.  We hid in the mass of numbers out there in the public.  Yes the bad guy, could pull a check from a drawer, and try to write a couple of bad checks with your info, but the probability of that happening to you personally, was one in many millions.

For several years now, it’s been clear to me, that Google, was perhaps a better place to hide.  Hide plain sight.  Hide among the trillions of bits of information surging through cyber space.  The USAF, of which I’m most familiar, instituted a different technique.  Consolidate all the information and secure it behind layers of security. Just like OPM, except without the layers of security. The key word here is consolidate.  Whenever you consolidate, you create a more valuable target.  If you want to hide, disperse.  It’s the opposite of trying to defend everywhere.  The immortal words of Frederick the Great, “He who defends everywhere defends nothing”,  is turned on it’s head.  An attacker is only interested in what’s behind the defense...if you defend nothing, nothing, perhaps is of interest. But as we learned in Pearl Harbor, if you pack everything in, it’s easy to wipe out.  Nobody is calling this data breach at OPM the cyber Pearl Harbor we’ve been long awaiting, but isn’t it?  Didn’t they just wipe out the usefulness of preserving the privacy of 18 million government employees.  We never believed, that a cyber Pearl Harbor, amounted to large dramatic explosions.  But we did think that a cyber Pearl Harbor would wipe out Wall Street for instance, in which “markets will crash crash, financial empires will crumble crumble”, stealing the best lines from the movie Hudson Hawk...that hasn’t happened exactly in one dramatic event, but hasn’t as Pearl Harbor of sorts just occurred?

To me it’s time for a change….but first we must return to Edward Snowden.  Snowden, as are all government employee who have security clearances, give up their privacy so they are trusted with national secrets.  We give up our privacy and are granted trust and a paycheck to have access to the Nation's secrets.  The Nation, thus is presented with our personal secrets which they should also protect.  And they do try...right?  We sit through PII training on an annual basis. But after OPM,  should we be protecting PII any longer?  It doesn’t make much sense for me to protect my PII much anymore...just like I was unafraid to put my SSN on the top of my check, maybe I should now put it on a billboard, as the folks at LifeLock would have me do.  Well, we've all been on the hook to protect PII, and we pussy foot around, not emailing SSN or making lists, with various people at different levels of comfort, and having to endure the annual refresher training...meanwhile, the entire organization responsible betrays the fundamental trust with us...they pull us through the keyhole while the basic rules don't apply to them...are there folks out there, government employees who have gotten in trouble, gotten fired perhaps, been made scapegoats for compromising PII? And all the while it's been a sham?  Government employees have been held to a higher standard with regard to protecting PII than our counterparts in the citizenry...they also take an oath upon employment...and feel...beyond doubt (or as I have) that if we are trusted to protect the government's secrets, the government is compelled to protect our secrets...so beyond the breach of contract for which we could rightly end our employment, moving forward,  anyone who compromises anything, including security at this point, has a case that there is no longer a contract, the contract has been breached, and thus we are no longer bound to keep our Nation’s secrets, secret...since they don’t protect ours.  And with felons like Edward Snowden out there...how long before he makes a similar argument.  No doubt Edward Snowden's SF-86 was in the stack that was breached...does he now have a legal case against the US?  As class action lawsuit, to which we are now all party, at least 18 million of us, including Edward Snowden.  Perhaps the remaining 300 million have a suite as well, because, isn’t the entirety of  the US now less secure if the security of every employee of the United States Government has been compromised.   What Edward Snowden did to us pales in comparison to the breach of contract with our Government and certainly, in my mind, gives him some breathing room.

As much as I think Edward Snowden is a traitor to our country, I no longer think we can  hunt him down, prosecute him, and if found guilty, execute him for his war crimes.  OPM may have just  handed him his pardon...his ticket to a long life...and he will be smugly rejoicing from his hovel deep inside Russia. Nevertheless, if  I were in the room with him, I would still beat the smug off his face with an American made baseball bat, carved out of northern White Ash, and leave him lying half dead and bleeding on his cheap linoleum tiled floor.  Then I would throw his SF-86, stapled in the corner, dog eared, and with his updated contact information, his address in Russia,  and signed in pen, on top of him, and tell him he's excused...