CIA pulled officers from Beijing after breach of federal personnel records (opens in new tab)

But who would you prosecute for what? It is easy to start pushing people under the bus, but when you look at cases like this you often find that it is an organisational failure, not an individual one.

That's why I really like the NTSB's style of investigation (they're the people who investigate air crashes). Instead of going in and trying to pin it on one person, they look at procedures, organisational communications, chains of command, the whole works.

Most of their reports don't come out and say "engineer John Smith caused the accident by forgetting to tighten this bolt!" They say, we looked at John Smith, we found the mistake, then we looked at how John Smith's work is monitored, the procedures for this repair, the training given, what their manager did, their working conditions, etc.

Then finally they come up with some recommendations so it cannot happen again. These are normally procedural, training, and organisational changes, rather than simply saying "nobody should make mistakes ever again or jail!"

This is what we need for information security leaks like this. We need an NTSB-style org to come in, pull apart the organisation and how they operate, give everyone criminal immunity so they talk openly, and then generate concrete changes so this never happens again (and ideally send these changes to other departments).

... Or just jail everyone, whatever...

Isn't that what this article is about? We are pretty certain that this was an act of espionage by another nation state. Criminal investigations are not how you respond in those cases (unless we found the agent on our soil, which AFAIK we did not).

What is curious is that we aren't sure what the norms are for how to respond to cyber espionage, unlike with in person espionage which had a whole set of responses we could fall back on.

For what it's worth, the CIA is the only federal agency that keeps their own employee records. Everyone else goes through OPM. They (rightfully) assumed that OPM couldn't keep secrets and that's where we find ourselves today. It's probable that these records are printed, locked in a vault.

James Clapper, the DNI, heads 16 intelligence agencies under him, one of which (CIA) didn't have their records stolen. Though the budget breakdowns are not disclosed, arguably, they are the largest of the bunch and only ones that have deployed field operatives.

Being bad at defense doesn't necessarily imply being bad at offense. Security is hard because you have to win 100% of the time. Being good at cyberespionage means getting a win now and then. I'm not saying the US is good at it, just that neither the OMB breach nor the Snowden incident bear on that. And a lot of the info released by Snowden indicate they were pretty good at it (at least targeting their own citizens) or those disclosures wouldn't be such a big deal.

I imagine Clapper was more focusing on offensive capabilities here. Not to mention, Clapper's quote is taken out of context, he wasn't bragging, he was arguing against a tit-for-tat retaliation.

Defensive is interesting considering how many federal departments there are and how they're all pretty autonomous in regards to IT. Going after employment records was especially devious as they aren't classified, so whatever requirements OPM had to follow weren't very stringent.

The real issue here, and something that affects the private sector as well is why are we not treating all IT data as classified? Why all the half measures? I think we're still in the early stages of digitization and automation and have to learn security lessons the hard way.

Also in autocratic states where information is tightly controlled, hacks like this don't make the news. We have no idea what the NSA is actually doing in these countries outside of Snowden, whose data is mostly (all?) domestic programs. And the stuff we do know about like Stuxnet, only come out because certain people wanted to turn it into a political football.

Yesterday I was wondering why encryption is not the default. Government shmovernment, but I remember looking up how to password-protect directories in Windows 95 (sorry to everyone else on HN who got started on an Apple II). It wasn't until college that I figured out that you can easily navigate the directory structure in another machine by just plugging in hard drives to a machine running a different OS. I look at people's nude pics of themselves by PC/phone repair people, and I'm convinced that there is no good reason why data should be stored in plain text. But now search comes into the picture, and it's expected and we're probably stuck with it for my lifetime

I believe you're talking about https://news.ycombinator.com/item?id=10291691

That smells fishy, as it would be something exploited immediately by any anti-submarine vessel.

Be thankful for that. Cyberattacks are so hard to trace back that it's very easy to set up a false-flag operation. Framing someone else for your attack would become a simple way of starting a war between two of your opponents.

What makes you think we're not already responding in kind?