This is gold:
"OPM CIO Donna Seymour said that systems couldn't simply have encryption added because some of them were over 20 years old and written in COBOL."
Agreed. It is fascinating to me, having been on the other side of the "it would cost too much to re-implement" discussion when I was at Sun and NetApp and talking to some large enterprise type customers, the flip question is "What does it cost for the current implementation to fail?"
Few people have direct experience with that, remember that many of these systems are essentially the "second" generation of automation that has gone on in government. Systems built in the 90's were not even imagining the kinds of drive by side-load sandbox hopping attacks that are routine today. I expect it to get worse before it gets better but the new Digital Service has some interesting ideas there. I fear such things will lead to nationalizing the Internet as well and that bothers me, I still believe (perhaps naively) that it is possible to secure large networks from even persistent threats given the tools at our disposal.
It is kind of interesting that on one hand people are talking about how rewriting is bad (especially managers like to think that any subpar solution should be kept around just because it works 90% of the time) and the other side is how much money you can lose because you refuse to reimplement.
When it comes to security I think it is extremely dangerous go for the first one as the example shows.
"It would be incorrect to say that these older systems (especially the COBOL code) couldn't be updated to support encryption, however. There are numerous software libraries that can be used to integrate encryption schemes into older applications, including libraries from PKWare. Other government agencies and financial institutions already utilize such software, according to Matt Little, VP of Product Development at PKWare. The problem is that, as DHS Assistant Secretary for Cybersecurity Andy Ozment noted during his testimony, OPM didn't have the kind of authentication infrastructure in place for its major applications to take advantage of encryption in the first place. Encryption, he said, would "not have helped in this case."
This is probably just part of the story. The other part is that most systems that are that old are probably black boxes by now. Everyone who knew at one point in their life what those systems actually do has retired by now. 'Simply' adding encryption, even with other libraries as mentioned in another comment would require knowing what these systems actually do. There is no magic encryption blanket that you can just toss over things.
Speaking as someone personally affected by all this, I can tell you that encryption most certainly would have helped if used in a system designed with modern security principles in mind. But (especially in government) there is no incentive to redesign a functioning system. There isn't any money available to fund the work, and there is no specific legal liability that poses a risk if you don't.
It's not surprising that corporations and governments don't take steps to avoid these problems when an 18-month membership in some identity theft insurance program is considered equitable compensation for losing 10-years' worth of personal information.
6 comments
[ 3.4 ms ] story [ 23.9 ms ] threadFew people have direct experience with that, remember that many of these systems are essentially the "second" generation of automation that has gone on in government. Systems built in the 90's were not even imagining the kinds of drive by side-load sandbox hopping attacks that are routine today. I expect it to get worse before it gets better but the new Digital Service has some interesting ideas there. I fear such things will lead to nationalizing the Internet as well and that bothers me, I still believe (perhaps naively) that it is possible to secure large networks from even persistent threats given the tools at our disposal.
"It would be incorrect to say that these older systems (especially the COBOL code) couldn't be updated to support encryption, however. There are numerous software libraries that can be used to integrate encryption schemes into older applications, including libraries from PKWare. Other government agencies and financial institutions already utilize such software, according to Matt Little, VP of Product Development at PKWare. The problem is that, as DHS Assistant Secretary for Cybersecurity Andy Ozment noted during his testimony, OPM didn't have the kind of authentication infrastructure in place for its major applications to take advantage of encryption in the first place. Encryption, he said, would "not have helped in this case."
It's not surprising that corporations and governments don't take steps to avoid these problems when an 18-month membership in some identity theft insurance program is considered equitable compensation for losing 10-years' worth of personal information.