If your enterprise trades in sensitive information, especially as it pertains to security clearances with the U.S. Government and its employees, business associates, or vendors, it's safe to assume you are under cyber attack right now. Actually, considering the facts and risks, it's probably reckless not to.
It's always nice to be quoted along with an ex-head of the Central Intelligence Agency, especially when it's a four-star general, and you share the hometown of Pittsburgh, PA. Michael Hayden commented on the OPM breach and its impact on the private sector in the AFP's online letter by Andrew Deichler.
Last week, the U.S. Office of Personnel Management (OPM) revealed that it had incurred a second data breach that compromised more than 21.5 million people—much larger than the other hack the agency recently endured. The incident has severe implications for the multitude of private companies that contract with the federal government.
Michael Hayden, former head of the Central Intelligence Agency and a keynote speaker at the 2011 AFP Annual Conference, believes that the effects of the OPM hack could last for nearly half a century.
According to Hayden and other former CIA officers, the data breach has created a massive counterintelligence threat that could easily last 40 years — until the youngest members of the federal workforce enter retirement.
Dan Verton, Fedscoop.com, July 12, 2015
We chimed in.
“If your company works for the government and has employees and contractors with security clearances, it’s essential to review the flow of this information up, down, in and out of the organization with a particular focus on individual operators and perimeter operating environments.”
Either your enterprise is being explicitly targeted by hackers because your business deals in security clearance level data, or you are caught in a vast net thrown over a volume of strategically aligned targets for the sake of potentially something much more contrived and sinister.
Mark the moment, it's time: the amnesty period is over. There is no risk-elimination, only mitigation. Breaches will happen, we will pay the price, learn, evolve, and drive the easy money out, but the tolerance for any lack of serious preparation and preventative measures is over.
Review information gathering, processing, and storing procedures, and individual accountability for compliance.
Determine where the information flows in and out of the enterprise, especially as it pertains to non-IT managed networks and devices, and add measures that may be outside the IT department’s scope or purview.
Have conversations and open the lines of communication, particularly at these junctures.
Be sure your incident reporting process is bulletproof.