Written by Dan Verton

In Plame site

Another prominent former member of the U.S. intelligence community has come out swinging on what she calls gross negligence in the wake of the massive data breach at the Office of Personnel Management.

Valerie Plame had a successful career at the CIA working to combat nuclear proliferation until her identity as a covert agency officer was deliberately leaked to the media in 2003 as part of an orchestrated campaign by senior members of the George W. Bush administration to discredit her and her husband, former ambassador Joseph Wilson, for work that contradicted the administration’s claims at the time that Iraq was seeking to acquire nuclear materials.

Plame recently joined the advisory board of Global Data Sentinel, a New York-based cybersecurity firm that develops an end-to-end data encryption capability for data at rest and in transit. And in an exclusive interview with FedScoop’s Inside Scoop, Plame says the OPM data breach has created threats for federal workers and their family members that will last a lifetime.

“There are endless vulnerabilities to the government workers and their families whose identities and personal data have been breached, and these will last a lifetime, since the information cannot be reverted,” Plame told Inside Scoop. “This information was not stolen to open fraudulent credit cards and make illegal purchases. It was taken in the hopes of identifying millions of top-level government workers – rendering them ineffective in doing their jobs, or worse, using the information to either blackmail or co-opt them into providing valuable security information,” she said.

According to Plame, few intelligence professionals are surprised by the fact that a foreign intelligence service targeted OPM data. She is surprised, however, by OPM’s inability to protect what many have called the crown jewels of federal data.

“Hackers are stealthy and proficient at what they do – they often work in teams in underground networks – so this information is already available on a global basis and could be anywhere for any group or foreign government entity to utilize as they see fit,” Plame said. “The IT technology employed by OPM could not track the breach, alert the proper authorities, or retract and protect the files after they left the server – so it is impossible to know where the information was sent and who it was shared with.

“Hacking and data theft have become so commonplace that shock, surprise and promises to do better are no longer meaningful excuses for not having the proper cybersecurity systems in place to alert, prevent and track a breach as it is happening,” said Plame. “Any excuse is unacceptable. Also, my understanding is that OPM did not even have a head of IT security until 2013. This is simply incompetence and gross mismanagement.”

OPM challenged on encryption — again

Inside Scoop isn’t the only one calling out OPM and the Department of Homeland Security for toeing the ‘encryption isn’t possible on legacy systems’ party line.

The Institute for Critical Infrastructure Technology recently delivered to Congress a detailed report on the OPM breach that challenges the conventional federal wisdom when it comes to encrypting data on legacy systems.

“OPM Chief Information Officer Ms. Donna Seymour testified that encryption was not possible on the COBOL legacy systems in OPM’s care. In actuality, libraries exist, such as PKWare, that integrate modern encryption on antiquated systems,” more than a dozen technology experts wrote in the ICIT report, Handing Over the Keys to the Castle. “The process may not have been cheap, but encryption was possible. Additionally, DHS Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would not have helped in this case because the actors had valid credentials. Even though this response is accurate to the current situation, it is not an admirable stance that other agencies should emulate.”

New Pentagon access cards

The Pentagon recently alerted the press corps to new access card requirements.

“After Labor Day (Sept. 7), you will no longer be able to use your current Pentagon building pass to access the Pentagon,” states an email from the Defense Department’s press office. “The badging office will replace your current blue Pentagon badge with a Pentagon Facilities Alternative Credential, or PFAC. In order to receive the PFAC, you will need to enroll in the Privilege Management Program (PMP), which allows for the transition from building pass to the PFAC for physical access to the building.”

The interesting thing about the PFAC is that it will require all Pentagon employees to provide an iris scan and a fingerprint biometric, a Pentagon source told Inside Scoop. Luckily for Defense Department employees, Inside Scoop has learned that the biometric data will be stored by the Pentagon Force Protection Agency, not OPM.

On the move

Aaron Hughes has been appointed to serve as the next deputy assistant secretary of defense for cyber policy. Hughes previously served as vice president for intelligence community support at In-Q-Tel.

Arsenio T. Gumahad II has been appointed deputy director of intelligence, surveillance and reconnaissance in the Office of the Under Secretary of Defense for Acquisition, Technology and Logistics. Gumahad previously served as the chief executive officer of Manassas, Virginia-based IC Vets Inc.

Got an Inside Scoop? Email me at dan.verton@fedscoop.com or follow me on Twitter @DanielVerton.