Hacking John Brennan, Hacking OPM

In Salon, I’ve got my take on the hack of John Brennan’s AOL account by a 13-year-old stoner.

While I think it sucks that WikiLeaks posted unredacted data on Brennan’s family, I’m not at all sympathetic to Brennan himself. After all he’s the guy who decided hacking his SSCI overseers would be appropriate. He’s one of the people who’ve been telling us we have no expectation of privacy in the kinds of data hackers obtained from Verizon — alternate phone number, account ID, password, and credit card information — for years.

But most of all, I think we should remember that Brennan left this data on an AOL server through his entire Obama Administration career, which includes 4 years of service as Homeland Security Czar, a position which bears key responsibility for cybersecurity.

Finally, this hack exposes the Director of the CIA exercising almost laughable operational security. The files appear to date from the period leading up to Brennan’s appointment as White House Homeland Security Czar, a role in which a big part of Brennan’s job was to prevent hacks in this country. To think he was storing sensitive documents on an AOL server — AOL! — while in that role really demonstrates how laughable the practices are of those who purport to be fighting hackers as the biggest threat to the country. For at least 6 years, the Homeland Security Czar, then the CIA Director — one of the key intelligence officials throughout the Obama Administration — left that stuff out there for some teenagers to steal.

Hacking is a serious problem in this country. Like Brennan, private individuals and corporations suffer serious damage when they get hacked (and the OPM hack of Brennan’s materials may be far more serious). Rather than really fixing the problem, the intelligence community is pushing to give corporations regulatory immunity in exchange for sharing information that won’t be all that useful.

A far more useful initial step in securing the country from really basic types of hacking would be for people like Brennan to stop acting in stupid ways: to stop leaving both their own and the public’s sensitive data in places where even stoned kids can obtain it, and to provide a good object lesson in how to limit the data that might be available for malicious hackers to steal.

I would add, however, that there’s one more level of responsibility here.

As I noted in my piece, Brennan’s not the only one who got his security clearance application stolen recently. He is joined in that by 21 million other people, most of whom don’t have a key role in cybersecurity and counterintelligence. Most of those 21 million people haven’t even got official notice their very sensitive data got hacked by one of this country’s adversaries — not even those people who might be particularly targeted by China. Like Brennan, the families of those people have all been put at risk. Unlike Brennan, they didn’t get to choose to leave that data sitting on a server.

In fact, John Brennan and his colleagues have not yet put in place a counterintelligence plan to protect those 21 million people.

If it sucks that John Brennan’s kids got exposed by a hacker (and it does), then it sucks even more that people with far fewer protections and far less authority to fix things got exposed as well.

John Brennan should focus on that, not on the 13-year-old stoner who hacked his AOL account.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

12 replies
  1. orionATL says:

    more relevant to the nation’s political future, and more delightfully ironic, wasn’t it john-the-butcher’s cia whose very punctilious decisions about the proper classification (including what can be called “retrograde classification”) of some of the emails sent to sec clinton’s at-home computer network fueled herr congressman-prosecutor gowdy’s “let’s get clinton” witchhunt?

    will prosecutor gowdy inquire of these brennan-works-at-home matters also?

    hint: offers a great opportunity to slog thru benghazi one more time.

    • phred says:

      Petro!!! Nice to see you : ) And thanks for the reminder of our dear skdadl : ) Good vibrations, indeed : )

    • Jim White says:

      Petro! So great to see you. Hope this autumn finds you and yours doing well.

      Skdadl was such a delightful intellect. Thanks for the reminder of her.

      • orionATL says:

        florida power probably (actually, certainly) has in place something called “peak pricing” or the like. this means that the homeowner gets reductions in the monthly bill because the owner (previous?) agreed to save money by not having the water heater use electricity in “peak use” time, eg, for florida, all spring, summer, and fall, day and night – just kidding. peak overload is, in florida, whenever ac’s (industrial and commercial as well as residential) are demanding lots of juice. that’s when utilities have to pay the expenses to run those “little” standby generators.

        you can probably dump it if you want (unless code), but you actually might want to call florida power and talk with one of their engineers to see what better they have now. a local electrical inspector can also be helpful, if knowledgeable and personable?

        actually, if you have lived thru teens showering in your house, you likely don’t have anything to worry about.
        but, with reduced load (fewer teens and fewer complaints:) ), you might save money by signing up for an even more rigorous load control program (not just w.h., but a.c. also). i believe monitoring is done by sending certain frequencies thru the electrical wires, same as usage meter reading in many places. if you already know all this, maybe this will reinforce signing up to go further and save more :)

        my bias – time-of-day pricing is good environmentally, which, like cfl and led bulbs, has greatly matured technically and cost-wise.

  2. phred says:

    I have a different view of the exposure of Brennan’s family… I don’t think it sucks at all. I think it provides a teachable moment.

    The blithering idiots who carry on about “having nothing to hide” are obviously wrong and I won’t rehash well trodden ground. However, I think what often gets overlooked is the interconnectedness of digital information. Email, texts, facebook posts, tweets, etc., don’t exist in isolation. They are forms of communication that link everyone. How many times have privacy advocates been chided that “if they don’t like it, they can opt out”. Except we can’t.

    I have friends, family, and professional contacts that share information about me digitally, simply because that’s the way information works. There is no opting out for any of us. Not for me. Not for Brennan’s kids. That is why privacy and data security are so important. No one should have to read about their lives in such a public forum. Maybe Brennan’s kids will teach him a lesson. But I doubt it.

    • orionATL says:

      i agree.

      it is not the same as wishing evil on someone to say “serves him right”. might his family being included – which i doubt bothers john-the-butcher a whit – be an object lesson in collateral damage?

      not heartbreaking though, as with the collateral-damage mutilations at a droned desert wedding party.

  3. bloopie2 says:

    Soon we’ll all be stoners, and then, hacking away.

    Christian Science Monitor: “Pot use doubled as laws slackened – even before all out legalization” As more states consider legalizing recreational marijuana, a study published Wednesday confirms that a higher percentage of marijuana dependence and abuse corresponds with increased user statistics.

    And I agree wholeheartedly with phred that this is truly a teachable moment. We can do more of those, to prove to the powers-that-be. Film their children coming and going from school (yikes, shades of Law & Order) (just like license plate readers and surveillance cameras). Hire investigators to build dossiers on IC folk and their kin, from publicly available information (just like NSA programs). Etc. Turnabout is fair play.

  4. omphaloscepsis says:

    “Most of those 21 million people haven’t even got official notice their very sensitive data got hacked”

    They have been sending out letters to those affected. But they’re only 25% through their projected timeline for doing so, so “most” is probably correct.

    https://www.opm.gov/cybersecurity/

    “We have begun sending notifications to the 21.5 million individuals impacted by the cyber intrusion involving background investigation records. Due to the number of people impacted and because the nature of the information stolen has national security implications, it important that we take the time necessary to make sure the notification process is carried out carefully. We ask for your patience, as we estimate notifications will continue for approximately 12 weeks.”

    https://www.opm.gov/blogs/Director/2015/10/1/Notifying-Those-Impacted-by-the-Recent-Cyber-Intrusion

    “1 Oct 2015

    Yesterday, we began mailing notification letters to the individuals whose personal information was stolen in a malicious cyber intrusion carried out against the Federal Government. Impacted individuals will be notified by OPM via U.S. Postal Service mail. Email will not be used.”

    They modified an existing contract with a company in Portland OR:

    https://www.opm.gov/news/releases/2015/09/opm-dod-announce-identity-theft-protection-and-credit-monitoring-contract

    “Tuesday, September 01, 2015

    WASHINGTON, D.C. – The U.S. Office of Personnel Management (OPM) and the U.S. Department of Defense (DoD) today announced the award of a $133,263,550 contract to Identity Theft Guard Solutions LLC, doing business as ID Experts, for identity theft protection services for 21.5 million individuals whose personal information was stolen in one of the largest cybercrimes ever carried out against the United States Government. These services will be provided at no cost to the victims whose sensitive information, including Social Security numbers, were compromised in the cyber incident involving background investigations.

    ID Experts will provide all impacted individuals and their dependent minor children (under the age of 18 as of July 1, 2015) with credit monitoring, identity monitoring, identity theft insurance, and identity restoration services for a period of three years.”

    That works out to less than $7 per person.

    GSA price list for each task in the second link below (e.g., $741 per case for “ID Recovery Services”):

    http://elibrary-test.fas.gsa.gov/ElibMain/contractorInfo.do?contractNumber=GS-23F-0037T&contractorName=IDENTITY+THEFT+GUARD+SOLUTIONS%2C+LLC&executeQuery=YES

    https://www.gsaadvantage.gov/ref_text/GS23F0037T/0JDA7V.2AK4D5_GS-23F-0037T_GS23F0037TIDEXPERTSSCHEDULE.PDF

    Co-founder of the company:

    https://www.linkedin.com/in/ricklkam

    https://twitter.com/rickkam

    More free advice from the government:

    http://www.consumer.ftc.gov/blog/opm-data-breach-what-should-you-do

    • emptywheel says:

      Thanks for the links! I know of a number of people who’ve not got notice who are probably particularly exposed for one or another reason.

  5. Evangelista says:

    In regard to concerns for the privacies of persons whose emails are hacked by “unauthorized” hackers [instead of by the same, or worse, ilk who are government-employed (by a usurping exo-Constitutional imperial, instead of republican, and so, in fact, illegal, government) and so “authorized” hackers, whose purpose is to do more than only blow your private-life into the public realm], unless the Federal Aviation Agency has changed its procedures since I was issued a pilot’s license, pilot’s license numbers are the recipient’s social security number. For this, all SSno. “guarded” information of people who fly aircraft, or ones who were licensed to before any change, if there has been one, is accessible through calling up their license information and then running with the nine-digit number appropriately hyphenated.

    “Privacy” in the Modern Computer Age Imperial United States is in the mind of the believer and nowhere else.

Comments are closed.