It has been well-known now that in April 2015, the Office of Personnel Management suffered a data breach of millions of government employees’ and contractors’ personal information. Since that time, the Director of OPM has stepped down, and the government has begun to send notices of the breach to those affected. There is even a bill introduced in Congress to offer significant relief to those whose information was lost. But, the one thing that hasn’t happened is the disclosure of the identity of the hackers, and it appears that may not change.
While it privately points the finger at China for massive hacking into the personal data of millions of federal employees, the U.S. government does not plan to publicly blame Beijing, U.S. officials said on Wednesday.
President Barack Obama’s administration is still debating how it should respond to the breaches, which American officials acknowledge were huge and damaging. China denies any involvement in hacking U.S. databases.
Obviously, this breach is somewhat different from breaches into Anthem, or Target, in that the breach occurred against the federal government. And if it is true that a foreign sovereign government perpetrated it, there is a layer of national security to be guarded. But, if the US government knows the perpetrator, does it not have a duty to identify its findings to the actual victims of the breach for their own safety and security?
The most similar data breach to the OPM breach might be the Sony hack. When North Korea hacked Sony, the US government offered evidence that North Korea was behind the attack.
There is “not much in this life that I have high confidence about,” Comey said at the International Conference on Cyber Security at Fordham University in New York. “I have very high confidence about this attribution — as does the entire intelligence community.”
The FBI last month attributed the attack to North Korea — a rare instance in which the U.S. government has publicly accused another government of carrying out a specific cyberattack. In a statement, the bureau cited a “technical analysis” of malicious software used in the operation. The analysis revealed links to other malware used previously by North Korean actors, the bureau said. The FBI also said the attack was linked to several Internet protocol addresses “associated with known North Korean infrastructure.”
So, if National Security did not preclude pointing the finger at the known perpetrators, why does it preclude it now? And when will the government offer its findings to the victims of the data breach itself?