Clarke said that while the breach has been traced to China, that doesn't mean it was necessarily the Chinese government. He said that there's a difference between what data they managed to access and what they took.
"I haven't talked to anyone who said that they took any security clearance information," Clarke said. He added that until a thorough forensic analysis is complete, all we'll know for sure is that they got some personally identifiable information.
Jean Taggart, senior security researcher at Malwarebytes, agrees. "Because of the data that was breached, everyone is pointing to possible involvement by nation-states," he says. But unless the U.S. government says that was the case, it's just not possible to make that assumption. In addition, Taggart wonders how anyone could have exfiltrated 4 million dossiers without anyone noticing, considering the bandwidth utilization.
While OPM has promised credit monitoring and identity theft protection for the affected employees, the reality is that those are the least of their worries. Instead, those federal employees will have to be on guard against social engineering attacks the likes of which they've never seen before.
The attackers will have the information they need to look like anyone in a person's present or past. They will be able to weave convincing stories, some so good that the temptation to click on a link will be nearly irresistible.
In fact, this breach may result in some drastic measures on the part of federal IT managers, such as deactivating all embedded links in email so that they cannot be clicked on. But there is a lot more to phishing than just clicking on email links.
Because the stolen information includes addresses and phone numbers, these same employees will be subject to phishing phone calls and even fraudulent mail. These employees could be besieged by an unending flood of attacks from a number of sources.
And unfortunately, all it takes is one mistake by one employee to open the gates to even greater data theft. Clearly, the level of security needs to get higher, and it needs some fundamental change.
The whole idea that you can keep people out of a government-owned network is clearly false, but what needs to be done goes beyond perimeter defenses anyway. Now it's time to view the whole network and watch for anomalous behavior.
The idea that the network itself can be made impenetrable is clearly wrong. As Clarke has said repeatedly, the bad guys are going to get in, so the best you can hope for is keeping them from getting anything that's important.
Clarke suggests that one important change would be to stop using Social Security numbers as a basis for identification. "They have to stop," he said. "They have to come up with some other method." Meanwhile, Clarke wonders why OPM didn't encrypt the data to make it useless if it was taken. "Why can't you pass a law that you can only store in an encrypted database?"