As the adage goes, politicians can simply never let a good crisis go to waste. So it was no big surprise when formerly infosec-apathetic lawmakers seized upon last year's dramatic Office of Personnel Management (OPM) hack to bolster the languishing and controversial Cybersecurity Information Sharing Act (CISA). But contrary to the pro-CISA crowd's claims, "insufficient sharing" of our personal data by corporations and government agencies had nothing to do with the failure at OPM—and a new joint report from the FBI and the Department of Homeland Security (DHS) makes this clear. No, according to these agencies, we can blame the OPM failure on good, old-fashioned bureaucratic incompetence.

Sean Lyngaas of FCW obtained the report, which identifies a "lack of strong IT policies" as a key factor that led to the breach and still leaves OPM at a "high risk for future intrusions." And what do DHS and FBI believe would help? Not CISA-style information sharing but better identity-management controls and data-analysis tools.

Overall, the report lends more support to what information-security experts have held throughout the CISA debates: organizations do not get hacked for a lack of government data extraction.

Continue reading