It would now appear that last year's government employee database break-in was far worse than it originally appeared.
It seems that whoever broke into the database got the names, personal information and Social Security numbers of every single federal employee, as well as many former members of the military.
That's right, even your postman got his private information stolen.
If you're a vet, there's a good chance you did too.
So who did the hacking?
Well, it would appear that once again it was the Chinese, at least according to Senate Minority Leader Harry Reid.
Now, I'm no fan of Reid's, but in this case he's probably correct — even though he's mealy-mouthing it by stating he's not sure whether it was the Chinese government or private citizens.
As if there's a difference in this case.
The problem here is that we're not treating cybersecurity at all like we should.
First we rely entirely too heavily on passive defense — firewalls, passwords and such.
Certainly those are important, but the real issue is that we — as a nation — do not look at cyberthreats the way we should.
First, we need to quit hamstringing ourselves. I don't claim to be an expert on the technical details of cybersecurity; however, the fact that counter-hacking is illegal in the U.S. strikes me as incredibly stupid.
We're currently doing the equivalent of a school-yard kid getting smacked in the nose by the bully and standing up and saying "please sir, may I have another."
When we get hit, we do — essentially — nothing. We try to find the hole the hackers got in through and plug it (often creating other vulnerabilities in the process) and pray they don't get in again.
Then we prosecute the offenders, if we can catch them, which, usually, we can't.
What we need to do is allow counter-hacking. We need to allow security professionals the ability to track an attack back to its home system and then counterattack.
We also need to stop treating nation-state cyber attacks as a criminal matter.
Given the interconnected nature of the world, and the civilized world's reliance on technology and the net, a cyberattack is really no different than a physical one.
Stop and think for a minute — why would the Chinese want personal information on government employees?
Simple. With that information they can do untold damage. They can figure out passwords and come up with information allowing them to blackmail employees. They can do untold damage to our national security; secrets can be stolen, and ever more secure databases can be accessed.
I've written before about how trust is the basis of civilization. It's also the basis of modern technic society.
We trust that when we enter a credit card number into Amazon it's secure. We trust that when we give personal information online or to the government it won't be stolen.
Nearly all commerce goes through the internet at some point these days; nearly all personal information is stored somewhere online.
Now imagine what happens when we can no longer trust any of that. Go ahead, I'll wait.
This is what I mean when I say we have to stop treating cyberattacks as a criminal matter. They are acts of war and should be treated accordingly.
Now, I'm not suggesting we invade mainland China. I am suggesting, however, that we are already in a cyberwar with China, the Russians and the Iranians, just to start (there's some indication the Iranians have a very sophisticated cyberwar capability), and we're losing, because we're not fighting.
We need to hit back, and hit back hard, to make clear the costs of attacking us far outweigh the benefits. Before it's too late.
All IMHO, of course.
— Patrick Richardson is the managing editor of the Pittsburg Morning Sun. He can be emailed at email@example.com, or follow him on Twitter @PittEditor.