Encryption security

We might all be focused on cybersecurity, hackers and other malign online actors, but one shouldn’t forget the biggest threat to privacy is one’s own government.

Plenty of Swedes are discovering that today after a remarkable security breach during the privatisation of the IT system of the Swedish Transport Agency was revealed. The breach happened in 2015, when the outsourcing process at the agency meant many of the records related to both military vehicles and people with protected identities were openly available to IT workers in eastern Europe. Details on security planning might also have been made available.

“What happened in the transport agency is a disaster. It is extremely serious,” the Swedish Prime Minister said yesterday. The outsourcing company, IBM, was not responsible for the breach. Instead, according to a BBC report, the Director-General of the Transport Agency, Maria Agren, who has since left, decided at the time of the privatisation to ignore Sweden’s National Security, Personal Data and Publicity and Privacy Acts. Agren has since been fined the equivalent of $8000.

The breach demonstrates that agencies ostensibly unrelated to national security can pose a significant threat to it. In 2015, the US Office of Personnel Management (OPM) was hacked by the Chinese government, with personnel data on over 20 million Americans stolen. The OPM did security clearances for the federal government but didn’t handle clearances for military or intelligence workers. Except, problematically, many workers in both defence and intelligence agencies have often worked in, or rotated into and out of, non-defence and non-intelligence agencies elsewhere in the US government, meaning their details would have been in the vast quantities of data downloaded in Beijing.

The hack of the OPM turned out to have been caused by the fact that its IT systems were antiquated because the US government hadn’t bothered funding it properly for years. In December 2016, the General Services Administration, which provides admin, HR and IT services for a number of agencies including OPM, announced it was outsourcing its IT services. The winner of the contract? IBM.