I wrote the following up in response to a mailing list thread on some sort of anti-OPM petition campaign. I think the original email and a subsequent follow-up from me to a bunch of replies deserve repeating here:

Part 1:

I’m calling shenanigans. Why are we picking on OPM???

We’re seeing numbers like “76% of organizations breached in past 12
months”.  Or “97% of networks have been breached” etc (the numbers are
coming from all over – and back up anecdotal evidence – so whichever
source you do or don’t believe, it’s still “a whole damn lot”).

Many of these organizations do have sucky security. Many … do not.
Many are, actually, pretty good at it.

What does this mean? It means that, in today’s world, keeping your
network clean, over time, is next to impossible.  It requires a level
of competency and diligence that few organizations have in any other
respect than their core business competencies.  It also means that
bemoaning the state of government cybersecurity over that of private
industry cybersecurity is just…talk.  *Everyone* is getting owned,
at some point or another.

Publicly flaying OPM does absolutely nothing good and it harms our
collective ability to get better in the future.

How/Why?

Because one of the major roadblocks to real improvement is the infrequency of organizations willingly
admitting – publicly or even, often, to themselves – that they’re having a
really tough time with security…..mainly because exactly this
type of villagers-with-torches response occurs when they do.

Being unable to admit difficulty/failure, they’re unable to work publicly together
or with other institutions and organizations to collectively figure out a way
forward.

Im sure OPM committed all sorts of infosec sins. Im sure they acted
with classically government idiocy in some respects.

But they would have been compromised anyway by the people who
compromised them in order to get the data that was gotten. Just like
everyone else.

If we can stop making things so damn adversarial, maybe we’ll be able
to get together and stop….losing….so badly.

Part 2 (Response to a lot of dialogue):

Thanks for all the thoughtful responses so far. FWIW, I suggest
taking my points in total, as they were meant to be:

1. L* and A* are right, you can protect “the crown jewels” if you
try hard enough. But, that’s really not enough to reduce the
environmental conflict level, so it really is only an intense holding
pattern.

2. While this is possible, everyone is making mistakes anyway – it’s
just a matter of degree of mistakes. In fact, that’s the deep nature
of the problem: It’s too hard to not screw up eventually (even
protecting crown jewels).

3. Some companies make “better” mistakes than others
(Kaspersky/LastPass’s post exploitation activities being a good
example of “better mistakes”), but it’s a matter of degree of mistake
vs a matter of “not doing some  that we
know sustainably works with a sufficiently low error rate”

4. Although the government (or any organization with important data)
should, from a “fairness” perspective, be held to a higher level of
accountability, from a practical standpoint, that’s actually not
*helpful* at this stage – which was the central point of my original
post.  This is because:

5. …even if we hold everyone who needs to be held accountable to
make the “best mistakes” possible, it doesn’t get us where we need to
be ***and*** has the side affect of creating an environment which is
hostile to admission of failure.

6. Without candid admission that “we need a whole new re-think of this
problem space”, we’re going to keep doing the insane – more of the
same and expecting different results. Further investing in infosec as
we know it, or limiting protection to crown jewels, simply delays the
inevitable.

7. The “inevitable” without change is a level of constant hostility
and conflict that will escalate until even protecting the crown jewels
will not be sufficient for people to be able to do business
economically online (or until the profitability/value curve for the
adversaries flattens).

8. So instead of beating up OPM, we should be taking a long hard look
at the very long list of crappy companies and excellent companies who
have been breached and ask ourselves “What’s missing”

9. Because, right now, a list of “InfoSec Best Practices” is a list of
activities that aren’t sustainably working.