The wholesale assignment of these privileges to people who did not need them, demonstrated by their lack of access, creates a security and privacy hazard. Regardless of whether the individuals given this access exercised it, the fact that the privileged credentials were issued in the first place creates risk.
13. The risks are not limited to abuse committed by the authorized holders of the privileged access; credentials can be stolen or compromised and abused. The Principle of Least Privilege is also about minimizing the “attack surface” of an agency by minimizing the number and value of targets.
14. That the Defense’s declaration contends that the access was originally appropriate underscores that the Government does not understand or appreciate the risks that the Privacy Act was created to mitigate, and telegraphs that they could easily decide to repeat the same decisions at any time. For this reason I support enjoining them until the Court can ascertain whether their behaviors comply with the law.
18. For me to possess administrative access over OPM’s data systems for no reason other than my role as Deputy CIO would have been an egregious violation of good security practices, as I had no need for any special access or privileges on these systems, even in a position of authority over the teams operating them.
21. I observe that Mr. Hogan himself was granted sweeping “Global Admin” privileged access to OPM systems. See Document 64-1, at 9-10. While this is consistent with the defense’s incredulity that I didn’t do something similar during my tenure, it underscores that the administration is prioritizing absolute control over risk management or compliance with the law.
Lambert here: “Mr. Hogan, do you know what a ‘thumb drive’ is?”
