by discardorama 3921 days ago
When Chelsea Manning leaked the documents, no one was put in danger.

When Snowden leaked the documents, no one was endangered.

This breach, and lots of people are endangered.

But are you getting calls for criminal investigation? Are heads rolling (other than the head of OPM, who was hated anyways)?

2 comments

But who would you prosecute for what? It is easy to start pushing people under the bus, but when you look at cases like this you often find that it is an organisational failure, not an individual one.

That's why I really like the NTSB's style of investigation (they're the people who investigate air crashes). Instead of going in and trying to pin it on one person, they look at procedures, organisational communications, chains of command, the whole works.

Most of their reports don't come out and say "engineer John Smith caused the accident by forgetting to tighten this bolt!" They say, we looked at John Smith, we found the mistake, then we looked at how John Smith's work is monitored, the procedures for this repair, the training given, what their manager did, their working conditions, etc.

Then finally they come up with some recommendations so it cannot happen again. These are normally procedural, training, and organisational changes, rather than simply saying "nobody should make mistakes ever again or jail!"

This is what we need for information security leaks like this. We need an NTSB-style org to come in, pull apart the organisation and how they operate, give everyone criminal immunity so they talk openly, and then generate concrete changes so this never happens again (and ideally send these changes to other departments).

... Or just jail everyone, whatever...

Isn't that what this article is about? We are pretty certain that this was an act of espionage by another nation state. Criminal investigations are not how you respond in those cases (unless we found the agent on our soil, which AFAIK we did not).

What is curious is that we aren't sure what the norms are for how to respond to cyber espionage, unlike with in-person espionage, which had a whole set of responses we could fall back on.

Criminal negligence?

Certainly, negligence that should incur public disgrace.

Also arguably demonstrating one of the points made by the whistleblowers: You can't trust the government to properly manage all the information they are collecting.

This isn't negligence. Instead of trying to protect data and networks the US government has made "cyber crime" a military issue. They've been doing it deliberately and publicly, for over a decade. Domestically they followed the same plan: companies get protection (financial, legal, image), discouraging them from taking security seriously, and individuals get the CFAA which has a similar effect. They want data and network security to be a military problem, not to encourage security.

We can't blame the OPM for the security issues. They were a victim of a bad national strategy.

If you "see something, say something" unless it's about cyber security.

Purposeful negligence?

It should be prosecuted, in the court of public opinion if no one will bring it to a judicial court.