Page 8 - GCN, Oct/Nov 2016

CYBEREYE
BY BRIAN ROBINSON
The final word on the OPM breach?
A House report on the massive data breaches at OPM should lead to major reforms in how agencies tackle cybersecurity.
When the data breaches at the Office of Personnel Management were revealed in 2015, it took some time for people to come to terms with the damage that had been wrought. In the end, more than 20 million government employee and contractor records were compromised, and OPM executives lost their jobs.
A report released Sept. 7 by the Republican majority staff of the House Oversight and Government Reform Committee claims that the loss of background investigation information and fingerprint data “will harm counterintelligence efforts for at least a generation to come.”
That’s unlikely to be the last word. The Democrats on the committee have already rejected at least some parts of the report, claiming factual deficiencies and insufficient blame attached to federal contractors. OPM asserts the report doesn’t reflect how much progress it has made on security since the breaches were discovered.
Nevertheless, the report is the most comprehensive official account to date of what happened at OPM, and it presents what could turn out to be a model for what not to do and a template for how to design security to prevent future breaches.
As far back as 2005, OPM’s inspector general warned that agency data was vulnerable to hackers. The risk was upgraded to a “significant deficiency” in 2014. Even as recently as November 2015, months after the breach was revealed, the IG was still complaining that OPM was not meeting the requirements of the Federal Information Security Management Act.
Furthermore, OPM used multifactor authentication for only a small fraction of its staff, despite a policy from the Office of Management and Budget issued several years before the breach. OPM also allowed key IT systems to operate without a security assessment and a valid authority to operate.
The U.S. Computer Emergency Readiness Team notified OPM as early as March 2014 that someone was snatching data from its network. OPM then monitored the hacker for two months to get a better idea of the threat. Fair enough, except that by focusing on the first hacker, OPM missed another who, posing as a contractor, installed malware and created a backdoor. The agency eventually tackled the threat posed by the first hacker, but the second hacker went unnoticed and remained in the system — and successfully stole data.
The agency used tools from Cylance but only after the breach caused by the second hacker was identified — despite the fact that OPM’s security director had recommended using the Cylance tools way back in March 2014, after the discovery of the first hack.
OPM, to its credit, seems to have hustled to repair both its security and its reputation. Acting Director Beth Cobert has listed a series of steps the agency has taken, including imposing multifactor authentication for anyone accessing the agency’s network, shoring up the web-based systems used to gather information for employee background investigations, implementing the government’s continuous monitoring program and working with the Defense Department to construct a new IT infrastructure for background checks.
Notably, OPM has also brought on a senior cybersecurity adviser who reports to OPM’s director and has centralized cybersecurity resources and responsibilities under a new
chief information security officer. Those moves are as important as any security technology. As the House report notes, the breaches at OPM represent “a failure of culture and leadership, not technology.” The security tools that could have prevented the breaches were available, but OPM officials failed to recognize their importance.
The publication of the House report and its damning details should lead to major reforms in how agencies tackle cybersecurity. If those reforms don’t come about after what is widely considered one of the biggest security failures ever, then you have to wonder what it will take.