Republicans on the House Oversight and Government Reform Committee issued a report on the 2014 hack against the Office of Personnel Management (OPM), which resulted in the theft of data on 21.5 million federal employees. While the report is pretty scathing, it includes a number of cybersecurity recommendations for the agency that should be standard best practices for any large organization.
One of the suggestions included in the 12-point plan is to ensure that CIOs are empowered to affect change, and retained for longer than the current average tenure of just two years. The report also suggests reducing the use of Social Security numbers as identifiers; reducing the barriers to implementing IT security policies; stronger security on federal Web sites; and modernizing existing legacy information technology assets.
Glacial Response Time
The timeline laid out in the report paints a unflattering picture of the OPM’s response to the breach. The attackers first gained access to OPM systems in July 2012, thanks to the installation of the Hikit malware package on its network. Evidence of adversarial activity on the network goes back as far as November 2013.
But OPM wasn’t notified of the malicious activity until March 2014. Even then, the attacker was allowed to gain a foothold on the network in May of that year, at which point the hacker installed a backdoor to download the confidential personnel information and began downloading it in July 2014. The attackers continued to steal confidential personnel data from the system until March 2015 but the agency didn’t even realize what had happened until May of that year.
The CIA ultimately pulled many of its officers out of Beijing following the hack fearing that their identities may have been compromised. The Chinese government is widely thought to be behind the attack.
“The lax state of OPM’s information security left the agency’s information systems exposed for any experienced hacker to infiltrate and compromise,” according to the report. “Had OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft.”
We’ve Gotten Better
The OPM struck back at many of the report’s conclusions, arguing that those conclusions failed to reflect the progress the agency had made following the attack. “Over the past year OPM has worked diligently with its partners across government and made significant progress to strengthen our cybersecurity posture, and reestablish confidence in this agency’s ability to protect data while delivering on our core missions,” Beth Cobert, acting director of the OPM, wrote on the agency’s blog today.
Cobert said the agency has added both a senior cybersecurity advisor who reports to OPM’s director and hired a new chief information officer as well as a number of new senior IT leaders. The agency has also centralized its cybersecurity resources under a new chief information security officer, whose sole responsibility is to take the steps necessary to secure and control access to sensitive information, Cobert said.
OPM has also implemented a number of technological improvements, including requiring employees to use multi-factor identification to log onto OPM systems; implementing the Continuous Diagnostics and Mitigation program developed by the U.S. Department of Homeland Security to proactively detect cyber attacks; and improving its legacy IT infrastructure.