Congressional report faults OPM over breach preparedness and response

The massive breach at the US Office of Personnel Management (OPM) might have been prevented had the agency followed basic cyber-security guidelines, a congressional investigation claimed.

Lax security technology and ineffective leadership led to the exfiltration of personnel data, a congressional report determined.

The massive breach at the US Office of Personnel Management (OPM), announced in June 2015, might have been prevented had the agency followed basic cyber-security guidelines, according to the findings of a congressional investigation.

The 231-page report [pdf], "The OPM Data Breach: How the Government Jeopardised Our National Security for More than a Generation," signed by three Republican members of the Committee on Oversight and Government Reform, US House of Representatives, 114th Congress, faults the federal agency for lax security, ineffective leadership and outdated technology, which led to the exfiltration of personnel data on 4.2 million government employees and security clearance investigation material on 21.5 million individuals (as well as fingerprint data on 5.6 million of those individuals).

The report slams the OPM, the agency responsible for HR functions within the federal government, for not moving fast enough to contend with early signs of an attack that consequently enabled hackers to make off with highly revealing personal information – in particular, data submitted on SF-86 forms, used in background investigations. For example, James Comey, director of the FBI, is quoted in the report stating that his SF-86 form lists "every place I've ever lived since I was 18," as well as details on each of his family members.

Though the report commends the OPM for cyber-security improvements over the past year, it issued a number of recommendations on how the agency could bolster its network capabilities. These include longer tenures for senior security officers, a reduction in the use of Social Security numbers, and a "zero trust model" to bolster controls on employee access to data on the network.

While welcoming the committee's acknowledgement of the OPM's progress, Beth Cobert, acting director at the OPM, disagreed with the committee's findings in a blog post published on the OPM site on Wednesday, responding that the report does "not fully reflect where this agency stands today."

"Over the past year OPM has worked diligently with its partners across government and made significant progress to strengthen our cyber-security posture, and reestablish confidence in this agency's ability to protect data while delivering on our core missions," she wrote.

Improvements, she pointed out, include a requirement to use strong multifactor identification forms, the rebuilding of the agency's web-based application system, as well as the institution of mitigation policies developed by the DHS that would bolster detection and prevention of attacks. Additionally, the department has added "seasoned cyber-security and IT experts to our already talented team," Cobert wrote.

These moves include the hiring of a CIO and a senior cyber-security adviser reporting to the director of OPM, as well as centralising cyber-security resources under a new CISO, whose "sole responsibility is to take the steps necessary to secure and control access to sensitive information," she said.

"The report basically comes down to missed opportunities to detect or prevent using existing tools," Dimitri Sirota, CEO of BigID, a security company, told SCMagazine.com in an email on Wednesday. "While there is no question that more protection and detection tools could always reduce risk of breach, the report fails to highlight one critical cultural problem that the Office of Personnel Management shares with many enterprises: The OPM did not treat personal personnel data as a critical asset that it needs to manage."

Today, Sirota added, companies treat physical objects, like laptops and phones, as hard assets that they protect both through physical security and login management and through asset management, so that they detect loss or misuse. Digital assets need to be managed like physical assets, he told SC. "That's true for IP and especially true for identity data belonging to customers or employees. By rethinking protection around the data, organisations will have better visibility and control over how the asset gets accessed and used."

The theft of OPM data once again reinforces the position that some data repositories simply should not be connected to the internet, Michael Patterson, CEO of Plixer, a security analytics company, wrote in an emailed statement to SCMagazine.com. "If even one file is found to have been manipulated, the entire set of 21.5 million background reports may need to be reviewed."

The inconvenience to the individuals whose background reports may have been modified could be substantial, Patterson stated. "To try and avoid being a victim, all organisations need to monitor for cyber-theft constantly."

Rick Hanson, the executive vice president of sales at security startup Skyport Systems, had praise for the OMB's bolstering of a zero trust model. "[It] is essential for not only government employees accessing their core system but also as part of the government's overall compute platform," he said in a statement emailed to SCMagazine.com. "Federal agencies need to rethink how users are granted trust in their systems, and design their systems this way as well. As we enter a riskier threat landscape, the model for trust needs to evolve. All trust should be earned both on the user side and the compute side - never implicitly granted."