OPM Hacking Report Says Agency Missed One Set Of Attacks, Spent Little On Cybersecurity

from the security:-always-worth-taking-seriously-AFTER-the-damage-is-done dept

The twice-hacked Office of Personnel Management has had little to offer but promises of “taking security seriously” and free identity theft protection for the thousands of government employees whose personal information was pried loose by hackers.

Twice-hacked, because there was one breach the OPM did discover, and one it didn’t. While it spent time walling off the breach it had detected, another went unnoticed, leaking enough info on government employees that the CIA began worrying about the safety of agents located abroad.

A new report [PDF] by the Committee on Oversight and Government Reform (which AP refers to but, oddly, does not feel compelled to LINK to, despite it being a completely PUBLIC document) details where the OPM initially went wrong.

The government discovered the first hacking in March 2014. A Homeland Security Department team noticed suspicious streams of data leaving its network between 10 p.m. and 10 a.m. — the online equivalent of moving trucks hauling away filing cabinets containing confidential papers in the middle of the night. The government’s Einstein intrusion warning system detected the theft.

For the next few months, the personnel office worked with the FBI, National Security Agency and others to monitor the hacker to better understand his movements. Officials developed a plan to expel the hacker in May 2014. That effort included resetting administrative accounts, building new accounts for users who had been compromised and taking offline compromised systems.

Good moves in the wake of a breach, although I’m sure the thousands affected would have preferred a more proactive approach — like using available cybersecurity tools to help prevent breaches from occurring in the first place. Those tools are what detected the second, still-ongoing breach that the OPM failed to notice when patching up the first hole.

[F]our people familiar with the investigation said the breach was actually discovered during a mid-April sales demonstration at OPM by a Virginia company called CyTech Services, which has a network forensics platform called CyFIR. CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network. Investigators believe the hackers had been in the network for a year or more.

Or, as the report puts it, the malicious code-detecting tool “lit up like a Christmas tree” when deployed. Despite this tool finding malicious code in about one out of every five OPM devices, the report notes the OPM didn’t think it was worth paying for. It allowed the trial period to expire before deciding the toolset that found the second breach might be a valuable security asset.

Despite housing the personal information of thousands of government employees — including those with high-level security clearances — the OPM didn’t take security quite as seriously as it claimed to while handing out free credit reporting, post-breach. Jenna McLaughlin of The Intercept points out that the OPM spent less money — quite a bit less — than many other government agencies on network security.

The personnel agency spent just $2 million in 2015 to prevent malicious cyber activity, while the Department of Agriculture doled out $39 million. The departments of Commerce, Education, and Labor also spent more in this area. Among the categories of cybersecurity spending delineated by the committee — preventing malicious cyber activity, detecting, analyzing, and mitigating intrusions, and shaping the cybersecurity environment — only the Small Business Administration spent as little as OPM (although Small Business Administration spent more overall on cybersecurity).

The OPM has responded to the report by stating it fails to account for the agency’s post-double-breach cybersecurity awesomeness. And one contributor to the Committee feels there’s just not enough buck-passing in the report.

OPM responded by saying the report does not actively reflect the progress the agency has made since the hack, and Rep. Elijah Cummings, D-Md., the ranking Democrat on the House Oversight Committee, insisted the report was flawed, in part because it failed to place blame on or otherwise account for the contractors involved in the agency’s cybersecurity.

That the OPM would want the report to focus on its barn door-closing efforts, rather than its eminent hackability, is understandable. But it’s also stupid to insist a report detailing past mistakes not spend more time speculating on the agency’s presumably glowing cybersecurity future. The report’s title is uncharacteristically (for a Congressional report) brutal and does nothing to spare the feelings of an agency that didn’t appear to care until it was too late:

The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation

But there’s nothing to be gained by complaining that no one cares about the stuff you’re doing correctly now — not when it’s been revealed that an agency that should have known it was, and will always be, a prime target for malicious hackers spent very little on cybersecurity and didn’t deploy even the most basic security tools until well after the fact.


Comments on “OPM Hacking Report Says Agency Missed One Set Of Attacks, Spent Little On Cybersecurity”

That One Guy (profile) says:

Makes sense

I mean it’s not like the OPM systems contain any sensitive data, why would they spend money securing a system that has no important data and that’s likely to never be attacked as a result?

You spend time and money protecting things of value, and since the OPM doesn’t have any valuable data of course they’re not going to spend more than pocket change protecting it.

Norahc says:

And now we see

And now we see the full details of what Director Comey and the going dark crowd have planned. If your sensitive data gets stolen because the encryption had a back door, they will offer you “identity theft protection” after the fact. Instead of offering it before the hack when it would have been useful and is as simple and cheap as strong encryption.

Anonymous Coward says:

After having read through the majority of the report it is clear that the OPM breach was a crazy turn of events any way you slice it.

Repeated warnings from the auditors were ignored, systems in production without authorizations to operate, no two factor authentication (when it was required), deploying new security products under the guise of a demo as an incident response strategy, and limited communication between appropriate internal OPM groups.

All this on the heels of an underdeveloped security program for an organisation that really should have known better. Can we say that we’re surprised?

tjnolin (user link) says:

goes well beyond Gov staff

Unfortunately the OPM breaches go well beyond direct US Gov employees. It affects every person that has ever received security clearance to enter a secure facility, even on a temporary basis.

That includes most mil supplier technical staff. Scientists and engineers assisting at NASA centers were also impacted. Even visitors to research centers like Los Alamos National Labs.

The data not only included your personal information, but the names and addresses of your references, family, past employers and more.

Hard to imagine a more complete data set for ID thieves to go after. Apparently the emphasis on ‘security’ rather than ‘clearance’ was largely theatrical.


breaches, peaches

The CHRI database in Pasadena was a prime target of this exact, politicized laissez-faire approach between 2001 and 2016, as were many such databases.

And that DB was breached over a period of decades by #theGoodPeeple, while under 3M Cogent control.

Sometimes the breach was “innocent”, wherein the (D) operatives “mistakenly” sent hundreds of thousands of personally identifying records to “innocent requestors” who had asked for one file; others involved Syrian foreign nationals on the DHS payroll as informants who had direct access to the CHRI database room while on contractor status.

And all of that, these level 3 breaches (equivalent to a nation-state-level cyber-attack), were covered up by a former FBI agent at 3M and a cohort of “revolutionists” at that corporation (guess who guides them).

These never made the news (on the first through fifth breach). I can’t imagine why… I mean, yeah, it’s all so innocent.
