from the security:-always-worth-taking-seriously-AFTER-the-damage-is-done dept
The twice-hacked Office of Personnel Management has had little to offer but promises of “taking security seriously” and free identity theft protection for the thousands of government employees whose personal information was pried loose by hackers.
Twice-hacked, because there was one breach the OPM did discover, and one it didn’t. While it spent time walling off the breach it had detected, another went unnoticed, leaking enough info on government employees that the CIA began worrying about the safety of agents located abroad.
A new report [PDF] by the Committee on Oversight and Government Reform (which AP refers to but, oddly, does not feel compelled to LINK to, despite it being a completely PUBLIC document) details where the OPM initially went wrong.
The government discovered the first hacking in March 2014. A Homeland Security Department team noticed suspicious streams of data leaving its network between 10 p.m. and 10 a.m. — the online equivalent of moving trucks hauling away filing cabinets containing confidential papers in the middle of the night. The government’s Einstein intrusion warning system detected the theft.
For the next few months, the personnel office worked with the FBI, National Security Agency and others to monitor the hacker to better understand his movements. Officials developed a plan to expel the hacker in May 2014. That effort included resetting administrative accounts, building new accounts for users who had been compromised and taking offline compromised systems.
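The detection the AP passage describes is simple in principle: outbound traffic at hours when nobody in the building should be moving data. As an added illustration, not Einstein's logic and not anything taken from the report, here is a small Python script that runs over a handful of constructed flow records, totals each internal host's egress to external addresses inside the 10 p.m. to 10 a.m. window against its daytime egress, and flags hosts that clear an assumed absolute floor and an assumed ratio. The record format, the 10.0.0.0/8 "internal" rule and both thresholds are assumptions for the example.

```python
"""Flag hosts whose overnight egress dwarfs their daytime baseline.

Added example; the flow records below are constructed, not OPM data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: (timestamp, source host, destination, bytes out).
# Assumption: 10.0.0.0/8 is the internal network; anything else is external.
SAMPLE_FLOWS = [
    ("2014-03-10 11:15:00", "10.1.1.20", "203.0.113.9", 4_000_000),
    ("2014-03-10 14:40:00", "10.1.1.20", "203.0.113.9", 6_000_000),
    ("2014-03-10 23:30:00", "10.1.1.20", "198.51.100.7", 900_000_000),
    ("2014-03-11 02:10:00", "10.1.1.20", "198.51.100.7", 1_100_000_000),
    ("2014-03-11 08:05:00", "10.1.1.20", "198.51.100.7", 250_000_000),
    ("2014-03-10 10:00:00", "10.1.1.31", "203.0.113.9", 50_000_000),
    ("2014-03-10 15:00:00", "10.1.1.31", "203.0.113.9", 70_000_000),
    ("2014-03-10 23:00:00", "10.1.1.31", "203.0.113.9", 5_000_000),
    # Overnight backup to another internal host: not egress, must be ignored.
    ("2014-03-11 01:00:00", "10.1.1.40", "10.2.2.2", 3_000_000_000),
]

OFF_HOURS_START = 22            # 10 p.m., the window from the article
OFF_HOURS_END = 10              # 10 a.m.
MIN_OFF_HOURS_BYTES = 500_000_000  # assumed floor: ignore small overnight noise
RATIO_THRESHOLD = 10.0          # assumed: overnight must be 10x daytime


def is_internal(addr):
    """Crude prefix test standing in for a real address-space lookup."""
    return addr.startswith("10.")


def is_off_hours(ts):
    """True for timestamps in [22:00, 10:00); the window wraps midnight."""
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
    return hour >= OFF_HOURS_START or hour < OFF_HOURS_END


def summarize(flows):
    """Return {host: (off_hours_bytes, business_hours_bytes)}.

    Only internal-to-external flows count; internal-to-internal transfers
    such as backups would otherwise swamp the totals.
    """
    totals = defaultdict(lambda: [0, 0])
    for ts, src, dst, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue
        totals[src][0 if is_off_hours(ts) else 1] += nbytes
    return {host: tuple(v) for host, v in totals.items()}


def find_suspects(flows, min_bytes=MIN_OFF_HOURS_BYTES, ratio=RATIO_THRESHOLD):
    """List (host, off_hours_bytes, business_bytes, ratio) for hosts that
    exceed both the absolute floor and the off-hours/daytime ratio."""
    suspects = []
    for host, (off, biz) in sorted(summarize(flows).items()):
        if off < min_bytes:
            continue
        # A host with no daytime egress at all is treated as infinitely skewed
        # rather than raising ZeroDivisionError.
        observed = off / biz if biz else float("inf")
        if observed >= ratio:
            suspects.append((host, off, biz, observed))
    return suspects


if __name__ == "__main__":
    for host, off, biz, r in find_suspects(SAMPLE_FLOWS):
        print(f"{host}: {off:,} bytes overnight vs {biz:,} by day (x{r:.0f})")
```

The ratio against the host's own daytime traffic matters more than the raw volume: a file server that pushes a few gigabytes every night is normal, a workstation that pushes two gigabytes after 10 p.m. after sending ten megabytes all day is the moving truck. A real deployment would take the baseline from weeks of history rather than a single day, and would read NetFlow or proxy logs rather than an inline list.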
Good moves in the wake of a breach, although I’m sure the thousands affected would have preferred a more proactive approach — like using available cybersecurity tools to help prevent breaches from occurring in the first place. Those tools are what detected the second, still-ongoing breach that the OPM failed to notice when patching up the first hole.
[F]our people familiar with the investigation said the breach was actually discovered during a mid-April sales demonstration at OPM by a Virginia company called CyTech Services, which has a network forensics platform called CyFIR. CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network. Investigators believe the hackers had been in the network for a year or more.
Or, as the report puts it, the malicious code-detecting tool “lit up like a Christmas tree” when deployed. Despite this tool finding malicious code in about one out of every five OPM devices, the report notes the OPM didn’t think it was worth paying for. It allowed the trial period to expire before deciding the toolset that found the second breach might be a valuable security asset.
Despite housing the personal information of thousands of government employees — including those with high-level security clearances — the OPM didn’t take security quite as seriously as it claimed to while handing out free credit reporting, post-breach. Jenna McLaughlin of The Intercept points out that the OPM spent less money — quite a bit less — than many other government agencies on network security.
The personnel agency spent just $2 million in 2015 to prevent malicious cyber activity, while the Department of Agriculture doled out $39 million. The departments of Commerce, Education, and Labor also spent more in this area. Among the categories of cybersecurity spending delineated by the committee — preventing malicious cyber activity, detecting, analyzing, and mitigating intrusions, and shaping the cybersecurity environment — only the Small Business Administration spent as little as OPM (although Small Business Administration spent more overall on cybersecurity).
The OPM has responded to the report by stating it fails to account for the agency’s post-double-breach cybersecurity awesomeness. And one contributor to the Committee feels there’s just not enough buck-passing in the report.
OPM responded by saying the report does not actively reflect the progress the agency has made since the hack, and Rep. Elijah Cummings, D-Md., the ranking Democrat on the House Oversight Committee, insisted the report was flawed, in part because it failed to place blame on or otherwise account for the contractors involved in the agency’s cybersecurity.
That the OPM would want the report to focus on its barn-door-closing efforts, rather than its eminent hackability, is understandable. But it’s also stupid to insist that a report detailing past mistakes spend more time speculating on the agency’s presumably glowing cybersecurity future. The report’s title is uncharacteristically (for a Congressional report) brutal and does nothing to spare the feelings of an agency that didn’t appear to care until it was too late:
The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation
But there’s nothing to be gained by complaining that no one cares about the stuff you’re doing correctly now — not when it’s been revealed that an agency that should have known it was, and will always be, a prime target for malicious hackers spent very little on cybersecurity and didn’t deploy even the most basic security tools until well after the fact.