
OPM breach report blames leadership inaction for data loss

A House committee investigation into the OPM breach said leadership failed to implement the recommended security improvements that could have prevented the attack and data loss.

An investigation into the OPM breach has been completed by the House Oversight and Government Reform committee, and although the report is more than 200 pages long, experts said there were details missing.

The report painted a grim picture.

"The government of the United States of America has never been more vulnerable to cyberattacks. No agency is safe. In recent data breaches, hackers took information from the United States Postal Service; the State Department; the Nuclear Regulatory Committee; the Internal Revenue Service; and even the White House," the report stated. "None of these data breaches, though, compare to the data breaches of the U.S. Office of Personnel Management (OPM)."

The OPM breaches came to light in June 2015. The report said they involved "personnel files on 4.2 million former and current government employees and security clearance background investigation information on 21.5 million individuals," as well as fingerprint data for 5.6 million of those individuals.

The report said the loss of this data was "deeply troubling, and citizens deserve greater protection from their government."

"The damage done by the loss of the background investigation information and fingerprint data will harm counterintelligence efforts for at least a generation to come," the report read. "The intelligence and counterintelligence value of the stolen background information for a foreign nation cannot be overstated, nor will it ever be fully known."

Michael Lipinski, CISO and chief security strategist at Securonix Inc., based in Los Angeles, said the report lacked more detailed breakdowns of the risks to the data lost for the individuals affected.

"People will pay a price for this into the next generation. The risk to government and private organizations from the lost fingerprints alone has huge potential impacts. Security risks from the biometric use of these fingerprints are possible," Lipinski told SearchSecurity. "Does the existence of these fingerprints in the wild undermine the validity of fingerprint identification in everyday court cases? The state actors that possess the exfiltrated data will be able to create very sophisticated, very targeted phishing campaigns. I think there is a lot of potential fallout from this data loss that hasn't been well-communicated to the public yet."

Richard Helms, CEO of Ntrepid Corp., based in Herndon, Va., said the monitoring services offered to the affected individuals months after the OPM breach were not enough.

"The missing piece is a discussion of the fact the breach was not a theft of credit card data at a point of sale; rather, it was an attack on our national security community personnel by a foreign state to benefit further collection of intelligence on them. The millions spent on credit monitoring in response are of zero benefit," Helms said. "The national security community needs to extend its security perimeter to include employees' online activity. Follow-up collection efforts or attacks from these adversaries will logically be most effective through the internet browsers of these employees and their families. That protection can be had for a lot less money than is being spent on ineffective credit monitoring."

The report provides a detailed timeline of the attack. It states the first attacker -- referred to as Hacker X1 in the report -- gained access to the OPM network in July 2012. On March 20, 2014, US-CERT notified OPM of data exfiltration on its network, and OPM and US-CERT decided to monitor the attacker to gather counterintelligence, with a fail-safe plan to shut down the compromised systems, if needed, to remove the hacker.

However, on May 7, another hacker -- Hacker X2 -- "established their foothold into OPM's network" using credentials stolen from a contractor to install malware and a backdoor. OPM did not identify this second hacker, despite actively monitoring the first.

"As the agency monitored Hacker X1's movements throughout the network, it noticed Hacker X1 was getting dangerously close to the security clearance background information," the report read. "The agency was confident the planned remediation effort in late May 2014 eliminated Hacker X1's foothold on their systems. But Hacker X2, who had successfully established a foothold on OPM's systems and had not been detected due to gaps in OPM's IT security posture, remained in OPM's system."

The gaps in OPM's security were quite wide, according to the report. The OPM inspector general had been warning about cybersecurity deficiencies since 2005, but the report said the "absence of an effective managerial structure to implement reliable IT security policies" meant fundamental weaknesses remained. And a 2015 IT security report from the Office of Management and Budget said OPM was one of the agencies with the "weakest authentication profiles."

"Had OPM implemented basic, required security controls and more expeditiously deployed cutting-edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented or significantly mitigated the theft," the report read. "Importantly, the damage also could have been mitigated if the security of the sensitive data in OPM's critical IT systems had been prioritized and secured."

Igor Baikalov, chief scientist at Securonix, said this shows the OPM breach was not due to technical problems.

"What the audit shows is a systematic pattern of negligence and total disregard for information security principles and practices. Since 2007, OIG repeatedly reported grossly inadequate security management and weak governance as a foundational cause of numerous security problems at OPM," Baikalov said. "Any information security program starts with standards to adhere to, policies to comply with and procedures to follow -- all of that was missing at OPM, and that has nothing to do with how outdated their systems were, or what technology they had deployed."

Beth Cobert, acting director of OPM, who took over after the resignation of OPM Director Katherine Archuleta following the OPM breach, wrote in a blog post that the report "does not fully reflect where this agency stands today."

"While we disagree with many aspects of the report, we welcome the committee's recognition of OPM's swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies and processes. We also appreciate the panel's willingness to work with us on these important issues and find many of the final recommendations to be useful for OPM and the federal government at large," Cobert wrote. "Over the past year, OPM has worked diligently with its partners across government and made significant progress to strengthen our cybersecurity posture and re-establish confidence in this agency's ability to protect data while delivering on our core missions."

Cobert went on to detail steps the agency has taken to improve security and accountability, including the implementation of multifactor authentication (MFA) in the agency, the continuous diagnostics and mitigation program developed by the Department of Homeland Security and DHS's Einstein 3A, and the ongoing process of rebuilding and enhancing the web app system used for background investigations. Other initiatives Cobert cited included strengthening legacy systems while modernizing IT infrastructure and working with the Department of Defense, "who are designing, building and will operate the IT infrastructure for the new National Background Investigations Bureau, the OPM-based entity that will conduct background investigations for the federal government in the future."

The report focused heavily on how the OPM breach could have been prevented if the agency had implemented multifactor authentication, and experts agreed.

"Implementation of multifactor authentication is a good suggestion, but also really just a baseline that everyone should have adopted. An attacker with control of a desktop can still leverage credentials even with two-factor authentication," Lance Cottrell, chief scientist of Passages at Ntrepid, told SearchSecurity. "It is like saying an organization should patch their software and keep good backups -- it is totally generic and entry-level advice, which makes it somewhat shocking that this is what they are telling an organization handling sensitive government information."

Sam Elliott, director of security product management at Bomgar Corp., based in Ridgeland, Miss., said the recommendation could have gone further.

"I am glad to see the report make this recommendation, but I would also recommend a strong password management policy, which includes frequent rotation of privileged credentials, as well as employing technology to control, facilitate and monitor direct access to sensitive infrastructure," Elliott said. "With those three areas in place, a bad actor with stolen credentials, who is trying to gain persistence in an environment, will face significant challenges. The hacker won't be able to use traditional mechanisms to access a target in the first place. And, lastly, with MFA in place, even if they are able to get to a target, standard authentication will do them almost no good."

Lipinski said the recommendation of MFA, although important, "grossly misses the remaining issues."

"This was a people, process and technology failure. There was no executive-level responsibility watching over security. It fell under the CIO who was not credentialed as a security professional. The people failure led directly to the process gaps," Lipinski told SearchSecurity. "The report concluded that additional talent is needed. Poor logging, insufficient tools, lack of internal hunting capability, no vulnerability management, no penetration testing and incident response activities were grossly lacking."

Lipinski added: "This was a failure at every level -- people, process, technology and governance. Instead of striving for a continuous improvement model, I saw an excuse-driven, 'not my fault because we have old equipment' model. The government failed to hold itself to even the lowest level of standards it places on the private sector. Lack of basic controls, lack of any discernible policies or processes, lack of incident response capabilities and lack of executive ownership over data protection all need to be addressed to prevent another occurrence."
