Failure to execute a basic function in risk management caused the OPM cyber attack.
Security intrusion stories unfolding in cyberspace confirm that companies are not the only targets. Government department systems, viewed as the most trusted custodians of personal information, are the obvious next frontier for hackers. In the latest and largest breach of personal information in US history, hackers breached the computer systems of the Office of Personnel Management (OPM), potentially exposing the entire Federal workforce.
While cyber espionage targeting state departments’ systems is nothing new in an increasingly digital world, such breaches are thankfully less frequent than those reported by large corporations. But perilously, when they do strike (or are detected!), they tend to be enormous enough to derail any budding prospect of reconciliation with China – the alleged source of cyber attacks on the United States. Notably, the recent attack comes ahead of the annual US-China Strategic and Economic Dialogue scheduled for June 22-24. With the latest intrusion, attackers gained access to the details of about 4 million current and former federal workers.
OPM functions as the human resources department for various Federal agencies. The April information security breach targeted a database at the Department of the Interior, which also holds data from other agencies, and specifically the Central Personnel Data File. While it is claimed that the hacked database did not house security clearance applications or investigation details, there is no denying that “every federal employee, every federal retiree, and up to one million former federal employees’ Social Security numbers, military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status and more” has been compromised, according to American Federation of Government Employees (AFGE) President J. David Cox.
The second significant breach of OPM systems in less than a year, the recent attack can be viewed as a case of poor defense tactics and execution against evolving cyber attacks. Following last summer’s attack, the department put in place “an aggressive effort to update its cyber security posture, adding numerous tools and capabilities to its networks.” However, it is now clear that the new capabilities improved detection but did not prevent the intrusion.
A November 2014 report found the agency was not performing regular scans for system vulnerabilities – a primary risk-management practice in any proactive defense strategy for detecting and shielding against suspicious intrusions. Meanwhile, the defense capabilities being built by the US form part of the Department of Homeland Security’s $4.5 billion National Cybersecurity and Protection System (NCPS) program. The absence of such a basic security practice, one used to expose security flaws that “could potentially have national security implications,” will raise questions about the diligent implementation of a multi-billion dollar security program.
Combined with the lack of a mature and effective vulnerability scanning program, 11 of OPM’s key computer systems were found to be “operating without a valid authorization,” representing a “systemic issue of inadequate planning.” In such a scenario, it is no surprise that “The mystery here is not how they got cleaned out by the Chinese. The mystery is what took the Chinese so long,” as a senior former government official told The New York Times. The newspaper’s report elaborates that the “U.S. was warned of systems open to cyber attacks.”
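The two control gaps named above, scans that are not run on a regular schedule and systems operating without a valid authorization, are the kind of thing a risk-management program should be able to surface from its own system inventory before an auditor does. The following is an added example (not code from the original article, and not anything OPM runs): it walks a constructed inventory, flags systems whose last scan is older than a configurable age or whose authorization to operate has lapsed, and reports which systems fail both checks at once. The system names, dates and the 30-day scan window are all assumptions made for the example.

```python
from datetime import date
from typing import Dict, List, Optional

# Constructed sample inventory; the system names and dates are hypothetical.
# last_scan:   date of the most recent vulnerability scan, or None if never scanned.
# ato_expires: expiry date of the system's authorization to operate (ATO), or None if none on record.
INVENTORY = [
    {"system": "hr-portal",        "last_scan": "2015-05-20", "ato_expires": "2016-01-31"},
    {"system": "personnel-db",     "last_scan": "2014-11-02", "ato_expires": "2014-09-30"},
    {"system": "legacy-mainframe", "last_scan": None,         "ato_expires": None},
    {"system": "benefits-api",     "last_scan": "2015-06-01", "ato_expires": "2015-06-01"},
]


def _parse(value: Optional[str]) -> Optional[date]:
    """Parse an ISO-8601 date string; None stays None so 'no record' is handled explicitly."""
    return date.fromisoformat(value) if value else None


def assess_inventory(inventory: List[Dict[str, Optional[str]]],
                     as_of: str,
                     max_scan_age_days: int = 30) -> Dict[str, List[str]]:
    """Return the systems that violate either control, plus those violating both.

    as_of:             the reference date (ISO string) the assessment is run against.
    max_scan_age_days: assumed policy window; a scan older than this counts as overdue.
    """
    today = date.fromisoformat(as_of)
    overdue_scan: List[str] = []
    no_valid_ato: List[str] = []

    for rec in inventory:
        name = rec["system"]
        last_scan = _parse(rec["last_scan"])
        ato_expires = _parse(rec["ato_expires"])

        # Control 1: a scan must exist and be no older than the policy window.
        if last_scan is None or (today - last_scan).days > max_scan_age_days:
            overdue_scan.append(name)

        # Control 2: an ATO must exist and must not have expired before the reference date.
        if ato_expires is None or ato_expires < today:
            no_valid_ato.append(name)

    failing_both = [s for s in overdue_scan if s in no_valid_ato]
    return {
        "overdue_scan": overdue_scan,
        "no_valid_ato": no_valid_ato,
        "failing_both": failing_both,
    }


def format_report(findings: Dict[str, List[str]]) -> str:
    """Render the findings as plain text, one control per line."""
    lines = []
    for control, systems in findings.items():
        lines.append(f"{control}: {', '.join(systems) if systems else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed reference date for the example run.
    print(format_report(assess_inventory(INVENTORY, as_of="2015-06-05")))
```

A real program would draw the inventory from the agency’s system-of-record and treat a `None` in either column as a finding in its own right, which is what the checks above do: an unscanned system and a system with no authorization on file are reported, not silently skipped.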
iSight Partners claims in a tweet to have a “high degree of confidence” that the OPM and Anthem breaches are linked to the same hacker group. The Internet security company puts “high hopes this will be major wakeup call.” Federal agencies have their work cut out for them to live up to those hopes, given the troubling history of information security breaches. According to an April 2015 Government Accountability Office (GAO) report, during the 2014 fiscal year a “material weakness or significant deficiency in internal controls” was reported in 19 of 24 major federal agencies, while “inspectors general at 23 of these agencies cited information security as a major management challenge for their agency.” The investment in, application of and awareness of efficient and effective risk management solutions are simply not at the level necessary, or expected by the affected people, in this case nearly all federal employees past and present.
Poor risk identification and weak control implementation, exposed to evolving cyber espionage by both state-sponsored and independent hacker groups, more than doubled the number of reported information security incidents over fiscal years 2009-2013. Information security incidents involving personally identifiable information (PII) jumped to 25,566 in 2013 from 10,481 in 2009, according to the April 2014 GAO report.
While high-value breaches involving federal agencies contribute to database building in the allegedly rogue country, and security events like the one involving OPM continue to serve as a “case study in bureaucratic lethargy and poor security practices,” persistent attacks targeting poorly protected systems continue to imperil the information security of every citizen in the United States.