OPM Hacking Report Says Agency Missed One Set Of Attacks, Spent Little On Cybersecurity
from the security:-always-worth-taking-seriously-AFTER-the-damage-is-done dept
The twice-hacked Office of Personnel Management has had little to offer but promises of "taking security seriously" and free identity theft protection for the thousands of government employees whose personal information was pried loose by hackers.
Twice-hacked, because there was one breach the OPM did discover, and one it didn't. While it spent time walling off the breach it had detected, another went unnoticed, leaking enough info on government employees that the CIA began worrying about the safety of agents located abroad.
A new report [PDF] by the Committee on Oversight and Government Reform (which AP refers to but, oddly, does not feel compelled to LINK to, despite it being a completely PUBLIC document) details where the OPM initially went wrong.
The government discovered the first hacking in March 2014. A Homeland Security Department team noticed suspicious streams of data leaving its network between 10 p.m. and 10 a.m. — the online equivalent of moving trucks hauling away filing cabinets containing confidential papers in the middle of the night. The government's Einstein intrusion warning system detected the theft.
[...]
For the next few months, the personnel office worked with the FBI, National Security Agency and others to monitor the hacker to better understand his movements. Officials developed a plan to expel the hacker in May 2014. That effort included resetting administrative accounts, building new accounts for users who had been compromised and taking offline compromised systems.
Good moves in the wake of a breach, although I'm sure the thousands affected would have preferred a more proactive approach -- like using available cybersecurity tools to help prevent breaches from occurring in the first place. Those tools are what detected the second, still-ongoing breach that the OPM failed to notice when patching up the first hole.
[F]our people familiar with the investigation said the breach was actually discovered during a mid-April sales demonstration at OPM by a Virginia company called CyTech Services, which has a networks forensics platform called CyFIR. CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network. Investigators believe the hackers had been in the network for a year or more.
Or, as the report puts it, the malicious code-detecting tool "lit up like a Christmas tree" when deployed. Despite this tool finding malicious code in about one out of every five OPM devices, the report notes the OPM didn't think it was worth paying for. It allowed the trial period to expire before deciding the toolset that found the second breach might be a valuable security asset.
Despite housing the personal information of thousands of government employees -- including those with high-level security clearances -- the OPM didn't take security quite as seriously as it claimed to while handing out free credit reporting, post-breach. Jenna McLaughlin of The Intercept points out that the OPM spent less money -- quite a bit less -- than many other government agencies on network security.
The personnel agency spent just $2 million in 2015 to prevent malicious cyber activity, while the Department of Agriculture doled out $39 million. The departments of Commerce, Education, and Labor also spent more in this area. Among the categories of cybersecurity spending delineated by the committee — preventing malicious cyber activity, detecting, analyzing, and mitigating intrusions, and shaping the cybersecurity environment — only the Small Business Administration spent as little as OPM (although Small Business Administration spent more overall on cybersecurity).
The OPM has responded to the report by stating it fails to account for the agency's post-double-breach cybersecurity awesomeness. And one contributor to the Committee feels there's just not enough buck-passing in the report.
OPM responded by saying the report does not actively reflect the progress the agency has made since the hack, and Rep. Elijah Cummings, D-Md., the ranking Democrat on the House Oversight Committee, insisted the report was flawed, in part because it failed to place blame on or otherwise account for the contractors involved in the agency’s cybersecurity.
That the OPM would want the report to focus on its barn door-closing efforts, rather than its eminent hackability, is understandable. But it's also stupid to complain that a report detailing past mistakes doesn't spend more time speculating on the agency's presumably glowing cybersecurity future. The report's title is uncharacteristically (for a Congressional report) brutal and does nothing to spare the feelings of an agency that didn't appear to care until it was too late:
The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation
But there's nothing to be gained by complaining that no one cares about the stuff you're doing correctly now -- not when it's been revealed that an agency that should have known it was, and will always be, a prime target for malicious hackers spent very little on cybersecurity and didn't deploy even the most basic security tools until well after the fact.
Filed Under: cybersecurity, hacking, opm
Reader Comments
How Many at OPM were Promoted due to their Incompetence?
Burr/Feinstein would assuredly recommend hardening OPM's network using encryption algorithms with exploits baked in to the finished product.
Makes sense
You spend time and money protecting things of value, and since the OPM doesn't have any valuable data of course they're not going to spend more than pocket change protecting it.
And now we see
Re: And now we see
Repeated warnings from the auditors were ignored, systems in production without authorizations to operate, no two factor authentication (when it was required), deploying new security products under the guise of a demo as an incident response strategy, and limited communication between appropriate internal OPM groups.
All this on the heels of an underdeveloped security program for an organisation that really should have known better. Can we say that we're surprised?
goes well beyond Gov staff
That includes most mil supplier technical staff. Scientists and engineers assisting at NASA centers were also impacted. Even visitors to research centers like Los Alamos National Labs.
The data not only included your personal information, but the names and addresses of your references, family, past employers and more.
Hard to imagine a more complete data set for ID thieves to go after. Apparently the emphasis on 'security' rather than 'clearance' was largely theatrical.
breaches, peaches
The CHRI database in Pasadena was a prime target of this exact, politicized laissez faire approach between 2001-2016, as were many such databases.
And, that DB was breached over a period of decades by #theGoodPeeple, while under 3M Cogent control.
Sometimes the breach was "innocent", wherein the (D) operatives "mistakenly" sent hundreds of thousands of personally identifying information to "innocent requestors" who had asked for one file; others involved Syrian foreign nationals on the DHS payroll as informants who had direct access to the CHRI database room, while on contractor status.
And all of that, these level 3 breaches (equivalent to a nation state level cyber-attack), were covered up by a former FBI agent at 3M, and a cohort of "revolutionists" at that corporation (guess who guides them).
These never made the news (on the first-fifth breach). I can't imagine why..... I mean, yeah, it's all so innocent.
Sincerely,
ResearchOrganizedGangStalking