In-brief: Is the massive breach at the U.S. Government’s Office of Personnel Management a success story? Given the dire state of risk management within the federal government, the answer may be ‘yes.’
Is the massive breach at the U.S. Government’s Office of Personnel Management (OPM) a success story? Given the dire state of cyber risk management within OPM and the federal government, the answer may be ‘yes.’
In fact, in the weeks leading up to the revelation that OPM was the victim of a massive security breach, the agency’s information security director, Jeff Wagner, was on something of a media tour to trumpet OPM’s new approach to securing its IT assets and employees – a strategy focused on detecting attackers on its network. The new approach may have worked better than anyone expected.
OPM acknowledged on Thursday that it was the victim of a “cybersecurity incident” that potentially affects personnel data for some four million current and former federal employees. The agency said it is working with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) and the FBI to determine the full extent of the breach and its impact on federal employees.
OPM is the U.S. government’s human resources department: an independent agency with more than 6,000 employees that is responsible for everything from hiring to retirement benefits. Significantly: OPM is responsible for conducting security clearance interviews and audits for employees across the government. That work makes the agency’s databases and file servers a treasure trove of information on everyone from elected officials and staff to senior employees of federal agencies stretching from the Executive Branch to the Departments of Justice and Defense.
However, like many federal agencies, the Office struggled with information security and IT risk management over the years. A string of reports from the Government Accountability Office (GAO) stretching back a decade has documented information technology and risk management woes at OPM. Among them: a heavy reliance on legacy technology, including mainframe systems running applications written in programming languages like COBOL. Add to that a nest of connections between OPM systems and personnel systems at some 400 federal agencies.
In a May 2013 report describing OPM’s efforts to modernize federal employee retirement processing systems, for example, the GAO documented failed IT modernization efforts stretching back two decades and concluded that OPM lacked the management capabilities to realize its stated goals.
“Among the management disciplines the agency has struggled with are project management, risk management, organizational change management, cost estimating, system testing, progress reporting, planning, and oversight,” GAO wrote.
No surprise: those shortcomings extended to the realm of information security as well. OPM systems for performing background checks were the target of hackers in December 2014, when information on 48,000 federal employees was exposed in a breach of KeyPoint Government Solutions, which conducts background investigations of federal employees seeking security clearances. Notably: that breach was discovered by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), not by OPM staff.
But OPM appears to have taken the lessons of the December breach to heart: embracing a new security mantra focused on detecting threats within its environment.
Specifically: in a series of media interviews, position papers and public appearances, Wagner hailed OPM’s new approach to cyber security, which he described as “security through visibility” that focused on detecting anomalous behavior within OPM’s network, rather than on monitoring attacks from outside.
At the heart of OPM’s new approach is technology from CSG Invotas, a kind of system of systems that consolidates security information and metrics from disparate products and allows information security professionals to program automated responses to security “triggers” raised by the product.
It is unclear when OPM began using the technology, or exactly what role it played in the discovery of the most recent breach. But Wagner was evangelizing what he called the agency’s “security through visibility” approach in a white paper that was released by the Armed Forces Communications and Electronics Association’s Bethesda chapter as early as March.
In that, Wagner called on federal cyber professionals to follow a security and risk management framework from the National Institute of Standards and Technology (NIST) and to build a full picture of network activity by combining disparate data from network security tools and controls.
“We try to simplify our processes as much as possible and then you can look through your flow chart and see where you can leverage orchestration and where can I stop having humans do simple things?” Wagner told Federal News Radio in March.
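The “security through visibility” pattern described above has three parts: pull records from different tools into one normalized stream, evaluate detection triggers over that combined picture (so that a trigger can depend on evidence no single tool sees on its own), and hand each trigger to an orchestration layer that runs a pre-programmed playbook instead of waiting on a human. The following is an added illustration of that pattern, written for this article; it is not OPM’s code and not CSG Invotas’s product. The two log feeds, host names, baselines, thresholds and response action names are all constructed assumptions.

```python
"""Toy "security through visibility" pipeline: normalise events from
disparate sources into one stream, evaluate triggers over the combined
picture, and map each trigger to an automated response playbook.

Added illustration for this article; not OPM's or CSG Invotas's code.
All feeds, hosts, baselines, thresholds and action names are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    source: str      # which tool produced the record
    host: str        # internal host the record is about
    kind: str        # normalised event type
    value: int = 0   # records read or bytes sent, depending on kind
    detail: str = ""


# --- Constructed sample input from two separate tools (not real formats) ---
FILE_SERVER_LOG = [            # (timestamp, host, user, personnel records read)
    ("2015-04-10T02:05:00", "ws-104", "jdoe", 12),
    ("2015-04-10T02:30:00", "ws-104", "jdoe", 4800),
    ("2015-04-10T09:15:00", "ws-221", "asmith", 35),
]
NETFLOW_LOG = [                # (timestamp, source host, destination IP, bytes out)
    ("2015-04-10T02:41:00", "ws-104", "203.0.113.7", 650_000_000),
    ("2015-04-10T09:20:00", "ws-221", "192.0.2.10", 20_000),
]
# Assumed per-host daily baseline of records read (e.g. learned over a month)
BASELINE_RECORDS = {"ws-104": 50, "ws-221": 40}
INTERNAL_PREFIXES = ("10.", "192.0.2.")   # 192.0.2.0/24 treated as internal here


def normalise() -> list[Event]:
    """Consolidate both feeds into one chronologically ordered event list."""
    events = []
    for ts, host, user, n in FILE_SERVER_LOG:
        events.append(Event(datetime.fromisoformat(ts), "fileserver", host,
                            "records_read", n, user))
    for ts, host, dst, nbytes in NETFLOW_LOG:
        direction = "internal" if dst.startswith(INTERNAL_PREFIXES) else "external"
        events.append(Event(datetime.fromisoformat(ts), "netflow", host,
                            f"egress_{direction}", nbytes, dst))
    return sorted(events, key=lambda e: e.ts)


def evaluate_triggers(events: list[Event]) -> list[tuple[str, str]]:
    """Return (trigger_name, host) pairs.

    The second trigger needs the file-server feed AND the netflow feed, which
    is exactly what a single product cannot raise on its own."""
    read_by_host: dict[str, int] = defaultdict(int)
    egress_by_host: dict[str, int] = defaultdict(int)
    for e in events:
        if e.kind == "records_read":
            read_by_host[e.host] += e.value
        elif e.kind == "egress_external":
            egress_by_host[e.host] += e.value
    fired = []
    for host, n in read_by_host.items():
        if n > 20 * BASELINE_RECORDS.get(host, 0):        # 20x baseline is assumed
            fired.append(("bulk_read", host))
            if egress_by_host[host] > 100_000_000:         # 100 MB is assumed
                fired.append(("bulk_read_then_exfil", host))
    return fired


# Assumed playbook: which automated actions each trigger is wired to
PLAYBOOK = {
    "bulk_read": ["open_ticket", "notify_analyst"],
    "bulk_read_then_exfil": ["isolate_host", "disable_user_sessions", "page_ir_team"],
}


def respond(fired: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Map each fired trigger to the actions an orchestration layer would run."""
    return [(action, host) for trigger, host in fired for action in PLAYBOOK[trigger]]


if __name__ == "__main__":
    for action, host in respond(evaluate_triggers(normalise())):
        print(f"{action:24s} -> {host}")
```

Run stand-alone, the script fires both triggers for `ws-104` (reads almost a hundred times its baseline at 2 a.m., then pushes 650 MB to an external address) and none for `ws-221`, and prints the five playbook actions. The design point is that `bulk_read_then_exfil` only exists because the two feeds were joined on the host field; either feed alone would have produced, at best, a low-priority ticket.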
Even in disclosing the breach on Thursday, OPM took pains to stress that it was mending its ways.
“Within the last year, the OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks,” the agency said in a statement. The result of that was the discovery of the latest breach, in April 2015, the Office said.
Does that make OPM a success story of sorts? By most measures, “no.” Both the length and the extent of the breach are evidence of a significant failure by OPM’s IT staff – evidence that fits a pattern with other news of breaches at data rich government agencies and private firms like Anthem Healthcare and Premera.
The shred of good news may be that OPM developed the capability to detect a compromise on its own networks – an improvement from December, when it needed to be informed by DHS that it had been compromised. In the long term, that is a distinction that matters. Data compiled by the firm Trustwave found that the percentage of businesses that were able to detect a compromise themselves increased from nine percent in 2009 to 29 percent in 2013. And, for organizations that detected a breach themselves, the median number of days needed to contain the breach was 1. However, for organizations that were informed by third parties that they had been breached, the median time needed to contain that breach was 14 days.
Sadly, for millions of current and former federal employees, OPM’s about-turn on security and defense comes too late.