Red White and Blue Fail Whale

The Abject Failure of Federal InfoSec

The reports from OPM and IRS reveal the total failure of federal information security practice.

In-brief: OPM and IRS are just the latest incidents to expose the dire state of federal information security practice. The question is: why? 

Two stories this week underscore the federal government’s ongoing struggle to manage the security of its critical networks. Both suggest that federal information security is more than just troubled – it is a failed project.

First, and most notable, is the ongoing saga of the breach of security systems at the Office of Personnel Management (OPM). In testimony before Congress this week, that agency’s Director, Katherine Archuleta, and Chief Information Officer, Donna Seymour, admitted to an almost total breakdown of information security controls. Michael Esser, the agency’s assistant inspector general for audit, told lawmakers on Capitol Hill that OPM’s leadership ignored warnings about its cyber security failings for years and failed to adopt “reasonable cybersecurity practices,” despite warnings about the dangers of a cyber attack. The agency’s information technology staff had “no expertise,” he said.

So grievous was the state of security on OPM’s networks that its Inspector General recommended OPM shut them down. Archuleta refused to do so. No matter: hackers believed to have links to China had already compromised OPM’s networks and made off with the personnel files of more than 4 million federal employees. The hackers are also believed to have taken a trove of data from systems that store information on background checks for federal employees, including those seeking classified clearances.

“You failed utterly and totally,” committee Chairman Jason Chaffetz, a Utah Republican, told Archuleta. “They recommended it was so bad that you shut it down and you didn’t.”

The Committee also demanded testimony from two contractors with business at OPM, Keypoint and USIS, to determine whether hackers may have compromised OPM’s network by way of those firms. OPM has declined to speculate on how hackers breached its network.

OPM is hardly the only data-rich agency struggling to put its house in order. Over at the Internal Revenue Service, the news has been about the rash of taxpayer identity theft that has been going on for months, after cyber criminals figured out how to game “Get Transcript,” a web-based service that lets taxpayers retrieve transcripts of prior-year tax returns. According to statements by the IRS, the attackers used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts. Armed with the taxpayer’s Social Security number, date of birth and street address, they could answer the “multi-step” authentication process (basically: knowledge-based challenge/response questions) and get access to the taxpayer’s filing data. They then used that data to file fraudulent returns seeking refunds. The filing data may also be used in subsequent identity theft scams unrelated to the IRS, security experts have warned.

The IRS temporarily shut down the “Get Transcript” service and subsequently identified around 200,000 attempts to steal taxpayer data, though that number may grow.

This week, the IRS relaunched the Get Transcript service and announced a collaborative agreement with state revenue departments and private sector tax preparation services to help identify fraud. Among the fixes are new fraud detection services intended to weed criminals out from taxpayers: checking the IP addresses of submitted returns to identify repeats (a potential sign of fraud), verifying the device identification of the system used to file the return, analyzing the time taken to complete the return in order to detect automated filings, and capturing metadata from the filing transaction to identify other possible indicators of fraud.
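To make the four signals above concrete, here is an added illustration (not the IRS’s code, nor anything described by the article) of how a filing pipeline might compute them over a batch of submissions. The `Filing` record, the thresholds, the user-agent markers and the sample submissions are all assumptions constructed for the example; the IP addresses are from documentation ranges. The one design point worth taking from it is that each indicator alone is weak (a tax preparer’s office or a campus NAT legitimately files many returns from one IP), so a return is held only when several independent indicators agree.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Filing:
    """One submitted return. taxpayer_id stands in for a hashed SSN."""
    return_id: str
    taxpayer_id: str
    src_ip: str
    device_id: str
    started: datetime
    submitted: datetime
    user_agent: str


# Hypothetical thresholds; a real deployment tunes these per filing season.
MIN_HUMAN_SECONDS = 180        # a person does not finish a return faster than this
MAX_TAXPAYERS_PER_IP = 3       # preparers and NAT gateways legitimately share an IP
MAX_TAXPAYERS_PER_DEVICE = 2   # one household device may file a couple of returns
AUTOMATION_UA_MARKERS = ("python-requests", "curl/", "wget/", "java/")

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"


def _filing(rid, tid, ip, dev, start, seconds, ua):
    """Build a Filing from a start timestamp and seconds spent on the form."""
    t0 = datetime.fromisoformat(start)
    return Filing(rid, tid, ip, dev, t0, t0 + timedelta(seconds=seconds), ua)


# Constructed sample: three ordinary filers, a two-client preparer's office
# (shared IP, distinct devices) and a scripted batch that reuses one IP and one
# device identifier across four victims, each return finished in under a minute.
SAMPLE_FILINGS = [
    _filing("r001", "tp-0001", "192.0.2.10", "dev-a1", "2015-04-01T09:00:00", 1500, BROWSER_UA),
    _filing("r002", "tp-0002", "192.0.2.11", "dev-b2", "2015-04-01T10:12:00", 2200, BROWSER_UA),
    _filing("r003", "tp-0003", "192.0.2.12", "dev-c3", "2015-04-02T19:30:00", 980, BROWSER_UA),
    _filing("r004", "tp-0004", "198.51.100.20", "dev-p1", "2015-04-03T08:00:00", 1300, BROWSER_UA),
    _filing("r005", "tp-0005", "198.51.100.20", "dev-p2", "2015-04-03T08:45:00", 1700, BROWSER_UA),
    _filing("r006", "tp-0006", "203.0.113.7", "dev-ff01", "2015-04-04T02:00:00", 40, "python-requests/2.7.0"),
    _filing("r007", "tp-0007", "203.0.113.7", "dev-ff01", "2015-04-04T02:01:00", 35, "python-requests/2.7.0"),
    _filing("r008", "tp-0008", "203.0.113.7", "dev-ff01", "2015-04-04T02:02:00", 38, "python-requests/2.7.0"),
    _filing("r009", "tp-0009", "203.0.113.7", "dev-ff01", "2015-04-04T02:03:00", 41, "python-requests/2.7.0"),
]


def score_filings(filings):
    """Return {return_id: [reasons]}; an empty list means no indicator fired.

    The velocity indicators (IP reuse, device reuse) need the whole batch, so
    those counts are built first; timing and metadata checks are per filing.
    """
    taxpayers_by_ip = defaultdict(set)
    taxpayers_by_device = defaultdict(set)
    for f in filings:
        taxpayers_by_ip[f.src_ip].add(f.taxpayer_id)
        taxpayers_by_device[f.device_id].add(f.taxpayer_id)

    verdicts = {}
    for f in filings:
        reasons = []
        n_ip = len(taxpayers_by_ip[f.src_ip])
        if n_ip > MAX_TAXPAYERS_PER_IP:
            reasons.append(f"ip {f.src_ip} used by {n_ip} taxpayers")
        n_dev = len(taxpayers_by_device[f.device_id])
        if n_dev > MAX_TAXPAYERS_PER_DEVICE:
            reasons.append(f"device {f.device_id} used by {n_dev} taxpayers")
        elapsed = (f.submitted - f.started).total_seconds()
        if elapsed < MIN_HUMAN_SECONDS:
            reasons.append(f"completed in {elapsed:.0f}s")
        ua = f.user_agent.lower()
        if any(marker in ua for marker in AUTOMATION_UA_MARKERS):
            reasons.append(f"automation client: {f.user_agent}")
        verdicts[f.return_id] = reasons
    return verdicts


def flagged_returns(filings, min_indicators=2):
    """Hold a return only when several independent indicators agree."""
    return sorted(rid for rid, reasons in score_filings(filings).items()
                  if len(reasons) >= min_indicators)


if __name__ == "__main__":
    for rid, reasons in score_filings(SAMPLE_FILINGS).items():
        print(rid, "HOLD" if len(reasons) >= 2 else "ok", reasons)
```

Run against the sample, the preparer’s two returns (r004, r005) pass because a shared IP by itself is below threshold, while the four scripted returns trip all four indicators and are held. In practice the held returns would go to a manual review queue rather than being rejected outright, since a false positive delays a legitimate refund.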

These are fine steps – but they are also tools that banks and brokerages have relied on for close to a decade to spot fraudulent activity. The fact that the IRS – which receives 240 million returns annually – is only now applying them to electronically filed returns speaks volumes about the lackluster state of federal information security practice.

Why all the trouble with information security in the federal sector? The problems are as old as federal IT itself and attributable to everything from the government’s aging IT infrastructure (a central complaint of Archuleta’s) to its relatively low pay and rigid, bureaucratic structure. Government pay grades and a cubicle lost amid vast, circa-1970s office buildings are hardly qualities that will attract top technologists. The decentralized nature of the U.S. government’s IT operations – with each agency operating as an IT island – and the byzantine contracting system that funnels work to a small handful of approved entities, regardless of their track record, also contribute to what have become chronic failures.

Indeed, many of the criticisms leveled against OPM by its inspector general can just as easily be found in Inspector General reports from other agencies. An Inspector General’s report on the IRS’s information technology program issued at the end of 2014, for example, concluded that the IRS had a “significant deficiency” in the internal controls over its financial reporting systems in both 2012 and 2013. Those weaknesses extended to the “enterprise information technology security program, the protection of Federal tax information, implementation of enterprise risk management, security issues with systems development activities, implementation of security solutions, and security of employees,” the Treasury’s Inspector General reported.