In-brief: The resignation of the Office of Personnel Management’s Director may have ended official Washington’s search for a fall guy, but it won’t solve anything and may make recovering from the hack harder, experts warn.
It’s a truism of political life that when things go wrong, heads will roll. The annals of Washington D.C. are so replete with examples of otherwise accomplished politicians and bureaucrats forced to fall on their sword, that some (like famed political consultant Dick Morris) have made something of falling on their sword and living to tell of it.
The Washington establishment’s blood thirst was in full evidence last week, as the Director of the Office of Personnel Management, Katherine Archuleta, tendered her resignation following weeks of reports about the fallout of a sophisticated hack of OPM’s network that resulted in the theft of data on some 21 million current and former federal employees. Archuleta, who had headed up OPM for just 17 months, wrote in an e-mail to OPM staff on Friday morning that she “conveyed to the President that I believe it is best for me to step aside and allow new leadership to step in, enabling the agency to move beyond the current challenges and allowing the employees at OPM to continue their important work.”
But will Archuleta’s resignation make the job of fixing OPM’s security mess easier or harder? More broadly, is Washington D.C.’s cultural fixation on collecting political scalps in exchange for political capital a help or a hinderance when it comes to the massive and multi-year project of improving the security posture of government agencies? Experts the Security Ledger consulted said the answer is far from clear.
Archuleta’s resignation has been a hot topic of conversation over at The SANS Institute, a research and education organization that is a bastion of expertise on IT security serving more than 165,000 security professionals around the world.
Alan Paller, the founder and research director at SANS said there was ample evidence that heads needed to roll at OPM – he just isn’t sure that Archuleta’s was one of them.
In an e-mail to the Security Ledger, Paller said the key failings were of OPM’s rank and file IT staff – the “techies” responsible for managing the agency’s IT infrastructure. OPM almost certainly needs to bring on rank and file information technology and security staff with the right skills to identify and respond to the kinds of sophisticated attacks that are common in the government space.
There is also a strong case to be made that their bosses, the OPM’s Chief Information Officer, Chief Information Security Officer or equivalent positions, can be called to task and that an argument could be made for replacing them. At the very least, they failed to identify the skill set OPM needed –skills like threat discovery, containment and recovery — and bringing staff in house with those skills.
Archuleta should only be held accountable if the conclusion is that her hiring process was flawed, Paller argued.
His comments were echoed by John Pescatore, the Director of SANS. “The sad fact in the federal government is that it is easier to punish a department head than a CIO,” Pescatore wrote. “Most of the failures in configuration management, patching and privilege management are IT operations failures that many CIOs allow to continue and at best try to spackle over with ‘security.'” The Chief Information Officer was the first executive let go at Target following a disastrous breach there that eventually claimed the company’s CEO, as well. Pescatore said the federal government would do well to take their queue from the private sector. “I’d really like to see more focus on the IT operations side at government agencies as Federal CIO Tony Scott’s rapid cybersecurity review proceeds,” he wrote.
True, there’s ample evidence that IT and information security practices at Archuleta’s OPM were poor.
In a May, 2013 report describing the OPM’s efforts to modernize federal employee retirement processing systems, for example, the GAO documented failed IT modernization efforts stretching back two decades and concluded that OPM lacked the management capabilities to realize its stated goals.
“Among the management disciplines the agency has struggled with are project management, risk management, organizational change management, cost estimating, system testing, progress reporting, planning, and oversight,” GAO wrote.
But it is also clear that those problems existed long before she took the role of Director in 2013, and signs that the agency was beginning to address longstanding problems that created an environment in which malicious actors easily gained access to key IT systems and escaped notice.
As Security Ledger noted, OPM had, in recent months, embraced a new security mantra focused on detecting threats within its environment. Specifically: in a series of media interviews, position papers and public appearances, the agency’s information security director, Jeff Wagner, hailed OPM’s new approach to cyber security, which he described as “security through visibility” that focused on detecting anomalous behavior within OPM’s network, rather than on monitoring attacks from outside.
At the very least, cleaning house in the midst of an incident response operation sends a terrible message to the employees who are left, said Monzy Merza, the Chief Security Evangelist at the security firm Splunk.
“One of the most disheartening things is that we end up blaming the victim. It’s ridiculous.” Merza spent many years working as a contract incident responder and said that IT staff are critical assets in recovering from a cyber incident and deserve respect, even if their actions might plausibly be part of what led to the incident in the first place. “These are folks who work hard and do it every day. It’s a thankless job. They get blamed when something fails but they don’t get credit when things work.”
Speaking with Security Ledger before Archuleta resigned, Merza said that firing- or forcing out the leader of the organization that was victimized, political leaders only demonstrate that they don’t place much value on the work that those employees do and the importance of leadership within those organizations. “It breaks down the notion of who is serving or why they do their work. It’s completely demoralizing. It’s the worst thing you can do,” Merza said. “People work for people, not for organizations or legal entities. When you get rid of a leadership position, it undermines that.”
And what does OPM gain with Archuleta gone? Not much, security experts agree. The problems that existed at OPM before the firing are almost still there, and the agency must now move quickly to replace staff in the same, difficult hiring market.
“This isn’t about keyboarding skills,” said Merza. “You’re looking at 100,000 security jobs open with nobody to fill them,” said Merza. “Even if the person you’re firing was terrible, if they’ve been in a position for a long time, they have context and insight that can’t be replaced – even with a super ninja.”