One year ago, on July 10, 2015, Katherine Archuleta resigned her position as Director of the Office of Personnel Management (OPM) in the face of intense criticism following the announcement that OPM had been the victim of the worst breach of a government network in U.S. history. The breach itself had occurred much earlier, in March 2014, but OPM’s announcement about the theft of millions of people’s personal information came during a streak of similar breaches. In the wake of intrusions at Anthem, Sony, and Target, cybersecurity was already on everyone’s mind, a fact which only served to increase the impact of OPM’s announcement. Since then, the shadow of the OPM breach has loomed large over every action the U.S. government has taken to try to improve its resilience in the cyber-domain. But in the year since Archuleta resigned, how much has changed?
A number of factors contributed to OPM’s vulnerability to enemy hackers, and these factors were by no means limited to OPM. Archuleta blamed the breach on OPM’s legacy systems, old pieces of hardware and software that were still in use despite being profoundly outdated. This argument is not without merit, and in the time since it has helped spur a much-needed conversation about the federal acquisitions process.
Beyond using old, insecure systems, OPM also lacked strong authentication and privilege control systems. Authentication is the means by which users prove their identity to the system, and privilege control systems determine what users are allowed to do once their identity has been established. The lack of two-factor authentication – which uses a second, usually physical, token to prove a user’s identity – made it much easier for the hackers to gain access in the first place using stolen credentials.
The insufficient privilege controls meant that, once inside, the intruders’ actions did not draw attention, since the user identity they were using was technically allowed to access the information they were targeting. At their core, these problems are symptomatic of a larger issue – IT problems are often ignored until there is a major breach, at which point it is too late to do anything about it.
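As an added illustration of the two controls described above (this is example code, not anything from the article or from OPM’s systems), the block below shows a login that requires an RFC 6238 time-based one-time code in addition to a password, a role-based least-privilege check on what an authenticated account may read, and a volume check over the audit trail that notices an account reading far more than its job needs. The accounts, secrets, roles, record types, thresholds and timestamps are all constructed for the example.

```python
# Added example, not code from the article or from OPM: a stolen password
# alone fails when a second factor is required, a least-privilege check limits
# what an authenticated account may read, and an audit-volume check notices
# an account that reads far more than its job needs. All data is constructed.
import hashlib
import hmac
import struct
from collections import defaultdict
from typing import Optional

SALT = b"constructed-salt"  # a real system uses a random per-user salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# username -> (password hash, shared TOTP secret, role); constructed accounts
USERS = {
    "clerk": (hash_password("Winter2014!"), b"constructed-totp-secret", "hr_clerk"),
    "dba": (hash_password("correct horse"), b"another-constructed-secret", "db_admin"),
}

# Least-privilege policy: the record types each role is allowed to read.
ROLE_PERMISSIONS = {
    "hr_clerk": {"personnel_file"},
    "db_admin": {"schema_metadata"},
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1), as used by
    authenticator apps; the code changes every `step` seconds."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def authenticate(username: str, password: str, code: Optional[str],
                 unix_time: int, require_second_factor: bool = True) -> bool:
    """Password check, then (if required) the time-based code."""
    record = USERS.get(username)
    if record is None:
        return False
    pw_hash, totp_secret, _ = record
    if not hmac.compare_digest(pw_hash, hash_password(password)):
        return False
    if not require_second_factor:
        return True  # password-only login: a stolen password is enough
    if code is None:
        return False
    return hmac.compare_digest(code, totp(totp_secret, unix_time))


def authorize(username: str, record_type: str) -> bool:
    """Privilege control: may this already-authenticated account read this?"""
    role = USERS[username][2]
    return record_type in ROLE_PERMISSIONS.get(role, set())


def request_record(username: str, record_type: str, audit: list) -> bool:
    """Enforce the policy and record the decision for later review."""
    allowed = authorize(username, record_type)
    audit.append((username, record_type, allowed))
    return allowed


def flag_bulk_reads(audit: list, threshold: int) -> set:
    """Accounts whose *permitted* reads exceed the threshold. Least privilege
    decides what an account may touch; it does not by itself notice an
    authorised account pulling far more records than its job requires."""
    counts = defaultdict(int)
    for username, _record_type, allowed in audit:
        if allowed:
            counts[username] += 1
    return {user for user, n in counts.items() if n > threshold}


if __name__ == "__main__":
    now = 1_436_486_400  # constructed timestamp (10 July 2015, UTC)
    print("password only, second factor required:",
          authenticate("clerk", "Winter2014!", None, now))
    print("password plus current code:",
          authenticate("clerk", "Winter2014!", totp(USERS["clerk"][1], now), now))
    audit = []
    for _ in range(50):
        request_record("clerk", "personnel_file", audit)
    print("flagged for bulk reads:", flag_bulk_reads(audit, threshold=20))
```

The two layers matter in different ways: the second factor blocks the stolen-credential login outright, while the permission table and the read-volume check address what the article calls privilege control, so that an account that is technically allowed to read a record type still draws attention when it reads fifty of them.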
That being said, once a system has been breached, there is an opportunity to capitalize on the attention to try to rectify the flaws that caused the breach in the first place. Since OPM, the U.S. government has worked to institute a number of changes meant to enhance cybersecurity readiness, many of which came about through executive actions. For example, shortly after the OPM breach, President Obama called for a 30-day Cybersecurity Sprint geared towards fixing the most serious deficiencies in cybersecurity procedures across the federal government. This included limiting user privileges and accelerating the adoption of two-factor authentication.
The sprint also resulted in the Office of Management and Budget (OMB) releasing the Cybersecurity Strategy and Implementation Plan, which was meant to identify priorities and gaps in the government’s cybersecurity posture, as well as recommendations for addressing them. John Davis, the Vice President and Federal Chief Security Officer for Palo Alto Networks, told The Cipher Brief that “these executive actions established a promising foundation for enhancing our collective national cybersecurity, but will ultimately depend heavily upon Congress and the next Administration’s ability and willingness to implement.”
This is not a small issue, as Congress has proven to be largely unable to keep up with the rapidly changing world of cybersecurity. For example, the Cybersecurity Information Sharing Act was the first significant piece of cyber-related legislation to become law in decades, and it almost failed – as other, similar bills had in the past – due to concerns about privacy and government overreach.
Similarly, the federal acquisitions process with regard to cybersecurity remains slow and somewhat unwieldy. The government is attempting to improve its ability to partner with industry on cyber-issues, but ongoing conflicts between tech companies and the government continue to complicate those efforts.
In the same vein, the federal government has trouble attracting people to work in cybersecurity positions, as the shortage of IT professionals in the United States has ensured that industry can offer them higher salaries and, often, less bureaucracy.
While these problems are by no means insignificant, the current situation is better than it was in 2014, when the OPM breach occurred, or 2015, when the breach was announced. Awareness of the importance of cybersecurity has increased, and there is a stronger focus on preventing another major breach from occurring. As Senator Saxby Chambliss told The Cipher Brief, “If security of the system is to improve in a major way, the bureaucracy of the agency and the mindset of the employees has to be much more focused on the cybersecurity issue.” If that focus is lost, the chances of another major breach increase dramatically.
As the United States approaches a presidential election, there is a greater chance that cyber-issues will fall by the wayside. However, this outcome is less likely as long as foreign actors are penetrating U.S. government and government-affiliated networks, as this tends to galvanize the government and reaffirm its focus in this area. Assuming the government can maintain its momentum with regard to improving cybersecurity, progress is likely to continue – albeit slowly.
Luke Penn-Hall is the cyber and technology producer at The Cipher Brief.