The Office of Personnel Management (OPM) hack shocked the U.S. and exposed how vulnerable the federal government is to cyber attack. After intruders took the personal data of more than 20 million people held in federal personnel and background-investigation files, what did we learn?
1. IT isn't a priority until something goes wrong. OPM received repeated warnings from its Inspector General about weak cybersecurity at the agency, and some of them went unaddressed for up to eight years. Security was simply not a priority until the breach occurred.
Many asked why the earlier warnings were ignored. The answer is that organizations, government or business, rarely care about IT issues until something bad happens, and by then it is too late.
2. Budget cuts prevent critical security upgrades. When budgets get tight, organizations rarely protect IT funding. That restricts updates and upgrades, most of which are critical to network security. OPM was particularly exposed: not only did it lack money for network updates, but some of its systems were more than 20 years old and could not support modern encryption and security software in any case.
OPM's failure teaches us that organizations need to prioritize IT funding, even in austere times. Treating network upgrades as an afterthought raises the likelihood of an expensive and embarrassing breach.
3. Bureaucracy hamstrings quick reactions to a changing threat. The difference in pace between government agencies and hackers, criminal and state sponsored alike, is extraordinary. Government agencies update their cybersecurity too slowly to keep up with the constantly changing attack methods they face.
The government can buy software from private companies to adapt more quickly, but commercial products are no guarantee: the companies that build and run them are breached all the time, Sony and Target among them. Commercial software is cheaper and can be acquired faster, but on its own it won't fix the security problem.
As a result, the government is consistently outpaced by those trying to hack it. A current Pentagon initiative, DARPA's Cyber Grand Challenge, explores programs that would automatically find and fix vulnerabilities in other programs, reducing the need for constant manual upgrades. Even if that works, it removes bugs from software that can still be patched; it does not replace systems too old to run modern security controls at all.
4. Cyber defense is intrinsically different from physical defense. The U.S. is unrivaled in defense innovation and capability, but that does not necessarily carry over into cybersecurity. In the traditional sense of state security, a single individual with commercial hardware could not credibly challenge the dominance of the United States. In cyberspace that is not the case.
It is relatively easy to become a hacker. The cost of developing new tools is also very low, so a large number of bad actors can generate a large volume of malware quickly. Cyber is a domain where talented individuals can do vastly disproportionate damage to target systems. All of this adds up to a domain fundamentally different from anything the United States had to deal with before the advent of the Internet.
5. Humans are always the weakest part of any cybersecurity system. Even the most secure networks have an Achilles heel: the people who use them. Cybersecurity professionals routinely point to human error as the largest cause of breaches. It does not matter how good a network's defenses are if the people using it click on pop-ups or open attachments in strange emails. To reduce the exposure created by careless employees, organizations need to invest in education and promote better practices. Training lowers the rate of bad clicks but never to zero, so the network also has to be built so that one stolen credential or one bad click does not hand over everything: multi-factor authentication, least privilege, and segmentation between systems.
Cybersecurity needs to be integrated into the daily functions of government. That would require a fundamental change in how the government views IT, because the status quo will only produce more, and more damaging, breaches.
Luke Penn-Hall is an analyst at The Cipher Brief.