The Office of Personnel Management (OPM) was the victim of a cyber-attack in 2014. Hackers (the Chinese are suspected) gained access to OPM’s local-area network on or about May 7, 2014 by stealing credentials, then planting malware and creating a backdoor for exfiltration. Actual exfiltration of data on background investigations did not begin until July 3, 2014, and it continued until August. In October 2014, the hackers pivoted to the Interior Department data center where OPM’s personnel records resided. On December 15, 2014, the intruders siphoned that data away. OPM did not discover that it had a problem until April 15, 2015. The attack succeeded in stealing personal data on 22 million current or former federal employees.
While the number of personnel files is staggering, why is this the most significant breach of the U.S. Government (USG) to date?
OPM is an agency with in excess of six thousand employees, a budget in excess of $2 billion and a “revolving fund” of another $2 billion. Part of its mission is the management of security clearances for the USG. OPM is responsible for investigating individuals to give them Secret and Top Secret clearances. The 2014 cyberattack succeeded in obtaining all personal information on each individual who was investigated by OPM for such clearances. This includes applicants and employees of all law enforcement, intelligence, and military agencies as well as U.S. military personnel. Those records include names and locations of family members, health issues, criminal conduct, and names and locations of friends, in addition to social security numbers, financial documents, and employment history.
The attackers may have already used the information to the detriment of the USG, or they may never use it. But just having the names and personal information on every applicant for security clearances will give an adversary a huge advantage in the world of intelligence gathering and potentially expose future covert operations.
As we consider how the USG has improved its defensive cyber capabilities, a look at how OPM has applied lessons learned and put measures in place to prevent future attacks reflects improvements across the USG.
When something of this magnitude happens, leadership is always called into question, and here, the Director of OPM, Katherine Archuleta, became the focus of scrutiny. Her testimony at a June 23, 2015 hearing of the Financial Services and General Government Subcommittee of the Senate Appropriations Committee left little doubt she was in a position that did not match her capabilities. Thus she was forced to resign on July 10, 2015.
Her testimony that day sought to put the blame for the attack on “legacy systems” that she inherited at OPM versus any human failure, and while some of the breached systems were old legacy systems, some were not. It is evident that under her leadership, the focus of OPM was on its core mission, and no attention was paid to several recent annual Office of the Inspector General (OIG) reports that warned OPM that its IT systems were vulnerable.
The new leadership at OPM is under Acting Director Beth Cobert, who has been in place for less than a year but has initiated some basic improvements in the IT system that will improve its security over time. Changes include: requiring two-factor authentication (including the use of biometrics); limiting remote access by requiring that OPM hardware be physically in place in order to access the system; and a significant increase in cybersecurity training for employees.
In addition, OIG has several full-time staffers dedicated to OPM oversight. The Department of Homeland Security (DHS) has also stepped up its oversight of the agency and is making suggestions and recommendations on IT to OPM staff on a regular basis. This oversight by DHS is particularly important because DHS itself, under the leadership of Jeh Johnson, has made significant improvements in its cyber capabilities.
In addition, the Department of Defense (DoD) has taken control of all background checks for military personnel, and while OPM contractors continue to perform other agency background checks, the information gathered in those checks is to be housed at DoD, not OPM.
Even with the additional security provisions in place, OPM has to deal with major short-term and long-term cybersecurity issues. For example, after agency officials discovered a separate intrusion into the system in 2014, OPM awarded a controversial sole-source contract to Imperatis Corporation “to make major security improvements to the existing environment and continue to operate OPM systems in their current location.” The contract was for $20 million, and after reviewing the contract process, the OPM Inspector General stated in a June 2015 report, “there is high risk that this Project will fail to meet the objective of providing a secure operating environment for OPM systems and applications.” Now, a year later, the contractor has defaulted on the contract prior to completion after its workers failed to show up for work on the contract on May 9, 2016.
Some of the measures taken by OPM will minimally improve the security of the OPM systems. However, the system still remains vulnerable to attack today. If security of the system is to improve in a major way, the bureaucracy of the agency and the mindset of the employees have to be much more focused on the cybersecurity issue.
All government agencies and Congress should learn from the OPM experience. They are going to be constant targets of nation states, common criminals, and amateur hackers; their IT systems are vulnerable, and they need to be vigilant in maintenance, upgrade, and training to stay ahead of the cybersecurity curve; and leadership at every USG Agency must be focused on cybersecurity, giving it the highest priority.