Leadership, Not Technology, Blamed for Huge OPM Breach

A report published this week by the U.S. House of Representatives Committee on Oversight and Government Reform said the data breaches disclosed by the Office of Personnel Management (OPM) last year were a result of culture and leadership failures, and should not be blamed on technology.

The OPM reported in June 2015 that hackers had accessed the personal data of more than 4 million federal employees. The next month, officials provided an update saying that the details of roughly 21.5 million additional people who underwent background checks had also been compromised. An investigation revealed that attackers had also stolen fingerprint data associated with 5.6 million individuals.

Threat actors based in China are believed to be behind the attacks and officials are concerned that, given the sensitivity of the compromised data, the incident will have a long-term impact on national security and counterintelligence.

According to the report published by the Oversight and Government Reform committee, the OPM inspector general had warned since at least 2005 that the agency’s systems were highly vulnerable to hacker attacks.

The report reveals that OPM learned of one breach in March 2014, after US-CERT informed the organization that a third-party had observed threat actors exfiltrating data from its networks. The agency monitored the hacker’s activities until late May, when it decided to kick it off its network as it had been getting too close to systems storing security clearance background information.

In the meantime, starting on May 7, a different hacker breached OPM’s systems using credentials stolen from one of the agency’s contractors. This second hacker went undetected for nearly a year, during which they exfiltrated background investigation files (July-August 2014), personnel records (December 2014) and fingerprint data (early 2015).

The second attacker’s presence was only discovered in April 2015. The authors of the report believe this hacker may have leveraged manuals and other information collected by the first hacker.

The report says OPM could have potentially prevented the incident had it implemented basic, required security controls, such as two-factor authentication, and expedited the deployment of more advanced security solutions after learning about the first breach.

Apparently, the agency used a product from Cylance, which consistently detected threats, but the solution was only deployed after the second hacker was detected in April 2015. OPM leadership allegedly ignored recommendations from the organization’s director of IT security operations to deploy the Cylance product after the initial attack was detected in March 2014.

The oversight committee has accused OPM officials of misleading Congress and the public, and attempting to downplay the incident.

“The longstanding failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the Inspector General, represents a failure of culture and leadership, not technology,” the report reads. “As OPM discovered in April 2015, tools were available that could have prevented the breaches, but OPM failed to leverage those tools to mitigate the agency’s extensive vulnerabilities.”

In response, OPM Acting Director Beth Colbert pointed out that the agency disagrees with many aspects of the committee’s report, but did not provide any clarifications. Colbert also highlighted several steps taken by the organization since the incident, including use of multi-factor authentication, rebuilding web-based applications, implementation of the DHS’s Einstein security system, and migration to a modern IT infrastructure.