The OPM breach report: A long time coming

The catastrophic breach of the federal Office of Personnel Management, which exposed the personal information of more than 22 million current and former employees, became public in mid-2015. It took another 15 months for Congress to complete a report on it

1 2 Page 2
Page 2 of 2

“Most of the details were leaked to the press and left it to the imagination of professionals trying to defend their organization from possible similar attacks to ascertain fact or fiction,” he said.

leo taddeo

Leo Taddeo, CSO, Cryptzone, former FBI agent

And Baker, while not surprised at the time it took, agreed that, “the internal reporting could and should have been much faster.”

Whether the report’s blistering findings will change the security culture within the government is uncertain. As noted earlier, those in charge – Archuleta and Seymour – were allowed to resign rather than be fired. The government made it clear that it accepts liability for any damages to the victims.

And while, in the wake of the breach, President Obama, the federal CIO and the Office of Management and Budget directed all federal agencies to use 100 percent encryption and digital certificates on all websites, Bocek said, “they failed to mention any direct preparation to deal with the new threats that arise from using encryption.”

Those include the malicious use of digital certificates. “If encryption is the default, every website will use certificates to make the padlock glow green in your browser and turn on encryption,” Bocek said. “The hackers behind the OPM breach understood this, and when they created the website, they used a digital certificate to make users feel safe.”

ann barron dicamillo

Ann Barron-DiCamillo, CTO, Strategic Cyber Ventures; former director of US CERT

Also, if everything is encrypted, it is easier for malicious actors to hide. “Security controls like firewalls, IPS/IDS, sandboxes and more all expect to scan traffic,” he said. “Unless they can look inside encrypted traffic, they are blind and useless.”

Incoming traffic can create problems as well, he said. “It means all these security systems will need to have all the keys and certificates from an organization loaded in to them. This is a huge challenge and one that only automation can help solve,” he said.

Taddeo added that the report didn’t go into much detail about how quickly the IOCs were shared with network defenders. Besides IOCs, “the information most important to network defenders includes the hacker tactics, techniques, and procedures (TTPs), IP addresses, virus signatures, URLs or domain names of botnet command and control servers, and MD5 hashes of malware files,” he said. “This type of information should be shared very quickly by investigators and in most cases it is.”

But the report, he noted, “is not clear how long it took to publish the TTPs and IOCs.”

The report does say that the committee, “remains hopeful that OPM, under the new leadership of Acting Director Beth Cobert, is in the process of remedying decades of mismanagement.”

And it offers 13 recommendations for reform, including updated technology, better training, better cyber hygiene and to, “ensure that agency CIOs are empowered, accountable and competent.”

None of it inspires much confidence in Chirhart, who said he is among the breach victims.

If OPM had been a private corporation subject to various state laws, “its response could have led to litigation,” he said. “But the federal government is protected by sovereign immunity, so victims are ‘lucky’ to have received what they did, and have very little, if any, legal recourse for compensation.”

The enormous irony, he noted, is that the stolen data was what the government used to determine whether a person could be trusted to handle sensitive, classified data. “The very same people who determine worthiness for everyone else proved themselves to be the ones incapable of properly handling sensitive information,” he said.

This story, "The OPM breach report: A long time coming" was originally published by CSO.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2016 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
IT Salary Survey: The results are in