The OPM breach report: A long time coming

The catastrophic breach of the federal Office of Personnel Management, which exposed the personal information of more than 22 million current and former employees, became public in mid-2015. It took another 15 months for Congress to complete a report on it

katherine archuleta

Then U.S. Office of Personnel Management Director Katherine Archuleta testifies before a House Oversight and Government Reform hearing on the data breach of OPM computers, on Capitol Hill in Washington June 16, 2015.

Credit: REUTERS/Jonathan Ernst

If you want to have even a chance of defeating cyber attacks, you have to be quick.

So, in hindsight, there is no mystery why the federal government’s Office of Personnel Management (OPM) was a loser to attackers who exfiltrated personal data – including in many cases detailed security clearance information and fingerprint data – of more than 22 million current and former federal employees.

Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later.

These and dozens of other depressing details are in a timeline that is part of a 241-page report released last month by the House Committee on Oversight and Government Reform, bluntly titled, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”

Indeed, the report opens with a series of quotes from high-level intelligence officials, all declaring in stark terms how catastrophic the effects of the breach will be, for decades.

FBI Director James Comey spoke of the information contained in the so-called SF-86 form, used for conducting background checks for employee security clearances.

“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses,” he said. “So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”

The SF-86 also contains information on financial history, investments, arrest records, medical problems, any drug or alcohol problems and other material that could be used to blackmail an employee.

The report itself wasn’t exactly turned around quickly either – it took around 15 months from the time the breach was made public, even though much of what is contained it had been covered in the IT or mainstream press much earlier. Indeed, there are a number of citations in it to news articles.

There were also plenty of early warnings about how vulnerable the department was. It had no IT security staff until 2013. An inspector general’s report from November 2014 was blunt about a lack of basic security measures including:

  • A lack of encryption
  • No two-factor authentication for workers remotely accessing the system
  • No inventory of servers and databases
  • Lack of awareness of all the systems connected to its networks

Or, as the report summarized it, the breach, and the failure to detect and contain it were, “in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems.”

One of the key findings in the report was that, “OPM failed to heed repeated recommendations from its Inspector General,” which began in 2005.

It said the discovery of who it called “Hacker X1” in March 2014, “should have sounded a high level, multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data.”

Yet, a June 2015 letter from then OPM CIO Donna K. Seymour to the millions of victims of the breach said the OPM, “takes very seriously its responsibility to protect your information,” and offered credit monitoring service and identity fraud insurance as “a courtesy.”

But it followed that with a declaration that the OPM would not take any responsibility for failing to protect it. “Nothing in this letter should be construed as OPM or the US Government accepting liability for any of the matters covered by this letter or for any other purpose,” it said.

Seymour was not fired. She retired this past February, two days before she was scheduled to appear before Congress to talk about the breach. The head of OPM during the intrusion, Kathleen Archuleta was not officially fired either. She resigned under pressure from Congress in July 2015.

All of which raises the question of whether the report itself is more evidence that government is not up to the task of safeguarding what Joel Brenner, former National Security Agency (NSA) senior counsel, called, “crown jewel material.”

If it takes Congress more than a year simply to report on what went wrong, what chance does the bureaucracy have to keep up with ever-evolving cyber threats?

A number of security experts agreed that the report was slow in coming, but pointed out that a report is not the response.

All agreed that OPM had what former Department of Homeland Security (DHS) official Stewart Baker called, “a lousy security culture.

Baker, now a blogger, partner at Steptoe & Johnson and a board member of the Association of Former Intelligence Officers (AFIO), added that, “someone probably should have been fired sooner.”

stewart baker

Stewart Baker, blogger and partner at Steptoe & Johnson

But he and others said politics can put a drag on any report. “It’s a congressional investigation,” he said. “I’m sure the executive branch was cautious in cooperating, so I’m not surprised it took as long as it did.”

John Chirhart, federal technical director at Tenable Network Security, compared it to the way the National Transportation Safety Board (NTSB) works. “One of the cardinal rules of any investigation is not to officially determine the cause or cast blame until the investigation is complete,” he said. “Based on the OPM report, one could argue that OPM took the NTSB approach to investigating the breach.”

The so-called actionable indicators of compromise (IOC) were shared with both private and public sectors, “as soon as the findings cleared the equitable process,” said Ann Barron-DiCamillo, CTO of Strategic Cyber Ventures and the former director of US CERT (Computer Emergency Readiness Team).

john chirhart

John Chirhart, federal technical director, Tenable Network Security

“This report wasn’t sharing actionable data but provided forensic assessment of the activities and shortcomings leading to the breaches,” she said, adding that investigations like this, “are complicated with many moving parts and stakeholders involved but further exacerbated by being a federal entity with multiple oversight bodies.”

Leo Taddeo, CSO of Cryptzone and former special agent in charge at the FBI’s New York City cybercrimes division, was not surprised at the time it took to complete the report. “Conducting interviews of key personnel can be delayed by the fact that they are in crisis mode trying to remediate the damage,” he said. “There is also significant time required to schedule witnesses and arrange hearings.”

But at least one expert – Kevin Bocek, vice president of security strategy and threat intelligence at Venafi – said he was “disturbed” at how long it took to finish the report.

1 2 Page 1
Download the CIO October 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.