How OPM data breach could have been prevented

The director of the U.S. government's Office of Personnel Management is out after finding the data breach was larger than initially thought.

The recently disclosed data breach at the U.S. government's Office of Personnel Management follows a long history of lax security at the agency, according to the inspector general's office.

In testimony before a joint House subcommittee hearing, Michael Esser, OPM's assistant inspector general for audits, told lawmakers that the agency's "long history of systemic failures to properly manage its IT infrastructure" may have invited a pair of related hacking incidents that compromised more than 21 million current and former government employees' personal information.


That figure is more than five times the agency's initial estimate of the breach's scope; OPM says it first discovered the intrusion in April.

Then late Friday word emerged that the embattled head of the agency was stepping down.

Esser says that OPM has made some improvements in its security posture, but at the same time he expresses frustration that many recommendations his office has made over the years -- some dating back to 2007 -- have essentially been ignored within the agency.

"We are pleased to see that the agency is taking steps to improve its IT security posture, but many challenges still lay ahead," Esser says.

OPM faces budget and resource challenges in fight to improve IT security

Esser acknowledges that OPM, like virtually every other entity in the federal government, faces a challenging budget environment that limits the organization's ability to undertake major IT initiatives, but that's only part of the problem.

"Resources, I think, are always an issue, but are not the sole answer. Sometimes we feel that things that we report don't get the attention that they should get," Esser says.

Lawmakers noted that the CIO of OPM had been invited to testify, but declined owing to a scheduling conflict.

But the breach has reverberated throughout the organization, with Friday bringing the resignation of the agency's director, Katherine Archuleta.

"I think what the president thinks is that it's quite clear that new leadership, with a set of skills and experiences that are unique to the urgent challenges that OPM faces are badly needed," White House Press Secretary Josh Earnest told reporters on Friday. At the daily White House press briefing, Earnest explained that Archuleta offered her resignation "of her own volition," and he praised her for elevating cybersecurity as a priority within the agency.

"And it's precisely because of some of the reforms that she initiated, that this particular cyber breach was detected in the first place," Earnest said.

Beth Cobert, who has been serving as OPM's chief performance officer, will take the director's job on an interim basis while the administration searches for a permanent replacement.

Inspector general pushes for better security practices

In the meantime, the inspector general continues to press for OPM to take steps to address lax security practices that he says left the agency vulnerable to the massive breaches that exposed millions of names, addresses, Social Security numbers and other personal information.

Esser describes an inconsistent governance framework for information security, which he sees as the inevitable byproduct of a decentralized organizational structure. The agency has been making some strides on that front, but much work remains, he says.

"It is vital to have a centralized governance structure," Esser says. "OPM has made improvements in this area, but it's still working to recover from years of decentralization."

Additionally, he takes aim at the assessment and authorization mechanisms in place to ensure the security of the applications in use within the agency. In a 2014 audit, Esser's team discovered that 11 of 47 major OPM systems were operating without a valid authorization, as set forth by OMB standards.

Esser also says that OPM needs to improve its technical security controls in areas like authentication and configuration management.

OPM, which oversees sensitive data including files relating to security clearances for federal workers, today finds itself the focal point of the debate over information security within the government, but insiders note that the problems are hardly confined to a single agency.

Gregory Wilshusen is the director of Information Security Issues at the U.S. Government Accountability Office. At the House hearing, he was asked how he would grade the federal cybersecurity apparatus, generally. After only the slightest hesitation, Wilshusen responded, "D."

"In many respects there are improvements within federal information security and some initiatives, but it's getting to the effective implementation of those security controls and some of the initiatives over time consistently that's been proved challenging," he says.

Following the revelations of the OPM data breach, the White House announced what it called a "cybersecurity sprint," a 30-day blitz across the federal government to address some of the most critical vulnerabilities. Then, last week, the administration issued a fact sheet touting the successes of that program and others focused on cybersecurity.

Wilshusen credits the administration for taking steps to improve security and to call attention to the threats, though he takes issue with the terminology of the latest effort, calling for a more fundamental shift that would embed security considerations within the daily operations of the departments and agencies.

"The need for assessing and monitoring the effectiveness of security controls needs to be done on a continuous-monitoring basis because threats change every day," Wilshusen says. "It's not a sprint -- it's a marathon."
