The OPM breach report: A long time coming

The catastrophic breach of the federal Office of Personnel Management, which exposed the personal information of more than 22 million current and former employees, became public in mid-2015. It took another 15 months for Congress to complete a report on it.

If you want to have even a chance of defeating cyber attacks, you have to be quick.

So, in hindsight, there is no mystery why the federal government’s Office of Personnel Management (OPM) lost to attackers who exfiltrated personal data – including, in many cases, detailed security clearance information and fingerprint data – of more than 22 million current and former federal employees.

Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later.

These and dozens of other depressing details are in a timeline that is part of a 241-page report released last month by the House Committee on Oversight and Government Reform, bluntly titled, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”

Indeed, the report opens with a series of quotes from high-level intelligence officials, all declaring in stark terms how catastrophic the effects of the breach will be, for decades.

FBI Director James Comey spoke of the information contained in the so-called SF-86 form, used for conducting background checks for employee security clearances.

“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses,” he said. “So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”

The SF-86 also contains information on financial history, investments, arrest records, medical problems, any drug or alcohol problems and other material that could be used to blackmail an employee.

The report itself wasn’t exactly turned around quickly either – it took around 15 months from the time the breach was made public, even though much of what it contains had been covered in the IT or mainstream press much earlier. Indeed, there are a number of citations in it to news articles.

There were also plenty of early warnings about how vulnerable the department was. It had no IT security staff until 2013. An inspector general’s report from November 2014 was blunt about a lack of basic security measures including:

  • A lack of encryption
  • No two-factor authentication for workers remotely accessing the system
  • No inventory of servers and databases
  • Lack of awareness of all the systems connected to its networks

Or, as the report summarized it, the breach, and the failure to detect and contain it were, “in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems.”

One of the key findings in the report was that, “OPM failed to heed repeated recommendations from its Inspector General,” which began in 2005.

It said the discovery of whom it called “Hacker X1” in March 2014 “should have sounded a high level, multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data.”

Yet, a June 2015 letter from then OPM CIO Donna K. Seymour to the millions of victims of the breach said the OPM, “takes very seriously its responsibility to protect your information,” and offered credit monitoring service and identity fraud insurance as “a courtesy.”

But it followed that with a declaration that the OPM would not take any responsibility for failing to protect it. “Nothing in this letter should be construed as OPM or the US Government accepting liability for any of the matters covered by this letter or for any other purpose,” it said.

Seymour was not fired. She retired this past February, two days before she was scheduled to appear before Congress to talk about the breach. The head of OPM during the intrusion, Katherine Archuleta, was not officially fired either. She resigned under pressure from Congress in July 2015.

All of which raises the question of whether the report itself is more evidence that government is not up to the task of safeguarding what Joel Brenner, former National Security Agency (NSA) senior counsel, called, “crown jewel material.”

If it takes Congress more than a year simply to report on what went wrong, what chance does the bureaucracy have to keep up with ever-evolving cyber threats?

A number of security experts agreed that the report was slow in coming, but pointed out that a report is not the response.

All agreed that OPM had what former Department of Homeland Security (DHS) official Stewart Baker called “a lousy security culture.”

Baker, now a blogger, partner at Steptoe & Johnson and a board member of the Association of Former Intelligence Officers (AFIO), added that, “someone probably should have been fired sooner.”

Stewart Baker, blogger and partner at Steptoe & Johnson

But he and others said politics can put a drag on any report. “It’s a congressional investigation,” he said. “I’m sure the executive branch was cautious in cooperating, so I’m not surprised it took as long as it did.”

John Chirhart, federal technical director at Tenable Network Security, compared it to the way the National Transportation Safety Board (NTSB) works. “One of the cardinal rules of any investigation is not to officially determine the cause or cast blame until the investigation is complete,” he said. “Based on the OPM report, one could argue that OPM took the NTSB approach to investigating the breach.”

The so-called actionable indicators of compromise (IOC) were shared with both private and public sectors, “as soon as the findings cleared the equitable process,” said Ann Barron-DiCamillo, CTO of Strategic Cyber Ventures and the former director of US CERT (Computer Emergency Readiness Team).

John Chirhart, federal technical director, Tenable Network Security

“This report wasn’t sharing actionable data but provided forensic assessment of the activities and shortcomings leading to the breaches,” she said, adding that investigations like this, “are complicated with many moving parts and stakeholders involved but further exacerbated by being a federal entity with multiple oversight bodies.”

Leo Taddeo, CSO of Cryptzone and former special agent in charge at the FBI’s New York City cybercrimes division, was not surprised at the time it took to complete the report. “Conducting interviews of key personnel can be delayed by the fact that they are in crisis mode trying to remediate the damage,” he said. “There is also significant time required to schedule witnesses and arrange hearings.”

But at least one expert – Kevin Bocek, vice president of security strategy and threat intelligence at Venafi – said he was “disturbed” at how long it took to finish the report.

Stories by Taylor Armerding