“Most of the details were leaked to the press and left it to the imagination of professionals trying to defend their organization from possible similar attacks to ascertain fact or fiction,” he said.
And Baker, while not surprised at the time it took, agreed that, “the internal reporting could and should have been much faster.”
Whether the report’s blistering findings will change the security culture within the government is uncertain. As noted earlier, those in charge – Archuleta and Seymour – were allowed to resign rather than be fired. The government made it clear that it accepts liability for any damages to the victims.
And while, in the wake of the breach, President Obama, the federal CIO and the Office of Management and Budget directed all federal agencies to use 100 percent encryption and digital certificates on all websites, Bocek said, “they failed to mention any direct preparation to deal with the new threats that arise from using encryption.”
Those include the malicious use of digital certificates. “If encryption is the default, every website will use certificates to make the padlock glow green in your browser and turn on encryption,” Bocek said. “The hackers behind the OPM breach understood this, and when they created the opmsecurity.org website, they used a digital certificate to make users feel safe.”
Also, if everything is encrypted, it is easier for malicious actors to hide. “Security controls like firewalls, IPS/IDS, sandboxes and more all expect to scan traffic,” he said. “Unless they can look inside encrypted traffic, they are blind and useless.”
Incoming traffic can create problems as well, he said. “It means all these security systems will need to have all the keys and certificates from an organization loaded into them. This is a huge challenge and one that only automation can help solve,” he said.
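Bocek’s point about a lookalike site carrying a valid certificate suggests one defensive check a network defender can automate: watch newly issued certificates (for example, from a Certificate Transparency feed) for names that borrow the organization’s brand but are not domains the organization operates. The example below is added here and is not part of the article or any quoted expert’s work; the allowlisted domains, the brand token and the certificate records are constructed placeholders, and the CT-log ingestion itself is left out.

```python
# Added example: flag certificates whose names imitate an organization's brand
# but are not on its own domain allowlist. All values below are constructed.

# Domains the organization actually operates (placeholder allowlist).
ORG_DOMAINS = {"opm.gov", "www.opm.gov", "e-qip.opm.gov"}

# Short brand tokens a lookalike registration would tend to reuse.
BRAND_TOKENS = ("opm",)

# Constructed certificate records in the shape a CT-log monitor might emit.
SAMPLE_CERTS = [
    {"subject": "www.opm.gov", "san": ["www.opm.gov", "opm.gov"], "issuer": "Example CA"},
    {"subject": "opmsecurity.org", "san": ["opmsecurity.org", "www.opmsecurity.org"],
     "issuer": "Example Free CA"},
    {"subject": "shop.example.net", "san": ["shop.example.net"], "issuer": "Example CA"},
]


def is_org_domain(host, org_domains):
    """True if host is an allowlisted domain or a subdomain of one."""
    return host in org_domains or any(host.endswith("." + d) for d in org_domains)


def label_carries_token(label, token):
    # Match the token as a label prefix/suffix or as a hyphen-separated piece, so
    # "opmsecurity" and "opm-login" hit but an unrelated word merely containing
    # the letters (e.g. "development") does not.
    return label.startswith(token) or label.endswith(token) or token in label.split("-")


def is_lookalike(name, brand_tokens=BRAND_TOKENS, org_domains=ORG_DOMAINS):
    host = name.lower().strip(".")
    if is_org_domain(host, org_domains):
        return False
    return any(label_carries_token(label, token)
               for label in host.split(".") for token in brand_tokens)


def flag_certificates(certs, brand_tokens=BRAND_TOKENS, org_domains=ORG_DOMAINS):
    """Return one record per certificate that carries at least one lookalike name."""
    flagged = []
    for cert in certs:
        names = {cert["subject"], *cert["san"]}
        hits = sorted(n for n in names if is_lookalike(n, brand_tokens, org_domains))
        if hits:
            flagged.append({"issuer": cert["issuer"], "names": hits})
    return flagged


if __name__ == "__main__":
    for record in flag_certificates(SAMPLE_CERTS):
        print("lookalike certificate from", record["issuer"], "for", ", ".join(record["names"]))
```

The heuristic is deliberately narrow (brand token as a label prefix, suffix or hyphenated piece); a production monitor would add homoglyph and edit-distance checks and feed the hits into a takedown or blocklist workflow rather than only printing them.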
Taddeo added that the report didn’t go into much detail about how quickly the IOCs were shared with network defenders. Besides IOCs, “the information most important to network defenders includes the hacker tactics, techniques, and procedures (TTPs), IP addresses, virus signatures, URLs or domain names of botnet command and control servers, and MD5 hashes of malware files,” he said. “This type of information should be shared very quickly by investigators and in most cases it is.”
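Once indicators of the kinds Taddeo lists (IP addresses, domains, MD5 hashes of malware files) reach a defender, the first practical use is to sweep existing logs for them. The example below is added here and is not from the article or from any quoted expert; the IOC values and the log lines are constructed placeholders chosen only to exercise the matching logic.

```python
# Added example: match a small IOC set (IPs, domains, MD5 hashes) against log lines.
# All indicator values and log lines are constructed, not real indicators.
import re

IOCS = {
    "ip": {"203.0.113.45"},                               # RFC 5737 documentation range
    "domain": {"opmsecurity.org"},                        # domain named in the article
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},         # MD5 of the empty string, as a placeholder
}

# Constructed proxy and antivirus log lines.
SAMPLE_LOGS = [
    "proxy allow src=10.1.2.3 dst=203.0.113.45 host=opmsecurity.org uri=/login",
    "proxy allow src=10.1.2.4 dst=198.51.100.7 host=www.example.com uri=/",
    "av scan file=C:\\Users\\a\\update.exe md5=D41D8CD98F00B204E9800998ECF8427E",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Loose host-name pattern; file names like "update.exe" also match, which is harmless
# because they are only ever compared against the IOC domain set.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract(line):
    """Pull candidate indicators out of one log line, normalized to lowercase."""
    return {
        "ip": set(IPV4_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "md5": {h.lower() for h in MD5_RE.findall(line)},
    }


def domain_matches(candidate, ioc_domains):
    # A subdomain of a known-bad domain is treated as a hit as well.
    return candidate in ioc_domains or any(candidate.endswith("." + d) for d in ioc_domains)


def match_iocs(lines, iocs=IOCS):
    """Return (line_number, indicator_kind, value) for every IOC seen in the lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        found = extract(line)
        for kind in ("ip", "domain", "md5"):
            for value in sorted(found[kind]):
                if kind == "domain":
                    if domain_matches(value, iocs["domain"]):
                        hits.append((lineno, kind, value))
                elif value in iocs[kind]:
                    hits.append((lineno, kind, value))
    return hits


if __name__ == "__main__":
    for lineno, kind, value in match_iocs(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} indicator {value}")
```

Hash and domain comparisons are case-normalized, which matters because antivirus products and proxies differ in how they print them; on real volumes the same logic would run over a log pipeline rather than an in-memory list, but the matching rules are the same.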
But the report, he noted, “is not clear how long it took to publish the TTPs and IOCs.”
The report does say that the committee, “remains hopeful that OPM, under the new leadership of Acting Director Beth Cobert, is in the process of remedying decades of mismanagement.”
And it offers 13 recommendations for reform, including updated technology, better training, better cyber hygiene and to, “ensure that agency CIOs are empowered, accountable and competent.”
None of it inspires much confidence in Chirhart, who said he is among the breach victims.
If OPM had been a private corporation subject to various state laws, “its response could have led to litigation,” he said. “But the federal government is protected by sovereign immunity, so victims are ‘lucky’ to have received what they did, and have very little, if any, legal recourse for compensation.”
The enormous irony, he noted, is that the stolen data was what the government used to determine whether a person could be trusted to handle sensitive, classified data. “The very same people who determine worthiness for everyone else proved themselves to be the ones incapable of properly handling sensitive information,” he said.