2005-01-28

Questions regarding the OPM data breach

2015-09-30

A report to the nation concerning the OPM data breaches
is certainly in order.
Among the questions that need to be answered,
I would include these:

  1. Were there any ways that the data breaches could have been prevented?
  2. What were they?
  3. Who was responsible for the non-execution of those preventive measures?


Some pertinent articles:

The breach we could have avoided
by Rep. Jason Chaffetz
The Hill, 2015-10-01

[Note: I only became aware of this article on 2015-10-01, the day after I wrote the above.]

...

The Office of Personnel Management (OPM) attack was the result of
negligence,
inadequate cybersecurity measures,
mismanagement of IT budgets over decades,
poor data management and
incompetent leadership
that, unfortunately, remain in place today.

[So wrote Rep. Jason Chaffetz.
More from Rep. Chaffetz:]


...

Competent leaders would have seen the obvious threat and responded to it. The OPM’s didn’t.

By ignoring repeated warnings of system vulnerability,
failing to adopt basic cybersecurity best practices and
wasting millions of dollars maintaining outdated technology,
OPM leaders left the agency’s valuable data vulnerable to attack.

The resulting breach was entirely predictable and its risk well known.

OPM leadership consciously ignored warnings of “material weakness” in data security from the inspector general (IG) for at least eight years.

Inexcusably, OPM leadership operated systems without valid authorizations despite knowing the inherent risks.

The OPM did not encrypt Social Security numbers despite being required to do so.

It is also unclear why the OPM left all 21.5 million individuals’ security clearance files active on its system.
Information that isn’t available on a network can’t be hacked.

...

Bad decision-making at the OPM was not limited to security measures. The agency also proved a poor steward of IT dollars.

Since 2008 the Obama administration has spent in excess of $525 billion on IT, and it’s not working.

Instead of investing in cutting-edge technology, officials wasted millions on outdated legacy systems, which make the application of security tools far more challenging.

Astonishingly, the OPM operates using 1950s-era Cobol language, which is difficult, if not impossible, to update to include encryption or multifactor authentication due to its aging code base.

Yet the OPM spent nearly 80 percent of its budget in fiscal 2014 on old IT, like Cobol. Nearly $70 million was allocated to operations and maintenance with a mere $14 million on development modernization.

As the OPM embarks on its better-late-than-never plan to overhaul its IT infrastructure, the agency’s failure to change leadership portends more failure. It is once again disregarding warnings from the IG that its plan has a “high risk of failure.”

[Attacking OPM for misusing their budget may be too easy.
Precisely how could they have better used their budget?
I don't know, but any alternative plan
no doubt could be attacked from one direction or another.

By the way, with $70M going to O&M,
should more of the IG-highlighted issues have been addressed?
An inside look would be interesting.]


...

Experienced leaders in IT and cybersecurity would ensure that the controls already in place are being followed. That’s not happening.

The 30-day cyber sprint initiated by the Office of Management and Budget (OMB) in the aftermath of the hack yielded a 30 percent agencywide increase in multifactor authentication for certain users, from 42 percent to 72 percent.

It was over 10 years ago, though, that the White House first issued direction to agencies to accelerate the use of multifactor authentication. It shouldn’t have taken a crisis of these proportions for agencies to get their IT houses in order.

It was only after the 30-day cyber sprint was complete that the OPM increased its multifactor authentication participation from 42 percent to 97 percent of all users.

...