2005-01-28

OPM data breach

2015-06

For general background,
see the Wikipedia article Office of Personnel Management data breach.

Very useful background information
was provided by the submitted testimony of three witnesses
who appeared before the Subcommittee on Research and Technology and the Subcommittee on Oversight
of the Committee on Science, Space and Technology
of the U.S. House of Representatives
in a hearing on July 8, 2015
(their names link to PDFs of their submitted testimony):

  • Mr. Michael R. Esser, Assistant Inspector General for Audits,
    Office of Personnel Management
  • Dr. Charles Romine, Director, Information Technology Laboratory,
    National Institute of Standards and Technology
  • Mr. Gregory Wilshusen, Director, Information Security Issues,
    U.S. Government Accountability Office

In his written testimony (on page 7),
Michael Esser gave some very interesting background:

[T]he e-QIP [Electronic Questionnaire for Investigations Processing] system
contains vulnerabilities that OPM knew about,
but had failed to correct for years.
As part of the system’s Authorization process in September 2012,
an independent assessor identified 18 security vulnerabilities
that could have potentially led to a data breach.
These vulnerabilities were scheduled to be remediated by September 2013,
but still remain open and unaddressed today.
Unfortunately, the overdue remediation of known vulnerabilities for e-QIP
is only a single example of a more widespread problem at OPM.
Both our FY 2012 and FY 2013 FISMA reports indicated that
out of OPM’s 47 major information systems,
22 had known vulnerabilities with remediation activity greater than 120 days overdue.
In FY 2014, the number grew to 38.
This issue demonstrates the importance of the Authorization process
(as discussed above),
but is also an example of OPM’s historical neglect of IT security.
The agency has failed to complete system Authorizations for its most sensitive systems,
but even when the agency has known about security vulnerabilities,
it has failed to take action.





In my opinion,
a key issue that I haven't yet seen addressed is:
who in the United States government is responsible for doing
vulnerability assessments
on government computer systems,
by which I mean assessing
how significant the divulging of the data in the systems would be
and
how well guarded the systems are from such a data breach.

I don't know the answer to that question.
I believe the CIA in general has the responsibility for assessing U.S. vulnerabilities,
but on the other hand NSA has always had responsibility for U.S. communications security,
and to some extent that has broadened into computer security with the establishment of Cyber Command.
And, of course, the Department of Homeland Security has some responsibilities inherent in its title.

So between the CIA, NSA/CyberCom, and DHS,
just who is responsible for assessing the vulnerabilities of U.S. government systems?





A little background on President Obama's cybersecurity czar, Michael Daniel:

2014-08-22-WP-does-the-white-houses-cybersecurity-czar-need-to-be-a-coder-he-says-no
Does the White House’s cybersecurity czar
need to be a coder? He says no.

by Andrea Peterson
Washington Post, 2014-08-22
[An article discussing the technical qualifications, or lack thereof, of President Obama's cybersecurity czar, Michael Daniel.
One response, by Yahoo Chief Security Officer Alex Stamos, to this situation:]

The lack of respect shown to information security as a profession by the government is infuriating.

Another article on Michael Daniel's lack of technical experience:
2014-08-25-Forbes-it-does-matter-that-the-white-house-cybersecurity-czar-lacks-technical-chops
It Does Matter That The White House Cybersecurity Czar Lacks Technical Chops
by Robert M. Lee
Forbes, 2014-08-25

...
Mr. Daniel has never been involved with cybersecurity before; he has a strong background in policy and budgeting but nothing in even the basics of cybersecurity. This seems to be a problem just for the government cybersecurity community, but it has farther reaching impacts.
...






News Articles


Below are a number of news articles reporting on the OPM breach.

2014

2014-12-18-WP-keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected
KeyPoint network breach could affect thousands of federal workers
By Christian Davenport
Washington Post, 2014-12-18

KeyPoint Government Solutions, which took over the bulk of federal background checks after one of its competitors was hacked, also recently suffered a computer network breach, officials said Thursday.

While there was “no conclusive evidence to confirm sensitive information was removed from the system,” Office of Personnel Management spokeswoman Nathaly Arriola said the agency would notify 48,439 federal workers that their personal information may have been exposed.

The breach comes just a few months after OPM decided not to renew a background investigations contract with USIS, which suffered a breach earlier this year.

USIS had been the largest provider of background checks used in security clearances for the federal government for years. After OPM decided not to renew USIS’s contract, Colorado-based KeyPoint quickly picked up the bulk of the work for the federal government.

KeyPoint and USIS declined to comment.

Earlier this month, USIS pushed back against criticism that it didn’t do enough to prevent a massive cyberattack and accused the OPM of neglecting to share information that might have helped it detect the intrusion earlier.

USIS, based in Falls Church, Va., said it sought to work closely with OPM after the breach. But the company wrote that “no meaningful partnership will ever exist if the U.S. government response to cooperation is to punish and shut down organizations that, like so many government agencies, happen to fall victim to a cyber attack.”


KeyPoint’s breach was yet another in a series of problems that have plagued the background-check process. Before it was hacked, USIS was accused in a whistleblower lawsuit, joined by the Justice Department, of “flushing” hundreds of thousands of checks — meaning they were submitted as complete even though they were not.

And members of Congress repeatedly urged OPM to end its contract with USIS.

The termination of the contracts on Sept. 30 had a devastating effect on USIS, which at one point employed about 3,000 workers in its investigations division.

KeyPoint moved quickly to fill the void, looking to double the size of its investigative workforce.

But USIS’s caseload was significant — 21,000 background checks a month, and once its contract was not renewed, some wondered who would be able to handle the task on short notice.

That amount of work requires significant managerial oversight, which is usually developed over time, said Nicole Smith, a former USIS senior investigator who now is an attorney at Tully Rinckey working on security clearance issues.

Once KeyPoint took over, she said one of the questions that concerned her was: “Can they even handle the influx of these new employees and all the work that gets dumped on them from OPM?”

In an e-mail to OPM colleagues, Donna Seymour, the agency’s chief information officer, said that “following the discovery of the problem, KeyPoint implemented numerous controls to strengthen the security of its network. The immediacy with which KeyPoint was able to remediate vulnerabilities has allowed us to continue to conduct business with the company without interruption.”

In the e-mail, a copy of which was obtained by The Washington Post, she said that the “security of our network and the data entrusted to us remains our top priority. This incident serves as yet another reminder that we all must be ever-vigilant in our efforts to understand, anticipate and guard against the threat of cyber-attacks.”


Arriola, the OPM spokeswoman, declined to comment on the sophistication of the attack or who might have been behind it, saying the investigation was ongoing. OPM will offer the employees free credit monitoring.




2015

2015-06-05-NYT-breach-in-a-federal-computer-system-exposes-personnel-data
Hacking Linked to China Exposes Millions of U.S. Workers
By DAVID E. SANGER and JULIE HIRSCHFELD DAVIS
New York Times, 2015-06-05


2015-06-05-WP-in-a-series-of-hacks-china-appears-to-building-a-database-on-americans
With a series of major hacks,
China builds a database on Americans

By Ellen Nakashima
Washington Post, 2015-06-05

China is building massive databases of Americans’ personal information by hacking government agencies and U.S. health-care companies, using a high-tech tactic to achieve an age-old goal of espionage: recruiting spies or gaining more information on an adversary, U.S. officials and analysts say.

Groups of hackers working for the Chinese government have compromised the networks of the Office of Personnel Management, which holds data on millions of current and former federal employees, as well as the health insurance giant Anthem, among other targets, the officials and researchers said.

“They’re definitely going after quite a bit of personnel information,” said Rich Barger, chief intelligence officer of ThreatConnect, a Northern Virginia cybersecurity firm. “We suspect they’re using it to understand more about who to target [for espionage], whether electronically or via human recruitment.”

The targeting of large-scale databases is a relatively new tactic and is used by the Chinese government to further its intelligence-gathering, the officials and analysts say. It is government espionage, not commercial espionage, they say.

“This is part of their strategic goal — to increase their intelligence collection via big-data theft and big-data aggregation,” said a U.S. government official who, like others, spoke on the condition of anonymity to discuss a sensitive topic. “It’s part of a strategic plan.”

One hack of OPM, which was disclosed by the government Thursday, dates at least to December, officials said. Earlier last year, OPM discovered a separate intrusion into a highly sensitive database that contains information on employees seeking or renewing security clearances and on their background investigations.

Once harvested, the data can be used to glean details about key government personnel and potential spy recruits, or to gain information useful for counterintelligence. Records in OPM’s database of background investigations, for instance, could contain a complete history of where an individual has lived and all of his or her foreign contacts in, say, China. “So now the Chinese counterintelligence authorities know which American officials are meeting with which Chinese,” a China cyber and intelligence expert said.

The data could help Chinese analysts do more effective targeting of individuals, said a former National Security Agency official. “They can find specific individuals they want to go after, family members,” he said.

The trend has emerged and accelerated over the past 12 to 18 months, the official said. An increase in Chinese capability has opened the way “for bigger data storage, for bigger data theft,” he said. “And when you can gain it in bulk, you take it in bulk.”

The Chinese government, he said, is making use of Chinese companies that specialize in aggregating large sets of data “to help them in sifting through” the information for useful details. “The analogy would be one of our intelligence organizations using Google, Yahoo, Accenture to aggregate data that we collected.”

China on Friday dismissed the allegation of hacking as “irresponsible and unscientific.”

Chinese Foreign Ministry spokesman Hong Lei said Beijing wanted to cooperate with other nations to build a peaceful and secure cyberspace.

“We wish the United States would not be full of suspicions, catching wind and shadows, but rather have a larger measure of trust and cooperation,” he told a regular news briefing.

OPM disclosed that the latest hack of one of its systems exposed personal data of up to 4 million current and former employees — the largest hack of federal employee data in recent years.

It is possible that officials as senior as Cabinet secretaries had their data exposed, a congressional aide said on a briefing call with government officials Friday.

U.S. officials privately said China was behind it. The stolen information included Social Security numbers and performance evaluations.

“This is an intelligence operation designed to help the Chinese government,” the China expert said. “It’s a new phase in an evolution of what they’re doing. It certainly requires greater sophistication on their part in terms of being able to take out this much data.”

Barger’s firm has turned up technical evidence that the same Chinese group is behind the hacks of Premera Blue Cross and Empire BlueCross, which were discovered at roughly the same time earlier this year.

The first OPM incident has been linked to the health-care hacks by Barger and another security researcher, John Hultquist, senior manager for cyberespionage threat intelligence at iSight Partners. Hultquist said the same group is responsible for all of them, and for other intrusions into commercial databases containing large sets of Americans’ personal information.

“They would leverage this data to get to diplomatic, political, military and economic intelligence that they typically target,” said Hultquist, who declined to comment on who was behind the attacks.

Though much Chinese cyberespionage is attributed to the People’s Liberation Army, these hacks, Barger said, appeared to be linked to the Ministry of State Security, which is a spy agency responsible for foreign espionage and domestic counterintelligence.

Other Chinese entities, including the military, may also be involved in the campaign, analysts said.

Chinese government hackers “are like a vacuum cleaner” in sucking up information electronically, said Robert “Bear” Bryant, a former top counterespionage official in the government. “They’re becoming much more sophisticated in tying it all together. And they’re trying to harm us.”

Security researchers have pointed to a cyber tool or family of malicious software called Derusbi that has been linked exclusively to Chinese actors. One group that has used Derusbi is Deep Panda, a name coined by the firm CrowdStrike, which has linked that group to the Anthem hack.

Disclosed in February, that incident exposed the Social Security numbers, addresses, phone numbers, e-mail addresses and member IDs of tens of millions of customers. No medical data such as diagnosis or treatment information was compromised, the company said.

Researchers note that in contrast to the hacks of Home Depot and Target, personal data that might have been stolen from OPM, Anthem and the other companies has not shown up on the black market, where it can be sold to identity thieves. That is another sign, they said, that the intrusions are not being made for commercial purposes.

“Usually if there’s a criminally or financially motivated breach like that, we see the data making its way into the black market soon after that,” Barger said.

The big-data approach being taken by the Chinese might seem to mirror techniques used abroad by the NSA, which has come under scrutiny for its data-gathering practices under executive authority. But in China, the authorities do not tolerate public debate over the proper limits of large-scale spying in the digital age.

“This is what all intelligence services do if they’re good,” said the China cyber expert. “If you want to find a needle, first you have to gather a haystack of needles.”

The massive data harvesting “reflects a maturity in Chinese” electronic intelligence gathering, the expert said. “You have to put in place structured data repositories. You have to have big-data management tools to be able to store and sift and analyze.”

Barger said that “with a large pool of data, they can prioritize who is the best to target electronically and who is the best to target via human recruitment.”

The U.S. official noted that the Chinese “would not take [the data] if they did not have the opportunity to aggregate it.” And, he added, “they are taking it.”


2015-06-05-WP-why-opm-should-have-seen-the-latest-cyberattack-coming
Why OPM should have seen the latest cyberattack coming
By Andrea Peterson
Washington Post Blog "The Switch", 2015-06-05

Hackers gained access to information of about 4 million current and former federal employees in December, U.S. officials have said. But the agency at the heart of the attack, the Office of Personnel Management, should have seen it coming.

An annual audit of its information security systems released last year showed the agency had major security problems. And it had already suffered a breach thought to target sensitive information about government security clearances.

According to a report by OPM's inspector general's office released in November, the agency couldn't even find all of its equipment.

"OPM does not maintain a comprehensive inventory of servers, databases, and network devices," the audit, which reviewed the agency's operations through September, found.

That could make it a lot harder to keep them safe, experts said. "You can't defend yourselves well if you don't know what systems you have and where your data is," said Richard Bejtlich, chief security strategist at cybersecurity firm FireEye and a Brookings Institution senior fellow. "You won't be able to fend off a basic adversary, let alone an advanced adversary."

The report also noted that eleven "major systems" were operating without the agency certifying they met security standards.

The lapse constituted "a material weakness in the internal control of the agency's IT security program," according to the report. A "core cause" of the authorization delays was that there were "no consequences" for operating without approval.

The 2014 report actually showed an improvement over previous years. Government audits of OPM's information security programs have repeatedly warned about such problems. "We have significant concerns regarding the overall quality of the information security program at OPM," a 2009 IG report said.

The latest report said the agency had made "some improvements" to its security program, although "some problem areas that had improved in past years have resurfaced."

OPM did not immediately respond to requests for comment.

However, the breach disclosed this week was discovered in April after information security improvements were rolled out by OPM earlier this year, according to the agency. "OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks," the agency said in a statement Thursday about the attack, which reportedly targeted an OPM data center housed at the Interior Department.

This is also not the first time OPM has been the victim of a cyberattack. Last year, hackers targeted information about employees filing for security clearances.

Both breaches are thought to be linked to Chinese hackers, according to The Washington Post's Ellen Nakashima. Other attacks on government agencies have also been linked to foreign hackers -- including intrusions into the unclassified e-mail systems at the White House and State Department last year believed to have been carried out by Russian hackers.

The way the government purchases equipment and services is part of the problem, said Scott Montgomery, vice president and chief technology strategist for Intel Security. "Restrictions on acquisition creates dramatic drawbacks in the way government can roll out and deploy information technology," he said.

Federal security compliance rules are "equally archaic," he said, and don't match up with the current threats facing government networks. "There are a lot of security controls in government that don't have as much to do with whether a system or agency is secure so much as they're checklists."

FireEye's Bejtlich said government officials focus too much on finding and patching vulnerabilities rather than on identifying breaches. "At the end of the day, whether you are breached or not is important -- not whether you are patched and compliant," he said.

But those struggles are not unique to the public sector, Montgomery said, noting that Target and other major retailers met industry compliance standards when they suffered massive breaches. And across the board, he said, it is difficult to find the right people to deal with the current wave of cybersecurity incidents.

"The pool of trained information security professionals is shallow, and the government needs to invest in tracking down and retaining top-tier talent," he said. "There's just not enough in any organization."

The administration has acknowledged that issue: In May, OPM gave federal agencies approval to go outside of traditional civil service hiring procedures when appointing people to digital positions tied to a planned reboot of government information technology systems.


2015-06-05-WP-Editorial-holes-in-uncle-sams-security
Holes in Uncle Sam’s security
By Editorial Board
Washington Post Editorial, 2015-06-05

[1]
FEDERAL OFFICIALS said new tools allowed them to discover a massive breach of government-employee data by hackers suspected of working for the Chinese state. We would imagine that achievement will not inspire much gratitude among the millions whose personal data were violated. No doubt they, as well as U.S. taxpayers, are wondering why their government seems so incapable of protecting sensitive information from cyberattacks.

[2]
The Obama administration disclosed Thursday that the computer system of the Office of Personnel Management, which handles federal employee records and security clearances, had been hacked. The breach, affecting about 4 million current and former government workers, was detected in April but appears to have dated back to December. The hackers, apparently targeting Social Security numbers and other personal identifying information, have been linked by cybersecurity experts to thefts of similar personal data from two major U.S. health-care firms. Administration officials did not publicly identify the attackers, but The Post’s Ellen Nakashima quoted sources identifying the hackers as state-sponsored. The Chinese foreign ministry dismissed the claims as jumping to conclusions.

[3]
What’s so disconcerting about the breach — other than its massive scale and possible value to Chinese espionage, of course — is that it is just one in a series of intrusions into vital computer systems of the U.S. government. The White House and the State Department last year discovered their e-mail systems had been compromised in an attack linked to Russian hackers. The OPM was the target of a smaller attack last year. Last week, the Internal Revenue Service said identity thieves had illegally obtained tax information on more than 100,000 households.

[4]
High-profile cyberattacks on such private companies as Sony Pictures Entertainment and Target prompted the White House to push the private sector to improve protections of its computer networks and share information on best methods. So there’s an unfortunate irony in the vulnerability of federal computer networks, which, as Rep. Adam B. Schiff (D-Calif.) noted, Americans expect to be “maintained with state-of-the-art defenses.”

[5]
Measures taken so far are clearly insufficient. We hope the breach at the OPM — among the largest thefts ever of government data — awakens the administration and Congress to the need for a robust strategy that puts safeguards in place and promises consequences for the people and countries who try to violate them.




2015-06-06-NYT-US-Was-Warned-of-System-Open-to-Cyberattacks
U.S. Was Warned of System Open to Cyberattacks
By DAVID E. SANGER, JULIE HIRSCHFELD DAVIS and NICOLE PERLROTH
New York Times, 2015-06-06

WASHINGTON — The inspector general at the Office of Personnel Management, which keeps the records and security clearance information for millions of current and retired federal employees, issued a report in November that essentially described the agency’s computer security system as a Chinese hacker’s dream.

But by the time the report was published, Chinese hackers had already cleaned out tens of thousands of files on sensitive security clearances, and were preparing for a much broader attack that ultimately obtained detailed personal information on at least four million current and former government employees. Even today, the agency is struggling to patch numerous vulnerabilities.

A number of administration officials on Friday painted a picture of a government office struggling to catch up, with the Chinese ahead of them at every step.

The agency did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside to use the kind of basic authentication techniques that most Americans use for online banking. It did not regularly scan for vulnerabilities in the system, and found that 11 of the 47 computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”

The problems were so severe for two systems that hosted the databases used by the Federal Investigative Service, which is responsible for the background investigations for officials and contractors who are issued security clearances, that the inspector general argued for temporarily shutting them down because the security flaws “could potentially have national security implications.”

Hackers in China apparently figured that out months before the report was published. Last summer a breach was detected that appeared aimed directly at the security clearance records — information that could help a determined hacker gain access to email or other accounts belonging to those entrusted with the nation’s secrets.

While upgrades were underway, a much broader attack occurred, apparently starting in December. Before it was detected, personal information on at least four million people was apparently downloaded by a patient, well-equipped adversary — and the number is likely to grow.

As one senior former government official who once handled cyberissues for the administration, who would not speak on the record because it could endanger the person’s role on key advisory committees, said on Friday, “The mystery here is not how they got cleaned out by the Chinese. The mystery is what took the Chinese so long.”

Researchers and government officials have determined that the Chinese group that attacked the office was probably the same one that seized millions of records held by the health care firms Anthem and Premera. Based on the forensics, experts believe the attackers were not part of the People’s Liberation Army, whose Third Department oversees much of the military’s cyberintelligence gathering. Rather they believe the group is privately contracted, though the exact affiliation with the Chinese government is not known.

For the Obama administration, which came to office holding East Room events on cybersecurity and pressing Congress, for years, to pass legislation that would allow the private sector to share information with the government, what has happened at the Office of Personnel Management can only be described as a case study in bureaucratic lethargy and poor security practices.

In the most egregious case cited by the inspector general, outsiders entering the system were not subjected to “multifactor authentication” — the systems that, for example, require a code that is sent to a cellphone to be entered before giving access to a user. Asked about that in an interview, Donna Seymour, the chief information officer at the Office of Personnel Management, said that installing such gear in the government’s “antiquated environment” was difficult and very time consuming, and that her agency had to perform “triage” to determine how to close the worst vulnerabilities.

The agency now plans to install two-step authentication across its network, Ms. Seymour said. A longtime data security official, she also defended the decision to ignore the inspector general’s advice to shut down two systems that contain the security clearance information. Ms. Seymour said that the investigators were using an outdated assessment of the security measures — and that the agency was in the process of getting tighter controls when the intrusion happened. Another senior official said that with the agency under pressure to clear a huge backlog of security clearances, halting the process was “a nonstarter” with Congress.

During the installation of new security scanning software, officials said, they found evidence of the broad downloading of millions of files.

But administration officials said a lack of management focus on the problems contributed to the slow response — combined with a lack of focus on protecting systems that are not part of the national security infrastructure but that contain large amounts of data. And a number of administration officials in interviews on Friday painted a picture of Chinese adversaries who appear to be building huge databases of information on American citizens, useful for intelligence gathering and other purposes.

“They didn’t go to sell the data, which is what criminal groups usually do,” said James Lewis, an expert at the Center for Strategic and International Studies. “It’s biographic databases that really give an intelligence benefit — and that get into an opponent’s skin.” Such databases indicate where a government official was posted, and security clearance information would list their foreign contacts — useful if there was an effort to track down Chinese citizens in contact with Americans.

The chronology of attacks against American targets matches China’s stated economic and strategic objectives, members of Congress were told in briefings held by the Department of Homeland Security and other agencies. “I’m angry and frustrated that we are at a place where this kind of attack can be successful,” said Rep. Jim Langevin, a Rhode Island Democrat who sits on both a subcommittee on cyberissues and the Armed Services Committee. The attackers, he said, “could have been inside the systems for weeks or months.” In fact, investigators believe they were there for at least three months, before being detected in April.

Government officials in the United States have been tracking several such privately contracted Chinese groups since 2008 and believe they operate at the behest of the state. One, based out of Guangzhou in southern China, has been tied to thousands of attacks on victims in the United States, Britain, Canada, Europe, Russia and Africa that develop missile, satellite, space and nuclear propulsion technology.

At the White House, officials were struggling to explain on Friday how the breach could have happened after warnings from the inspector general and others. Michael Daniel, the White House’s top cyberofficial, declined to speak on the record about the attack, and Lisa Monaco, who has been handling cyberissues as one of Mr. Obama’s top national security officials, declined to be interviewed.

“The threat that we face is ever-evolving,” said Josh Earnest, the White House press secretary. “We understand that there is this persistent risk out there. We take this very seriously.”

Mr. Earnest said Mr. Obama’s efforts to push legislation would bolster the nation’s data.

“We need the United States Congress to come out of the Dark Ages and actually join us here in the 21st century to make sure that we have the kinds of defenses that are necessary to protect a modern computer system,” he said.







2015-06-11-NYT-hackers-may-have-obtained-names-of-chinese-with-ties-to-us-government
Hackers May Have Obtained Names of Chinese With Ties to U.S. Government
By DAVID E. SANGER and JULIE HIRSCHFELD DAVIS
New York Times, 2015-06-11


2015-06-13-NYT-second-breach-of-a-computer-system
White House Weighs Sanctions After Second Breach of a Computer System
By MICHAEL D. SHEAR and SCOTT SHANE
New York Times, 2015-06-13

WASHINGTON — The White House on Friday revealed that hackers had breached a second computer system at the Office of Personnel Management, and said that President Obama was considering financial sanctions against the attackers who gained access to the files of millions of federal workers.

Investigators had already said that Chinese hackers appeared to have obtained personal data from more than four million current and former federal employees in one of the boldest invasions into a government network.

But on Friday, officials said they believed that a separate computer system at the agency was breached by the same hackers, putting at risk not only data about the federal employees, but also information about friends, family members and associates that could number millions more. Officials said that the second system contained files related to intelligence officials working for the F.B.I., defense contractors and other government agencies.

Sam Schumach, a spokesman for the personnel office, said that the F.B.I.’s incident response team had concluded “with a high degree of confidence” that systems containing information related to background investigations of current, former and prospective federal employees were compromised.

A senior government official, speaking on the condition of anonymity, said that investigators became aware of the second intrusion while assessing the damage from the first breach. The official said the information apparently taken in the second breach appeared not to be limited to federal employees.

The database contains copies of what is known as Standard Form 86, a questionnaire filled out by applicants for national security positions. The 127-page form can include medical data, including information on treatment or hospitalization for “an emotional or mental health condition.”

In addition, the form asks for detailed information on close relatives and “people who know you well.” The form has spaces for each contact’s home or work address, email address, phone number and other information.

The personnel office has said that the number of federal employees and applicants affected could rise beyond the four million already reported. If the relatives and close contacts are included, the total number of people affected could be several times as high, officials said.

At the White House, officials said that Mr. Obama was weighing the use of an executive order he signed in April that allows the Treasury secretary to impose sanctions on individuals or groups that engage in malicious cyberattacks, or people who benefit from them.

“This newly available option is one that is on the table,” said Josh Earnest, the White House press secretary.

[What is this, some kind of bad joke?
The damage is done, irreparable, and very possibly extremely serious.
There are no sanctions that can repair the damage.]





2015-06-15-Nextgov-while-being-hacked-opm-tech-chief-testified-agencys-strong-leadership-and-it-defenses
Here’s What OPM Told Congress the Last Time Hackers Breached its Networks
Nextgov.com, 2015-06-15

...

[OPM CIO Donna] Seymour spoke at an April 22 House Oversight and Government Reform Committee panel about a separate, March 2014 attack that, she said, OPM successfully thwarted. She is scheduled to appear before the same committee Tuesday to discuss the extent of the recent attack and OPM's compliance with federal security controls.

OPM officials have said they first learned about the latest breach in April.
CyTech, a Virginia-based firm, says on April 21, sales reps were invited to demonstrate a tool called CyFIR for the agency.

“Using our endpoint vulnerability assessment methodology,
CyFIR quickly identified a set of unknown processes running,”
CyTech CEO Ben Cotton said in a statement Monday.
“This information was immediately provided to the OPM security staff
and was ultimately revealed to be malware.”


The company says it does not know if OPM was already aware of this suspicious activity.

CyTech stayed on site that day to help "with the breach response, provided immediate assistance and performed incident response services supporting OPM until May 1," Cotton said.

Agency officials on Monday denied that CyTech was responsible for eyeing the network breach during a product test.

"OPM’s cybersecurity team made this discovery in April 2015," agency spokesman Samuel Schumach said in a statement on Monday. "If not for the fact that OPM was already in the process of updating and strengthening our IT infrastructure, we would have not known about the intrusion, and would have not been able to mitigate any damage."

...
...


2015-06-16-House-Oversight-Hearing-OPM-Data-Breach
OPM: Data Breach
Full House Committee on Oversight and Government Reform
Hearing Date: June 16, 2015 10:00 am

PURPOSE:

To provide Members an opportunity to gain information on the nature and extent of the recent U.S. Office of Personnel Management (OPM) data breach.

To discuss federal agency compliance with the Federal Information Security Management Act (FISMA).

BACKGROUND:

On June 4th, OPM announced a data breach and its plan to notify approximately 4 million individuals whose personally identifiable information (PII) may have been compromised. OPM’s data center is housed by the U.S. Department of the Interior.

The full extent of the data breach, including who was affected and what information was accessed, is still unknown.

The data may have been unencrypted, making employee information immediately usable if extracted.

Witnesses and testimonies
  • Ms. Katherine Archuleta, Director, U.S. Office of Personnel Management (Document)
  • Ms. Donna K. Seymour, Chief Information Officer, U.S. Office of Personnel Management
  • Dr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and Communications, National Program Preparedness Directorate, U.S. Department of Homeland Security (Document)
  • Mr. Tony Scott, U.S. Chief Information Officer, Office of E-Government and Information Technology, U.S. Office of Management and Budget (Document)
  • Ms. Sylvia Burns, Chief Information Officer, U.S. Department of the Interior (Document)
  • Mr. Michael R. Esser, Assistant Inspector General for Audits, Office of Inspector General, U.S. Office of Personnel Management



2015-06-17-WP-lawmaker-tells-opm-chief-you-failed-utterly-and-totally-to-prevent-data-breach-by-chinese
Top House Republican calls on OPM director to resign over employee data breach
by Lisa Rein
Washington Post, 2015-06-17, page A15

A top House Republican Tuesday called on the government’s personnel chief and her chief information officer to resign after saying that she “failed utterly and totally” to prevent the massive hack that exposed the personal data of 4.2 million active and former employees.

“Those two had an opportunity to right the ship…they did not get it done, and there should be consequences,” Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, told reporters after a contentious hearing on the cyberattack. Office of Personnel Management Director Katherine Archuleta and the agency’s chief information officer, Donna Seymour, were grilled for almost three hours by angry lawmakers from both parties.

“If we want a different result, we’re going to have to have different people,” Chaffetz said as he walked down a hallway of the Rayburn House Office Building moments after the hearing ended. Our colleague Joe Davidson was there.

The comments capped a series of tense exchanges between Archuleta and House Democrats and Republicans, many of whom represent districts with thousands of federal employees. Lawmakers noted that OPM was warned repeatedly by the agency’s inspector general to make computer security upgrades, but took too long.

“Your systems were vulnerable,” Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, said in a testy exchange with Archuleta, at a hearing on the data breach.

“The data was not encrypted,” Chaffetz said, raising his voice as he tried to understand what exactly was hacked and whether the attack could have been avoided.

The inspector general “recommended you make changes,” Chaffetz said. “You didn’t. The information was vulnerable, and the hackers got it. I want to know why.”

The agency’s watchdog recommended last year that OPM consider shutting down computer security systems that were particularly vulnerable to hackers.

Inspector General Patrick McFarland found that 11 major OPM systems were operating without the agency’s certification that they met security standards. Auditors recommended to Archuleta that OPM consider shutting down those systems.

She said the recommendation came “after the adversaries were already in our network,” a reference to a previous data breach. She said she is working hard to upgrade the agency’s information security weaknesses.

“The recommendations are ones we take very seriously,” Archuleta said. She also said some of OPM’s databases are too old to successfully encrypt.

OPM officials said that even if the data had been encrypted, the hackers would have worked around it and gotten through.

Rep. Elijah Cummings (D-Md.), the oversight committee’s top Democrat, accused a former OPM contractor, USIS, of “obstructing” the committee’s work. He noted that Chaffetz had invited USIS to testify at the hearing. “But last night they refused,” Cummings said. “Just like they have refused repeated requests for information over the past year” about a breach of USIS networks that resulted in the compromise of sensitive security clearance information.

Cummings wanted to know whether the intruders — reportedly Chinese government hackers — gained access to OPM’s networks using information stolen from USIS, or from another contractor named Keypoint. “Given the history of noncompliance at USIS, I believe this [testifying on the Hill] may be one of the only ways to obtain the information we’re seeking,” he said.

Chaffetz pressed OPM for more answers on what information is contained in the hacked databases, which include personnel files spanning 30 years and a separate database containing information on background checks for security clearances.

He wanted to know whose data was compromised. Did it include employees from the Central Intelligence Agency? The military? Federal contractors?

Archuleta declined to answer him, saying lawmakers would learn more in a classified briefing Tuesday afternoon that will be closed to the public.

Chaffetz said some of the information should be made public.

“Can you assure the federal workers that you’re going to implement all the recommendations” to shore up IT security, Rep. Mark Meadows (R-N.C.) asked Archuleta. He then interrupted her when she tried to say that the agency was making the changes a high priority.

“I assume that means no,” Meadows said.

Seymour, OPM’s chief information officer, said the data in the background investigations database could span an employee’s lifetime. Investigators still haven’t figured out how many of those employees had their data taken because it’s an old system, with many agencies contributing, she said.

Toward the end of Tuesday’s hearing, a lawmaker asked Archuleta if anyone at her agency had been fired for not putting computer security upgrades in place before the hack.

“No,” she answered.

Ellen Nakashima contributed to this story.






2015-06-17-ZDnet-feds-cyber-security-woes-cant-all-be-blamed-on-legacy-systems
Feds' cyber security woes can't all be blamed on legacy systems
Creaky systems that can't use the latest encryption are merely one item
in a cyber security mess that took decades to create.

By Larry Dignan
ZDnet.com, 2015-06-17, 1406Z

The legacy computer systems at the Office of Personnel Management were too old and creaky to use encryption or sufficiently protect data. That argument surfaced in a House Oversight and Government Reform Committee hearing, but there are plenty of other security issues to take the blame.

In recent weeks, the OPM was hit with cyber attacks that exposed how weak the Federal government is on security. The OPM attacks rode shotgun with a similar hack at the Internal Revenue Service.

The OPM said June 4 that 4 million individuals had their personally identifiable information compromised. OPM's data center is housed by the U.S. Department of the Interior. Officials don't know the full extent of the breach yet.

Rest assured that heads will roll over the cyber attacks, which have been blamed on China. But the role of creaky systems is worth pondering.

At the House hearing, Katherine Archuleta, director of the OPM, said:

When I was sworn in I said that I would develop an IT strategic plan in my first 100 days and delivered on that promise in February 2014. I immediately became aware of security vulnerabilities in the agency's aging legacy systems and I made the modernization and security of our network and its systems one of my top priorities.

Archuleta said that the OPM sees 10 million confirmed intrusion attempts a month and will see more. The OPM has shored up its network monitoring, logging and firewalls. The catch is that the systems being protected are too old and vulnerable.

The lack of investment has left the OPM vulnerable. "I want to emphasize that cyber security issues that the Government is facing is a problem that has been decades in the making, due to a lack of investment in federal IT systems and a lack of efforts in both the public and private sectors to secure our internet infrastructure," said Archuleta.

The legacy system storyline is valid, but only goes so far. Yes, the government agencies need more funding for cyber security, but the to-do list is long. Among the key weak spots cited in the testimony given on Tuesday:

  • Talent. Sylvia Burns, CIO for the Department of the Interior, said talent and cyber security expertise is critical. Burns said the long-term plan is to strengthen the department's security and privacy workforce. Here's the rub: Cyber security experts can make better money elsewhere.
  • Network design. All of the execs in the hearing said they were designing new networks that can be segmented and carved off in an attack.
  • A security focus. While the folks giving testimony noted security monitoring, the between-the-lines reading is that cyber security wasn't a primary focus. That reality isn't surprising since most entities---public and private---don't get serious about cyber security until after they are hacked, exposed and take a public beating.
  • Collaboration. The OPM is now working well with the Department of Homeland Security, which is piecing together the cyber attack via a system called EINSTEIN. The public and private sector will need to collaborate more.
  • The bad guys are well funded. It's highly likely that the cyber attackers---whether state or non-state actors---are going to have more technology and funding than the Feds.

When you add up those moving parts and glaring holes, it's obvious that legacy systems are just one issue among many. The only real takeaway from the hearing on Tuesday is that the attacks will continue on the Federal government systems and probably accelerate.

[Really excellent reporting from ZDnet. Congratulations.
Too bad big media couldn't match it.
The Wednesday, 2015-06-17 Washington print edition of the New York Times had zero words about the hearing, at least in its A section.
The Wednesday Washington Post had a news article, plus a column from their Federal Worker columnist and a lead editorial,
all to the good,
but didn't have the detailed background on problems in the ZDnet story.]





2015-06-17-ZDnet-opm-breach-we-get-exactly-the-it-security-were-willing-to-pay-for
OPM breach:
We get exactly the IT security we're willing to pay for

A big part of the Office of Personnel Management's security fiasco
can be blamed on hopelessly archaic computers
and a government that refuses to fund their replacements.

By Steven J. Vaughan-Nichols
ZDnet.com, 2015-06-17, 1947Z

Everyone who's now working for the federal government or has a security clearance may have had their personal records stolen. While obsolete hardware and software weren't the only reasons the Office of Personnel Management (OPM) had its personnel records stolen, it didn't help.

At the House hearing investigating this breach, Donna Seymour, the OPM's CIO said, "Some legacy systems may not be capable of being encrypted." She's right.

Representative Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, ranted "You failed. You failed utterly and totally," at OPM's management. He also said, this incident "may be the most devastating cyberattack in our nation's history." He continued, "OPM's security policy was akin to leaving its doors and windows unlocked and expecting nothing to be stolen." He's right too.

Chaffetz wants OPM Director Katherine Archuleta and Seymour fired. Doubtlessly someone will be fired, but who should be kicked out the door?

Let's look more closely. Archuleta claimed that "In February 2014, I immediately became aware of security vulnerabilities in the agency's aging legacy systems and I made the modernization and security of our network and its systems one of my top priorities." She must have been. There's nothing new about this old problem.

Back in the 80s, when I worked as a system administrator, network admin, and programmer for NASA and Naval Sea Systems Command, we were still using gear from the 60s and 70s. For example, when I helped manage NASA Shuttle data communications in the mid-80s one backup connection I monitored was a 1950s telex 110 baud line to the Bermuda tracking station. It always checked out, but I thank God we never had to use it on a mission.

The reason for this wasn't because we felt secure with antique equipment. We didn't. It was that we never had anything like enough Capital expenditures (CAPEX) funding at either NASA or DoD for IT. That's still the case today.

In 2011, the OPM's Federal Data Center Consolidation Initiative (FDCCI) observed that the last major OPM data center update happened in the mid 1990s. In other words, Windows 95 was the hot new desktop when OPM's mainframes were last given a thorough overhaul.

As you might guess, in 2011 the OPM already realized that "Many critical applications at OPM are hosted on legacy platforms and have not been re-architected in many years. In some cases, documentation of these systems is lacking, making it difficult to estimate time and cost of consolidation."

Why? The OPM's IT department "has historically been underfunded, especially on the operations side, making it difficult to make investments in consolidation projects, even when those have positive ROI in later years."

The OPM report shows that the organization was well aware of its problems. Looking ahead, the agency wanted to move to a modern virtualized, cloud-based system, but it was never sufficiently funded.

After the OPM was hacked in March 2014--oh yes this successful attack wasn't the first--Seymour said "Our antiquated technology may have helped us a little bit." It didn't this time. Security by obscurity never works for long.

Fast forward to this year. In the OPM's 2016 budget request, it asked for $32 million more. Archuleta wrote "Most of these funds will be directed towards investments in IT network infrastructure and security. As a proprietor of sensitive data -- including personally identifiable information for 32 million federal employees and retirees -- OPM has an obligation to maintain contemporary and robust cybersecurity controls."

Clearly, OPM long knew they had a major problem on their hands due to their reliance on out-of-date equipment and software. They knew their obsolete IT infrastructure made them more vulnerable to hackers. And, they knew what the answer was. It's just too bad they couldn't get Congress to pay for it.

Congress, which has been mired in partisan politics for years, has been barely able to function at all. For example, Congress barely kept the Department of Homeland Security running earlier this year.

The real culprits behind the OPM hack aren't Archuleta and Seymour. They're the scapegoats. The real blame should fall on Congress, which, as it showed in the 2013 budget sequestration, refuses to rationally budget for critical government needs.

Without sufficient funding, the OPM might as well have tried using stone knives and bear skins to secure its systems. Just because Mr. Spock could work technical miracles on Star Trek with obsolete tech is no reason to think OPM's IT staff could do it in real life.




2015-06-18-WP-reacting-to-chinese-hack-the-government-may-not-have-followed-its-own-cybersecurity-rules
Reacting to Chinese hack,
the government may not have followed its own cybersecurity rules

By Lisa Rein
Washington Post Blog, 2015-06-18

In responding to China’s massive hack of federal personnel data, the government may have run afoul of computer security again.

Over the last nine days, the Office of Personnel Management has sent e-mail notices to hundreds of thousands of federal employees to notify them of the breach and recommend that they click on a link to a private contractor’s Web site to sign up for credit monitoring and other protections.

But those e-mails have been met with increasing alarm by employees — along with retirees and former employees with personal data at risk — who worry that the communications may be a form of “spear phishing” used by adversaries to penetrate sensitive government computer systems.

After the Defense Department raised a red flag about the e-mails its 750,000 civilian employees were starting to receive, OPM officials said late Wednesday that the government had suspended its electronic notifications this week.

“We’ve seen such distrust and concerns about phishing,” OPM spokesman Sam Schumach acknowledged, describing the feedback from many of the 4.2 million current and former employees who are being notified that personnel files containing their Social Security numbers, addresses and other personal information may have been stolen.

Computer experts said the personnel agency — already under fire from lawmakers from both parties for failing to protect sensitive databases from hackers — could be putting federal systems in jeopardy again by asking employees to click on links in the e-mails.

“There’s a risk that you desensitize people by telling them that occasionally, there’s going to be a very important email you have to click on,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology.

He called OPM’s first round of e-mail transmissions the equivalent of “sending a postcard to people saying gee, you just got hacked, go to this website. The hackers could wise up and send their own set of fake identity protection e-mails and get into your computers all over again.”

That’s precisely what worried top Defense officials before the chief information officer of the government’s largest agency told OPM last week to suspend the notifications because they disregarded basic cybersecurity training that’s crucial to ensuring the safety of military networks: Never click on unfamiliar links, attachments or e-mail addresses because they expose employees to spear phishing attacks.

Defense offices across the country posted a bulletin in their internal communication networks from CIO Terry Halvorsen that said OPM was “suspending notification to DoD personnel that their [Personal Identifying Information] may have been breached until an improved, more secure notification and response process can be put in place.”

The notice continued:

“Recognizing that DOD personnel are trained not to open links embedded in emails not digitally signed and/or sent from unknown senders, DoD officials are working closely with other federal partners to establish notification procedures that will allow DoD personnel to reliably and confidently receive these notifications, and register for the benefits to which they are entitled.”

Employees across the government and their unions have raised concerns that the e-mails refer them to the Web site of a private company with a .com address instead of coming from a government domain. Even though they are given a PIN code, many people say they’re wary of giving a contractor their Social Security numbers, addresses and other information they need to provide to qualify for identity theft insurance and credit monitoring.

The contractor, CSID, resumed the e-mail notifications late Wednesday with a change designed to give employees more confidence that the communications are legitimate and the company’s Web site secure, Schumach said. They still have the option to click directly on a link to enroll in credit protection services, but now they can copy and paste the Web site address, https://www.csid.com/opm/ themselves, a more secure strategy.

“To alleviate the concerns of phishing, OPM and [the contractor] have made changes to email notifications by adding additional options for those who want to enroll in the [contractor’s] services directly from the email,” Schumach said. “Now, affected individuals will be able to not only click on the ‘Enroll Now’ button, but will also have the option to copy a non-hyperlink address so they know exactly what website they will be visiting.”

Despite the fixes, OPM’s credibility may still suffer. Director Katherine Archuleta was berated by Democrats and Republicans on Capitol Hill this week for what they called her serious negligence in failing to take long-recommended steps to secure the computer systems containing federal personnel records. Two top Republicans have called on her to resign.

“Even when they try to clean it up, they’re getting it wrong,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, said of OPM’s response to the data breach. “A policy saying don’t send clickable links to employees is not rocket science. It’s cybersecurity 101.”

Officials are preparing to send a second round of notifications to millions of employees and contractors that the hackers also got access to their detailed personal histories.

Most federal agencies give their employees regular cybersecurity training. But with their computer systems an obvious target for cyber criminals, DOD civilians and active duty military get extensive instruction in how to store their information securely, create strong passwords and avoid exposing their networks to intruders. Some of the basic no-nos are opening links or attachments from senders they don’t know.

The danger in clicking unfamiliar links is that an employee will fall for a spear phishing scam, hitting bogus links that download malicious programs and infecting the company’s information-technology server.

J. David Cox Sr., president of the American Federation of Government Employees, the largest federal union, said in a statement, “Employees throughout the government need to be very cautious of opening any email that comes from unknown sources, since the hacking of OPM’s databases has made employees extra vulnerable to phishing schemes.”
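The receiving side can automate the checks the article describes: that every link in a breach notice points at the notifier's own domain, that an address shown in the link text matches the real target, and that the link is not plain http. This is an added example, not code from the page, OPM or CSID; the allowlisted hosts and the two sample notices are constructed assumptions.

```python
"""Flag breach-notification e-mails whose links do not go where they claim.

Added example (not OPM's or CSID's code). Sample notices are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the notifier's own hosts (the article quotes
# https://www.csid.com/opm/ as the enrollment address).
ALLOWED_HOSTS = {"www.csid.com", "csid.com", "opm.gov", "www.opm.gov"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL, or '' if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def _host_allowed(host):
    """True if host is an allowlisted host or a subdomain of one."""
    return host in ALLOWED_HOSTS or any(host.endswith("." + d) for d in ALLOWED_HOSTS)


def check_notification(html):
    """Return a list of findings; an empty list means nothing suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if not _host_allowed(host):
            findings.append(f"link to non-allowlisted host: {host or href!r}")
        # A link whose visible text looks like an address must lead there:
        # a displayed/actual host mismatch is the classic phishing tell.
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = _host(text if "://" in text else "https://" + text)
            if shown != host:
                findings.append(f"displayed {shown} but links to {host}")
        if urlparse(href).scheme == "http":
            findings.append(f"unencrypted http link to {host}")
    return findings


# Constructed sample notices (not real OPM messages).
GOOD_NOTICE = """<p>Your information may have been affected.</p>
<p><a href="https://www.csid.com/opm/">Enroll Now</a></p>
<p>Or copy this address into your browser: https://www.csid.com/opm/</p>"""

BAD_NOTICE = """<p>Urgent: enroll today.</p>
<p><a href="http://csid-opm-enroll.example/">https://www.csid.com/opm/</a></p>"""

if __name__ == "__main__":
    for name, body in (("good", GOOD_NOTICE), ("bad", BAD_NOTICE)):
        print(name, check_notification(body) or "no findings")
```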





2015-06-21-NYT-attack-gave-chinese-hackers-privileged-access-to-us-systems
Attack Gave Chinese Hackers Privileged Access to U.S. Systems
By DAVID E. SANGER, NICOLE PERLROTH and MICHAEL D. SHEAR
New York Times, 2015-06-21

WASHINGTON — For more than five years, American intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics makers, their targets shifting to fit Beijing’s latest economic priorities.

But last summer, officials lost the trail as some of the hackers changed focus again, burrowing deep into United States government computer systems that contain vast troves of personnel data, according to American officials briefed on a federal investigation into the attack and private security experts.

Undetected for nearly a year, the Chinese intruders executed a sophisticated attack that gave them “administrator privileges” into the computer networks at the Office of Personnel Management, mimicking the credentials of people who run the agency’s systems, two senior administration officials said. The hackers began siphoning out a rush of data after constructing what amounted to an electronic pipeline that led back to China, investigators told Congress last week in classified briefings.

Much of the personnel data had been stored in the lightly protected systems of the Department of the Interior, because it had cheap, available space for digital data storage. The hackers’ ultimate target: the one million or so federal employees and contractors who have filled out a form known as SF-86, which is stored in a different computer bank and details personal, financial and medical histories for anyone seeking a security clearance.

“This was classic espionage, just on a scale we’ve never seen before from a traditional adversary,” one senior administration official said. “And it’s not a satisfactory answer to say, ‘We found it and stopped it,’ when we should have seen it coming years ago.”

The administration is urgently working to determine what other agencies are storing similarly sensitive information with weak protections. Officials would not identify their top concerns, but an audit issued early last year, before the Chinese attacks, harshly criticized lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission — and the Department of Homeland Security, which has responsibility for securing the nation’s critical networks.

At the Nuclear Regulatory Commission, which regulates nuclear facilities, information about crucial components was left on unsecured network drives, and the agency lost track of laptops with critical data.

Computers at the I.R.S. allowed employees to use weak passwords like “password.” One report detailed 7,329 “potential vulnerabilities” because software patches had not been installed. Auditors at the Department of Education, which stores information from millions of student loan applicants, were able to connect “rogue” computers and hardware to the network without being noticed. And at the Securities and Exchange Commission, part of the network had no firewall or intrusion protection for months.

“We are not where we need to be in terms of federal cybersecurity,” said Lisa Monaco, President Obama’s homeland security adviser. At an Aspen Institute conference in Washington on Tuesday, she blamed out-of-date “legacy systems” that have not been updated for a modern, networked world where remote access is routine. The systems are not continuously monitored to know who is online, and what kind of data they are shipping out.

In congressional testimony and in interviews, officials investigating the breach at the personnel office have struggled to explain why the defenses were so poor for so long. Last week, the office’s director, Katherine Archuleta, stumbled through a two-hour congressional hearing. She was unable to say why the agency did not follow through on inspector general reports, dating back to 2010, that found severe security lapses and recommended shutting down systems with security clearance data.

When she failed to explain why much of the information in the system was not encrypted — something that is standard today on iPhones, for example — Representative Stephen F. Lynch, a Massachusetts Democrat who usually supports Mr. Obama’s initiatives, snapped at her. “I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers,” he said, “as you are keeping information out of the hands of Congress and federal employees.”

Her performance in classified briefings also frustrated several lawmakers. “I don’t get the sense at all they understand the problem,” said Representative Jim Langevin, a Rhode Island Democrat, who called for Ms. Archuleta’s resignation. “They seem like deer in the headlights.”

Josh Earnest, the White House spokesman, said on Wednesday that Mr. Obama remained confident that Ms. Archuleta “is the right person for the job.” Ms. Archuleta, who took office in November 2013, did not respond to a request for an interview.

But even some White House aides say a lack of focus by managers contributed to the security problems. It was not until early last year, as computer attacks began on United States Investigations Services, a private contractor that conducts security clearance interviews for the personnel office, that serious efforts to develop a strategic plan to seal up the agency’s many vulnerabilities started.

The attacks on the contractor “should have been a huge red flag,” said one senior military official who has reviewed the evidence of China’s involvement. “But it didn’t set off the alarms it should have.”

Federal and private investigators piecing together the attacks now say they believe the same groups responsible for the attacks on the personnel office and the contractor had previously intruded on computer networks at health insurance companies, notably Anthem Inc. and Premera Blue Cross.

What those attacks had in common was the theft of millions of pieces of valuable personal data — including Social Security numbers — that have never shown up on black markets, where such information can fetch a high price. That could be an indicator of state sponsorship, according to James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies.

But federal investigators, who like other officials would not speak on the record about a continuing inquiry, said the exact affiliation between the hackers and the Chinese government was not fully understood. Their tools and techniques, though, were easily identifiable to intelligence analysts and the security researchers who have been analyzing the breaches at the insurers and the Office of Personnel Management. Federal officials believe several groups were involved, though some security experts only detected one.

“Since mid-2014, we have observed a threat group target valuable ‘personally identifiable information’ from multiple organizations in the health care insurance and travel industries,” said Mike Oppenheim, the manager of threat intelligence at FireEye, a cybersecurity company. “We believe this group is behind the O.P.M. breach and have tracked this group’s activities since early 2013.”

But he argued that “unlike other actors operating from China who conduct industrial espionage, take intellectual property or steal defense technology, this group has primarily targeted information that would enable it to build a database of Americans, with a likely focus on diplomats, intelligence operatives and those with business in China.”

While Mr. Obama publicly named North Korea as the country that attacked Sony Pictures Entertainment last year, he and his aides have described the Chinese hackers in the government records case only to members of Congress in classified hearings. Blaming the Chinese in public could affect cooperation on limiting the Iranian nuclear program and tensions with China’s Asian neighbors. But the subject is bound to come up this week when senior Chinese officials meet in Washington for an annual strategic and economic dialogue.

Though their targets have changed over time, the hackers’ digital fingerprints stayed much the same. That allowed analysts at the National Security Agency and the F.B.I. to periodically catch glimpses of their movements as they breached an ever more diverse array of computer networks.

Yet there is no indication that the personnel office realized that it had become a Chinese target for almost a year. Donna K. Seymour, the chief information officer, said the agency put together last year “a very progressive, proactive plan that allowed us to see the adversarial activity,” and argued that “had we not been on that path, we may never have seen anything” this spring. She cautioned, “There is no one security tool that is a panacea.”

A congressional report issued in February 2014 by the Republican staff of the Senate Homeland Security Committee, concluded that multiple federal agencies with responsibility for critical infrastructure and holding vast amounts of information “continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information.”

The report reserves its harshest criticism for the repeated failures of agency officials to take steps — some of them very basic — that would help thwart cyberattacks.

Computers at the Department of Homeland Security, which is charged with protecting the nation’s public infrastructure, contained hundreds of vulnerabilities as recently as 2010, according to authors of the report. They said computer security failures remained across agencies even though the government has spent “at least $65 billion” since 2006 on protective measures.

At the personnel office, a set of new intrusion tools used on the system set off an alarm in March, Ms. Seymour said. The F.B.I. and the United States Computer Emergency Response Team, which works on network intrusions, found evidence that the hackers had obtained the credentials used by people who run the computer systems. Ms. Seymour would say only that the hackers got “privileged user access.” The administration is still trying to determine how many of the SF-86 national security forms — which include information that could be useful for anyone seeking to identify or recruit an American intelligence agent, nuclear weapons engineer or vulnerable diplomat — had been stolen.

“They are casting a very wide net,” John Hultquist, a senior manager of cyberespionage threat intelligence at iSight Partners, said of the hackers’ targeting of Americans’ personal data. “We’re in a new space here and we don’t entirely know what they’re trying to do with it.”



2015-06-21-Arstchnica-epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data
“EPIC” fail—
how OPM hackers tapped the mother lode of espionage data

by Sean Gallagher
Arstechnica, 2015-06-21

...

The two systems breached were the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior's shared service data center, and the central database behind "EPIC," the suite of software used by OPM's Federal Investigative Service in order to collect data for government employee and contractor background investigations.

Ars contacted both OPM and DHS while researching this story, but officials at both agencies refused to confirm or deny that these systems were part of the breach due to the ongoing investigation. However, sources familiar with OPM projects identified these systems as the ones most likely to be at the heart of the breaches.

...

OPM is not alone in neglecting basic security guidelines spelled out for them by both federal regulations and executive orders for much of the past decade. Even those agencies that have implemented systems to comply with the letter of FISMA (Federal Information and Security Management Act) and other regulations have had problems keeping on point because of the constantly changing nature of information security threats. And the complex plaque of information systems that agencies have built up often defies any sort of security management because the vendors who built many of the systems have long since disappeared.

By and large, government agencies in the last 20 years have become increasingly dependent on outside contractors to provide the most basic of information technology services—especially smaller agencies like OPM. The result has been a patchwork of IT systems and security, and the Office of the CIO at OPM has a direct hand in fewer and fewer projects. Of the 47 major IT systems at OPM, 22 of them are currently run by contractors. OPM's security team has limited visibility into these outside projects, but even the internally operated systems were found to be lacking in terms of basic security measures.

...

The greatest lapse within OPM's security, perhaps, is the way that it has handled user authentication. The OPM IG report has found progress on access controls, including the use of multi-factor authentication to access OPM's virtual private networks and even to log into workstations using Personal Identity Verification (PIV) card readers—essentially guarding the entry points into the OPM network. But "none of the agency's 47 major applications require PIV authentication," the Office of the Inspector General reported, a violation of an Office of Management and Budget mandate for federal systems.

OPM's Office of the CIO responded that "in [fiscal year] 15 we will continue to implement PIV authentication for major systems."

But OPM's systems, including central user authentication services used by most of the agency's applications, and the entirety of EPIC, were also operating without authorization—meaning, the systems had not been fully vetted for security, and were not even technically supposed to be in use. The OPM's Inspector General report recommended that EPIC and other systems that were operating without "Authority to Operate" (ATO) be shut down until they were judged secure, calling the systems' poor auditing a national security concern.

Ironically, federal officials have been blaming the messenger to some degree through anonymous statements to the press. NPR reported that investigators were looking into whether the IG report "tipped off hackers to some of the agency's vulnerabilities," and reporter Dina Temple-Raston found that investigators believed the attack came "about a month" after the IG report was published. "Among the things the inspector general found that could have helped hackers was that nearly a quarter of the agency's systems did not have valid authorization procedures," she said. "The reason that's important is because one of the departments that didn't have the correct procedures was the Federal Investigative Services. That's the group responsible for background investigations of federal employees. So that data's very sensitive, and as we know now, this is one of the databases that was hacked."

But those problems had been well-documented prior to the 2014 IG report. Attacks on two OPM investigative contractors—USIS and KeyPoint—could have provided plenty of intelligence on just how bad OPM's systems were. Even a quick Web search would have given attackers plenty of ideas about how to get into OPM's sensitive systems. For example, the "secure" Web gateway to OPM's background investigation systems is a contractor-hosted website at an application service provider. That Web gateway is reached through a Windows Web server running JRun 4.0, Adobe's Java application server, as well as ColdFusion, a platform that has been used for a number of breached government servers in the past few years.

In 2013, someone hacked into Adobe and stole the ColdFusion source code. And Adobe dropped the JRun product line entirely in 2013—with extended "core" support ending in December of 2014. There is no evidence that OPM or its application provider had purchased expensive extended, dedicated support, but JRun would hardly be the only unsupported platform still used by OPM. The agency still has systems based on Windows XP (supported under a custom support agreement with Microsoft), and many of the core systems run by the agency are based on mainframe applications that haven't been updated since their COBOL code was fixed for the Y2K bug in the late 1990s.

It would be incorrect to say that these older systems (especially the COBOL code) couldn't be updated to support encryption, however. There are numerous software libraries that can be used to integrate encryption schemes into older applications, including libraries from PKWare. Other government agencies and financial institutions already utilize such software, according to Matt Little, VP of Product Development at PKWare. The problem is that, as DHS Assistant Secretary for Cybersecurity Andy Ozment noted during his testimony, OPM didn't have the kind of authentication infrastructure in place for its major applications to take advantage of encryption in the first place. Encryption, he said, would "not have helped in this case."

Since multi-factor authentication and encryption were not integrated into any of OPM's 47 major applications, all an attacker had to do was to gain access to a system on the network—nearly any system. Based on the testimony before Congress and other publicly available data, we know that hackers found at least two systems and were able to easily expand their access laterally within OPM and then contractor and service provider networks afterward.

"There's a process failure in every spot there," said PKWare's Little. "It's just bad security controls. It looks ridiculous—they didn't even have basic IP (network) access controls. This is not something we typically see in a serious security customer."

As Ars has reported, those problems were not just found at OPM itself. Contractors working for the agency may have introduced some unique security issues of their own, including employing Chinese nationals—some working from overseas—as part of subcontracting teams. Allegedly, that project was an implementation of SAP's SuccessFactors software, undertaken by a systems integrator for OPM and affiliated agencies, and included access to employee personnel data for the Department of Energy, the Transportation Security Agency, and others. SuccessFactors is used as part of a human resources system called the Talent Management System (TMS), "an integrated learning management and performance management system based on the industry leading SAP/Plateau/Success Factors software" hosted for multiple agencies by a data center at the Department of the Interior. SAP could not provide information about the program, the integrator, or even confirm that Interior or OPM were a customer without OPM authorization.

...

Bringing an approach from military training, where "train like you fight" has long been a mantra, would certainly help. But that's unlikely to happen without major changes to government security policy and culture. "Everything is focused on box checking," Parker noted. He added that his company doesn't do work in the federal market "because there's still a lowest bidder mentality there. If you're a CISO in a private company and you get hacked, and you get called into the boardroom and they ask you what is your procurement philosophy, and you say you went with the lowest bidder, you're going to get hung out to dry."

Instead of addressing some of the underlying problems, government agencies' approach has largely been to throw more people at the problem—Information Systems Security Officers (ISSOs). As of last October, OPM had hired seven ISSOs to take over management of systems security and had another four in the hiring pipeline. Parker said this is akin to "putting as many people around a bad fort instead of rebuilding a better fort." And while great heaps of money are being spent on cybersecurity systems, agencies could likely get a better result spending that money on "fixing systems that are 10 to 20 years old that have never been upgraded."

But these efforts won't happen without a sea change in culture, procurement approaches, and Congressional funding. Until then, expect to hear about more breaches—likely at an increasing rate.





2015-06-23-WP-effort-to-improve-security-for-federal-employee-records-at-high-risk-of-failure-audit-finds
Computer system that detected massive government data breach
could itself be at ‘high risk,’ audit finds

By Eric Yoder
Washington Post Blog, 2015-06-23

The computer upgrade that federal officials tout as having detected — although not prevented — a massive breach of information on federal employees is itself at high risk of failure, according to a new internal audit.

The independent inspector general’s office within the Office of Personnel Management is conducting a thorough review of the upgrade but issued a “flash audit alert” to top agency leaders “to bring to your immediate attention serious concerns we have” that require “immediate action.”

“There is a high risk that this project will fail to meet the objectives of providing a secure operating environment for OPM systems and applications,” the alert says.

OPM “has initiated this project without a complete understanding of the scope of OPM’s existing technical infrastructure or the scale and costs of the effort required to migrate it to the new environment . . . In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate, and introduces a very high risk of project failure,” it says.

The alert is dated June 17, the same day that top OPM officials participated in a contentious House hearing about two separate breaches, one involving personnel records of current and former federal workers and one involving security clearance application files.

The breach of OPM’s security-clearance computer system happened a year ago, giving Chinese government intruders considerable time to explore the sensitive data and identify information that they wanted to steal, according to details disclosed last week.

The compromise of that system — which includes a wealth of personal, family and financial details on millions of current, former and prospective federal employees and contractors — was uncovered in early June and goes back about a year, government officials said.

The discovery that the security-clearance system had been infiltrated came after the detection in April of the compromise of a separate OPM personnel database that contains the personal information, including Social Security numbers, of 4.1 million current and former federal employees.

The release of the IG’s audit comes as Congress is set to hold three more hearings this week on the issue and amid growing calls for more disclosure and accountability from OPM.

At last week’s hearing, members of both parties criticized OPM for failing to respond to prior reports from the inspector general warning of vulnerabilities in its computer systems. Those warnings included recommendations, not carried out, that OPM consider shutting down certain systems that did not meet certain security standards.

In response to those criticisms, OPM director Katherine Archuleta repeatedly pointed to an ongoing upgrade project that ultimately detected the breaches, although months after they happened.

According to the latest IG report, that upgrade was launched in response to the failed attempt to hack the security clearance files in March 2014, an attempt that was made public several months later. The successful breach of those files happened around that same time, while the breach of the personnel files happened in late 2014.

The upgrade project includes a full overhaul of the agency’s technical infrastructure and then migrating the entire infrastructure into a completely new environment.

“While we agree in principle that this is an ideal future goal for the agency’s IT environment, we have serious concerns regarding OPM’s management of this Project. The Project is already underway and the agency has committed substantial funding, but it has not yet addressed several critical project management requirements,” the alert says.

One such issue is the time required to move the data into the new system, which OPM estimates at 18 to 24 months. “We believe this is overly optimistic and that the agency is highly unlikely to meet this target,” the auditors said.

Also questionable is the ultimate cost and how it will be paid for: “When we asked about the funding for the Migration phase, we were told, in essence, that OPM would find the money somehow, and that program offices would be required to fund the migration of applications that they own from their existing budgets. However, program office budgets are intended to fund OPM’s core operations, not subsidize a major IT infrastructure project. It is unlikely that OPM will be able to fund the substantial migration costs related to this Project without a significantly adverse impact on its mission, unless it seeks dedicated funding through Congressional appropriation,” the audit says.

In addition, OPM has not completed other standard best practice project management steps such as a study of the scope and timeline, a technology acquisition plan, a test plan, and a full implementation plan, it says.

While it was understandable that OPM had to shortcut the initial steps of the project to get it underway, it says, “the other phases of the project are clearly going to require long-term effort, and, to be successful, will require the disciplined processes associated with proper system development project management.”

At a Senate subcommittee hearing Tuesday morning, Archuleta said, “I assure the inspector general and everyone here that all our decisions are being tracked, documented and justified.”

She said the administration has designated $67 million in 2014 and 2015 funds for the project and is requesting another $27 million for 2016. She added that a request for additional funding may be made soon.

OPM press secretary Sam Schumach said in a statement later Tuesday, “If the agency were to follow the OIG recommendation that OPM adhere to the regular timetable of submitting this project as part of the FY 2017 budget process, then it would be necessary for OPM to begin a process that could not be completed in time and that would only serve to stall the critical efforts already underway.”

Michael Esser, the agency’s assistant inspector general for audits, said at the hearing that the upgrade “definitely needs to be done. We fully support that project. In general, we definitely think that’s the right path to follow.”

However, his formal statement raised many of the issues contained in the audit, adding that the money set aside or requested so far would pay only for the work up to the migration of data—which “is likely to be, by far, the most expensive part of the project.”


2015-06-23-Senate-Hearing-Appropriations-fsgg-subcommittee-hearing-opm-information-technology-spending-data-security
OPM Information Technology Spending & Data Security
FSGG Subcommittee Hearing
Tuesday, June 23, 2015
Description:

FINANCIAL SERVICES AND GENERAL GOVERNMENT SUBCOMMITTEE (John Boozman, Chairman)

Hearing to review information technology spending and data security at the U.S. Office of Personnel Management

10:30 a.m., Room 124, Dirksen Senate Office Building

Witnesses:

Ms. Katherine Archuleta
Director
U.S. Office of Personnel Management

Mr. Michael Esser
Assistant Inspector General – Audits
U.S. Office of Personnel Management

Mr. Richard Spires
Chief Executive Officer
Resilient Network Systems, Inc.




2015-06-24-House-Hearing-Oversight-OPM-Data-Breach-II
OPM Data Breach: Part II
Full House Committee on Oversight and Government Reform
Hearing Date: June 24, 2015 10:00 am

PURPOSE:

To provide Members an opportunity to gain additional information on the security of the U.S. Office of Personnel Management (OPM) information systems and the data it is entrusted to protect.
To examine OPM compliance with the Federal Information Security Management Act (FISMA).



BACKGROUND:

On June 4, OPM announced a data breach and its plan to notify approximately 4 million individuals whose personally identifiable information (PII) may have been compromised. The full extent of the data breach, including who was affected and what information was accessed, is still unknown.
The Committee held a hearing on June 16, 2015, titled, “OPM: Data Breach.” In prepared testimony, OPM Director Archuleta stated that “there was a high degree of confidence that OPM systems related to background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may have been compromised.”
During the hearing, OPM Director Archuleta indicated that, “any federal employee from across all branches of government, whose organization submitted service history records to OPM, may have been compromised.”

Witnesses and testimonies

Name                 | Title                     | Organization                                                                 | Panel | Document
Katherine Archuleta  | Director                  | U.S. Office of Personnel Management                                          |       | Document
Patrick E. McFarland | Inspector General         | U.S. Office of Personnel Management                                          |       | Document
Donna K. Seymour     | Chief Information Officer | U.S. Office of Personnel Management                                          |       | Document
Ann Barron-DiCamillo | Director                  | U.S. Computer Emergency Readiness Team, U.S. Department of Homeland Security |       |
Eric A. Hess         | Chief Executive Officer   | KeyPoint Government Solutions                                                |       | Document
Rob Giannetta        | Chief Information Officer | USIS                                                                         |       | Document





2015-06-24-Hayden-why-cant-we-play-game
Why Can't We Play This Game?
by General Michael Hayden
The Cipher Brief, 2015-06-24

[Emphasis added.]

Jimmy Breslin borrowed a line from manager Casey Stengel
to title his chronicle of the worst team in baseball history, the 1962 Mets.
Stengel plaintively asked, "Can't Anybody Here Play This Game?"
Given recent events,
Americans could be asking the same question about
their government's cyber performance.

Earlier this month the Office of Personnel Management announced that
someone had grabbed super user status on OPM computers,
taking the records of
more than four million current, former and retired government employees
and, then, within a week OPM added that
an attacker had been in the database of the government's
far more sensitive security clearance system for almost a year.
Recent estimates put the number of people affected at 18 million.

We've seen breaches before, but these were particularly numbing.
The massive files of American government names, social security numbers, dates and places of birth, jobs, training and benefits
gives an adversary data that can be used to coerce, blackmail or recruit U.S. sources.
Access to the security clearance database would disgorge
even more detailed personal information,
including the foreign contacts of American officials.

Fingers quickly pointed to China, and why not?
The Chinese have pretty much had a free hand in American databases
for the better part of a decade
and the attacks fit their policy, their needs, their tactics and their tools.
The only thing missing was a formal American accusation.

But let me quickly add that I do not blame the Chinese.
If we determine that China did this,
we would be assigning responsibility,
but blame is a different matter.

I blame China when they penetrate American industry
(an unfair nation state vs. private company fight)
and rip off intellectual property for commercial gain
(something we view as criminal).

This wasn't that.
This was legitimate state espionage, one government going after another
for information that could contribute to its national security.
As Director of the National Security Agency,
given the opportunity against similar Chinese information,
I would not have hesitated for a second...
and I wouldn't have had to get anyone's permission to do it.



This is what serious nation states do. All of them.
There is no shame for China here.
This is all shame on us.



So how has the U.S. government responded?
Well, if there is official outrage about our incompetence,
it has been kept well hidden.
We've gotten our share of somber press briefings,
but there have been no visible consequences for catastrophic failure.
I could add predictable failure, as well,
since OPM's own Inspector General last year said that
the network was so bad that several systems should be shut down.
But they weren't.

A tone of self-congratulation seemed to surface
at the inevitable Congressional hearings
as OPM claimed that, but for its recent IT security modernization program,
the penetrations would still be undetected.
Despite the new tools, however, OPM was still unwilling or unable
to precisely characterize the damage or identify the perpetrator.

We then went through an interlude of comic relief,
the kind necessary in all tragedies.
The White House directed that all federal agencies conduct a 30-day cyber sprint
to apply patches and the other elements of basic cyber hygiene
that they apparently had not done in the preceding months and years.

Then OPM, as required by law,
began notifying folks whose personal information had likely been compromised.
Tens of thousands of emails were sent directing government employees to --
wait for it --
click on the embedded hyperlink to take advantage of
the data breach protection services being offered.
Recognizing that just such an action (a spear phishing attack)
had likely enabled the original breach,
the Department of Defense (DoD) directed its employees to trash the OPM message.

In front of Congressman Jason Chaffetz and the House Oversight Committee,
OPM Director Katherine Archuleta invoked a bit of the Homer Simpson defense
(“It was like that when I got here”) when she said,
"Cyber security problems take decades in the making…
the whole of government is responsible..."

Not a defense I would have adopted
(especially if I had been at OPM more than two years),
but one not without some truth.
After all, until the OPM breach,
we were fixated on the damage done by Bradley/Chelsea Manning in DoD
until he/she was eclipsed by Edward Snowden in NSA.
And one can fairly wonder what of the insider threat needed explaining
after Manning, but before Snowden.
And it's probably fair to note that in both cases (like the OPM case)
the downloading of massive amounts of data went undetected.

It's not only the executive branch that has been late to need.
The last two Congresses have failed to pass cyber security legislation
that would have given liability protection
to firms sharing cyber threat information with one another and with the government.

And Chairman Chaffetz was an enthusiastic supporter of the USA Freedom Act
designed to rein in the allegedly renegade National Security Agency
and its wanton depredations of American privacy.
Little more than forty-eight hours after voting to limit the Nation's most powerful cyber force,
Chaffetz and the rest of Congress were demanding to know
how the personal records of millions of Americans
could have been violated by a foreign power.
Perhaps they misidentified the real threats to American privacy.

In reviewing Breslin's book, the New York Times --with tongue in cheek--
described it as "one of the most imaginative spoofs of the year."
Jimmy Breslin, the review went on, "has invented a fabulous baseball club he calls the Mets.”

Except that the '62 Mets were real. Just like the sorry state of our cyber defenses.

By the way, seven years later the Mets were the world champions.

Shouldn't we get on with it, too?

General Hayden is a retired four-star General in the United States Air Force.
He was the Director of the Central Intelligence Agency from 2006-2009
and the Director of the National Security Agency from 1999-2005.
He is also an investor in The Cipher Brief.



2015-06-25-Senate-Hearing-OPM-Date-Breach
Under Attack: Federal Cybersecurity and the OPM Data Breach
Senate Committee on Homeland Security and Governmental Affairs
2015-06-25

Witnesses

The Honorable Katherine Archuleta
Director
Office of Personnel Management

Tony Scott
U.S. Chief Information Officer
Office of Personnel Management

Andy Ozment, Ph.D.
Assistant Secretary, Office of Cybersecurity and Communications
National Protection and Programs Directorate, U.S. Department of Homeland Security

The Honorable Patrick E. McFarland
Inspector General
Office of Personnel Management




2015-06-30-Daily-Beast-spies-warned-feds-about-opm-mega-hack-danger
Spies Warned Feds About OPM Mega-Hack Danger
by Shane Harris
Daily Beast, 2015-06-30



2015-07-08-House-Hearing-Science-subcommittee-research-and-technology-and-subcommittee-oversight-hearing-opm-data-breach-tip
Is the OPM Data Breach the Tip of the Iceberg?
Subcommittee on Research and Technology and Subcommittee on Oversight Hearing
2318 Rayburn House Office Building, Washington, D.C. 20515
Jul 8, 2015, 2:00 pm - 4:00 pm

Charter [A very informative document.]

Witnesses:
  • Mr. Michael R. Esser, Assistant Inspector General for Audits,
    Office of Personnel Management
    [This is a very worthwhile document.
    An extract from it is below.]
  • Mr. David Snell, Director, Federal Benefits Service Department,
    National Active and Retired Federal Employee Association
  • Dr. Charles Romine, Director, Information Technology Laboratory,
    National Institute of Standards and Technology
  • Mr. Gregory Wilshusen, Director, Information Security Issues,
    U.S. Government Accountability Office



Extract from the submitted testimony of
Mr. Michael R. Esser, Assistant Inspector General for Audits,
Office of Personnel Management
(the emphasis in color is added by the author of the current blog):


1. Information Security Governance

Information security governance is
the management structure and processes
that form the foundation of a successful IT security program.
Although the DHS FISMA reporting metrics
do not directly address security governance,
it is an overarching issue that impacts
how the agency handles IT security and
its ability to meet FISMA requirements,
and therefore we have always addressed the matter
in our annual FISMA audit reports.

This is an area where OPM has seen significant improvement.
However, some of the past weaknesses still haunt the agency today.

In the FY 2007 FISMA report, we identified a material weakness related to
the lack of IT security policies and procedures.
In FY 2009, we expanded the material weakness to include
the lack of a centralized security management structure
necessary to implement and enforce IT security policies.
OPM’s Office of the Chief Information Officer (OCIO)
was responsible for the agency’s overall technical infrastructure
and provided boundary-level security controls
for the systems residing on this infrastructure.
However, each OPM program office
had primary responsibility for managing security controls
specific to its own IT systems.
There was often confusion and disagreement as to
which controls were the responsibility of the OCIO,
and which were the responsibility of the program offices.

Further, the program office personnel responsible for IT security
frequently had no IT security background
and were performing this function
in addition to another full-time role.
For example, this meant that an employee
whose job was processing retirement applications
may have been given the additional responsibility of
monitoring and managing the IT security needs
of the system used to process those applications.

...

However, in FY 2014, we changed the classification of this issue
to a significant deficiency,
which is less serious than a material weakness.
This change was prompted by important improvements
that were the result of changes instituted in recent years by OPM.

...

2. Security Assessment and Authorization

A Security Assessment and Authorization (Authorization)
is a comprehensive process under which
the IT security controls of an information system
are thoroughly assessed against applicable security standards.
After the assessment is complete,
a formal “Authorization to Operate” (ATO) memorandum is signed,
indicating that
the system is cleared to operate in the agency’s technical environment.
The Office of Management and Budget (OMB) mandates that
all major Federal information systems be re-authorized every three years
unless a mature continuous monitoring system is in place
(which OPM does not yet have).
Although, as mentioned,
IT security responsibility is being centralized under the OCIO,
it is still the responsibility of OPM program offices
to facilitate and pay for the Authorization process
for the IT systems that they own.

...

However,
problems with OPM’s system Authorizations have recently resurfaced.
In FY 2014, 21 OPM systems were due for Authorization,
but 11 of those were not completed on time
and were therefore operating without a valid Authorization.
This is a drastic increase from prior years,
and represents a systemic issue of
inadequate planning by OPM program offices
to assess and authorize the information systems that they own.

Although the majority of our FISMA audit work
is performed towards the end of the fiscal year,
it already appears that
there will be a greater number of systems this year
operating without a valid Authorization.
In April,
the CIO issued a memorandum that granted
an extension of the previous Authorizations
for all systems whose Authorization had already expired,
and for those scheduled to expire through September 2016.
Should this moratorium on Authorizations continue,
the agency will have up to 23 systems
that have not been subject to a thorough security controls assessment.
The justification for this action was that
OPM is in the process of modernizing its IT infrastructure
and once this modernization is complete,
all systems would have to receive new Authorizations anyway.

While we support the OCIO’s effort to modernize its systems,
this action to extend Authorizations is contrary to OMB guidance,
which specifically states that
an “extended” or “interim” Authorization is not valid. [Emphasis in original.]
Consequently, these systems are still operating without a current Authorization,
as they have not been subject to the complete security assessment process
that the ATO is intended to represent.
We believe that this continuing disregard of the
importance of the Authorization process
is an indication that the agency has not historically,
and still does not, prioritize IT security.

There are currently no consequences for failure
to meet FISMA standards,
or operate systems without Authorizations,
at either the agency level or the program office level.
The OIG simply reports our findings in our annual FISMA audit,
which is delivered to OPM and then posted on our website.
OMB receives the results of all FISMA audits,
and produces an annual report to Congress.
There are no directives or laws that provide for penalties
for agencies that fail to meet FISMA requirements.

...



OPM’s official statement on this issue claims that
the agency is acting proactively by shutting down the e-QIP system.
However, the current security review ordered for this system
is a direct reaction to the recent security breaches.
In fact,
the e-QIP system contains vulnerabilities
that OPM knew about, but had failed to correct for years.
As part of the system’s Authorization process in September 2012,
an independent assessor identified 18 security vulnerabilities
that could have potentially led to a data breach.
These vulnerabilities were scheduled to be remediated by September 2013,
but still remain open and unaddressed today.


Unfortunately, the overdue remediation of known vulnerabilities for e-QIP
is only a single example of a more widespread problem at OPM.
Both our FY 2012 and FY 2013 FISMA reports indicated that
out of OPM’s 47 major information systems,
22 had known vulnerabilities with remediation activity greater than 120 days overdue.
In FY 2014, the number grew to 38.

...
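A small checker for the two FISMA-style metrics the testimony reports (systems with remediation more than 120 days overdue, and systems operating without a valid Authorization), added here as an example and not part of the OIG testimony or any OPM tool; the system names, findings, dates and the "full / extended / interim" memorandum kinds are constructed assumptions.

```python
# Added example, not from the OIG testimony: compute two FISMA-style metrics
# the testimony reports (open findings > 120 days overdue per system, and
# systems without a valid, non-extended ATO). All names and dates below are
# constructed sample data, not OPM's actual inventory.
from dataclasses import dataclass
from datetime import date, timedelta

OVERDUE_THRESHOLD_DAYS = 120   # "greater than 120 days overdue" (OIG FISMA reports)
ATO_VALIDITY_DAYS = 3 * 365    # OMB: re-authorize every three years


@dataclass(frozen=True)
class Finding:
    """One weakness tracked against a system (a POA&M item)."""
    system: str
    finding_id: str
    scheduled_fix: date
    closed: bool


@dataclass(frozen=True)
class Authorization:
    """An ATO memorandum; kind is 'full', 'extended' or 'interim' (assumed labels)."""
    system: str
    signed: date
    kind: str


def systems_overdue(findings, as_of, threshold_days=OVERDUE_THRESHOLD_DAYS):
    """Sorted, deduplicated systems with at least one open finding whose
    scheduled remediation date is more than threshold_days before as_of."""
    cutoff = as_of - timedelta(days=threshold_days)
    return sorted({f.system for f in findings
                   if not f.closed and f.scheduled_fix < cutoff})


def systems_without_valid_ato(systems, authorizations, as_of,
                              validity_days=ATO_VALIDITY_DAYS):
    """Sorted systems lacking a full ATO signed within validity_days of as_of.
    'extended' and 'interim' memoranda are ignored, following the OMB guidance
    the testimony quotes (an extended or interim Authorization is not valid)."""
    latest_full = {}
    for a in authorizations:
        if a.kind != "full":
            continue
        if a.system not in latest_full or a.signed > latest_full[a.system]:
            latest_full[a.system] = a.signed
    valid_from = as_of - timedelta(days=validity_days)
    return sorted(s for s in systems
                  if s not in latest_full or latest_full[s] < valid_from)


def fisma_summary(systems, findings, authorizations, as_of):
    """Roll both metrics up the way the OIG reports them: counts out of the
    total number of major systems, plus the offending system names."""
    overdue = systems_overdue(findings, as_of)
    no_ato = systems_without_valid_ato(systems, authorizations, as_of)
    return {
        "total_systems": len(systems),
        "overdue_count": len(overdue),
        "overdue_systems": overdue,
        "no_valid_ato_count": len(no_ato),
        "no_valid_ato_systems": no_ato,
    }


# Constructed sample inventory (hypothetical names, not OPM's actual systems)
AS_OF = date(2015, 7, 8)
SYSTEMS = ["EQIP", "RETIRE", "PAYROLL", "BENEFITS"]
FINDINGS = [
    Finding("EQIP", "F-001", date(2013, 9, 30), closed=False),     # ~21 months overdue
    Finding("EQIP", "F-002", date(2013, 9, 30), closed=True),      # closed: ignored
    Finding("RETIRE", "F-003", date(2015, 5, 1), closed=False),    # 68 days: under threshold
    Finding("PAYROLL", "F-004", date(2015, 1, 15), closed=False),  # 174 days overdue
    Finding("BENEFITS", "F-005", date(2015, 9, 1), closed=False),  # not yet due
]
AUTHORIZATIONS = [
    Authorization("EQIP", date(2012, 9, 15), "full"),       # still inside three years
    Authorization("RETIRE", date(2011, 3, 1), "full"),      # expired
    Authorization("RETIRE", date(2015, 4, 1), "extended"),  # does not restore validity
    Authorization("PAYROLL", date(2014, 10, 1), "full"),    # current
    # BENEFITS has never been authorized
]

if __name__ == "__main__":
    for key, value in fisma_summary(SYSTEMS, FINDINGS, AUTHORIZATIONS, AS_OF).items():
        print(f"{key}: {value}")
```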





2015-07-08-The-Hill-gov-watchdog-opm-ignored-warnings-about-background-check-system
Watchdog: OPM ignored warnings about online background check system
The Hill, 2015-07-08

The Office of Personnel Management (OPM) had known since 2012
about security flaws in its online submission system,
roughly three years before the agency finally shut down the system to repair it.

“OPM has known about vulnerabilities in the system for years,
but has not corrected them,” Michael Esser,
the assistant inspector general for audits at the OPM,
told a House subcommittee on Wednesday.

In late June, the OPM said it was suspending the Web-based platform,
known as e-QIP,
after a security review conducted in the wake of massive hacks at the agency
uncovered significant defects.

The OPM data breach has likely exposed
upwards of 18 million people’s sensitive information
and is raising pointed questions about
why the agency hasn't moved more expediently over the years
to correct glaring problems with its networks.

The agency’s inspector general has said
OPM officials repeatedly failed to heed its warnings,
even refusing to shut down several of its weakest computer systems as recommended.

On Wednesday, Esser accused the agency of also
not responding to alerts about the e-QIP system,
which is used to file the background checks for security clearances.

The agency’s oversight arm detailed 18 security vulnerabilities starting in 2012, he said.

“I do not know if those vulnerabilities were related to
the reason the system was shut down last week,”
Esser added.

OPM Director Katherine Archuleta has maintained
she always takes into account the watchdog’s recommendations.
The agency kept the deficient computer systems running, she said,
in order to avoid gaps in delivering employees' paychecks and benefits.





2015-07-09-NYT-office-of-personnel-management-hackers-got-data-of-millions
Office of Personnel Management Says Hackers Got Data of Millions of Individuals
By JULIE HIRSCHFELD DAVIS
New York Times, web 2015-07-09


2015-07-09-WP-hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say
Hack of security clearance compromised data of 21.5 million people, federal authorities say
By Ellen Nakashima
Washington Post, web 2015-07-09

...

The 21.5 million figure includes
19.7 million individuals who applied for a background investigation, and
1.8 million non-applicants, predominantly spouses or people who live with the applicants.
Some records also include findings from interviews conducted by background investigators, and
about 1.1 million include fingerprints, officials said.

Individuals who underwent a background investigation through OPM in 2000 or afterwards
are “highly likely” affected, officials said.
Background checks before 2000 are less likely to have been affected, they said.

The lapse enabled hackers to gain access not only to personnel files
but also personal details about millions of individuals with government security clearances –
information a foreign intelligence service could potentially use to recruit spies.

...

Because the exposed records included information on
individuals who served as references on security clearance applications,
U.S. officials said that stolen data includes details on certain employees’ relatives and friends.

...

The intrusion of OPM’s system containing security clearance data took place in June or early July of 2014, officials said. In December, a separate OPM database containing personnel records was also hacked, affecting 4.2 million current and former employees.

In both cases, officials said, the hackers worked for the Chinese government, although the Obama administration has not formally accused Beijing. “It is an enormous breach, and a huge amount of data that is personal and sensitive… was available to adversaries,” FBI Director James Comey said at a Senate Intelligence Committee hearing Wednesday.

“We’re talking about millions and millions of people affected by this,” he said. “I’m sure the adversary has my SF86 now,” referring to the Standard Form 86, which all applicants for security clearances must fill out.

He noted it lists “every place I’ve lived since I was 18, every foreign trip I’ve taken, all of my family and their addresses…I’ve got siblings. I’ve got five kids. All of that is in there.”

Said Comey: “It is a huge deal.”

At a roundtable with reporters on Thursday, Comey called the heist a “treasure trove of information.”

Just imagine, he said, “if you were a foreign intelligence service and you had that data – how it would be useful.’’

...

OPM officials have defended the agency, saying that it was only because of a strategic plan put in place by Archuleta shortly after she became director in November 2014 that the breaches were discovered.

“There are certainly some people I would like to see given the boot for not paying attention to cybersecurity, but Katherine Archuleta is not one of them,” said one administration official, requesting anonymity to discuss personnel issues. “Maybe they didn’t move as fast as they should have but they were at least moving in the right direction and were prioritizing it in an agency that didn’t think of itself as having a security mission.”

[How ignorant (of the issues) can you get!
Spin this, Democrats.

Is the primary mission of OPM some form of security,
as it is with DOD, DHS, the FBI, CIA, NSA, and so on?
No.
But even so,
any agency has the duty to maintain the security of its own workspace and data.
That is what OPM did not do.
So even though security was not OPM's primary mission,
that did not obviate it from carrying out any security duties,
such as maintaining the security of its files.]


...

The White House has been discussing possible response options, to include covert actions that would not be publicly announced. Among the options on the table, officials said, is economic sanctions. President Obama recently signed an executive order creating a sanctions tool to punish cyber attacks and cyber economic espionage.

However, some U.S. officials caution against taking actions against foreign states when the cyber theft is conducted for traditional spying motives. The United States has not officially named China or the motive, but privately officials say it appears China was conducting a form of traditional espionage. The data taken does not appear to fall into the category of intellectual property or commercial secrets that can be used to benefit another country’s industry.

“I think we have to be careful about the importance of continuing to draw a line between theft for economic advantage and traditional foreign intelligence activities, which may look untraditional now that they’re in the cyber realm,” said Rep. Adam Schiff (D-Calif.), a member of the House Intelligence Committee. “We want to draw a bright line” that hacking for economic benefit “is a violation of international norms.”

If the United States blurs the line between economic spying and foreign intelligence spying, “we risk undermining the fight against economic theft.”



2015-07-10-WP-opm-director-resigns-under-pressure-after-scope-of-data-hack-was-revealed
OPM director resigns under pressure after scope of data hack was revealed
By Lisa Rein and Joe Davidson
Washington Post, 2015-07-10

...

[Most of this story is reporting various aspects
of the resignation on Friday, 2015-07-10 of OPM Director Katherine Archuleta,
but the story also includes some comments from the White House:]


Archuleta resigned “of her own volition,”
White House press secretary Josh Earnest told reporters Friday.
“The president thinks it’s quite clear that new leadership
with a set of skills and experiences that are unique to the urgent challenges that OPM faces
are badly needed.”

[Actually, what is needed is leadership from the White House
that puts a high priority on cybersecurity,
and is willing to pay the price, in resources and inconveniences,
to achieve it.
The president needs to explicitly support and stand behind agency directors
when they inconvenience the public, and their workforce,
for reasons of security.]


...

Earnest declined repeatedly to say that
Archuleta’s resignation reflected a failure by the administration
to manage the massive intrusions,
[Is it too much to expect the Obama administration
to have not merely managed "the massive intrusions",
but actually prevented them?]

which are believed to have been carried out by the Chinese government.

[Then there is this doozy of spin from the White House (emphasis added):]

“There are significant [cybersecurity] challenges that are faced
not just by the federal government,
but by private-sector entities as well,”
Earnest said.
“This is a priority of the president.”

[As to the first part of that statement, well, yes.
It is also true that bank robbery is a common crime in the private sector.
But theft from the nation's holdings of gold bullion has not occurred;
it is understood that that deserves, and has gotten,
special and effective protection from being compromised.
Is it too much to expect that, similarly,
the files containing the data from
all the nation's background investigation questionnaires
would have received better protection than
that at your local hardware store?
Evidently it was.
But that's your Democratic Party values, priorities, and skills for you.
There you have it,
what happens when you elect officials based on their political correctness.
Somehow I doubt very much that a Romney administration
would have been equally lackadaisical, in fact, negligent, about security.

As to the second part of the statement,
that cybersecurity "is a priority of the president",
what planet does the White House exist on?
The OPM OIG audit reports required by the FISMA,
as described in testimony from
Michael R. Esser, Assistant Inspector General for Audits,
Office of Inspector General, U.S. Office of Personnel Management
on 2015-06-16 and 2015-07-08,
stated clearly, explicitly, and unambiguously that
the OPM data files were not being secured properly,
year after year during the Obama administration.
Does the White House not have anyone reading those audit reports????????????????????????
Come on, you cock-suckers in the White House,
what the fuck did you do with those audit reports???????????????????????????
Other than ignore them.

Don't tell me that "cybersecurity was a priority of the president",
when it so clearly wasn't.
But what do you expect from the spin masters of political correctness.
Anything but accepting responsibility.]


...


2015-07-15-WP-the-opm-breach-exposed-more-than-a-million-fingerprints-heres-why-that-terrible-news
The OPM breach exposed more than a million fingerprints.
Here’s why that['s] terrible news.

by Andrea Peterson
Washington Post, 2015-07-15



2015-07-17-CRS-Cyber-Intrusion-into-US-Office-of-Personnel-Management
Cyber Intrusion into U.S. Office of Personnel Management: In Brief
Congressional Research Service, 2015-07-17

...

Notably, as is common with data breaches,
available information on the recent OPM breach developments remains incomplete.
Assumptions about the nature, origins, extent, and implications of the data breach may change,
and some media reporting may conflict with official statements.
Policymakers have received official briefings on the breach developments,
and Congress has held a number of hearings on the issue.

This report provides an overview of
the current understanding of the recent OPM breaches,
as well as issues and questions raised about the source of the breaches,
possible uses of the information exfiltrated,
potential national security ramifications, and
implications for the cybersecurity of federal information systems.

...



2015-07-19-WP-lack-of-digital-talent-adds-to-cybersecurity-problems
Lack of digital talent adds to cybersecurity problems
by Joe Davidson
Washington Post, 2015-07-19



U.S. decides against publicly blaming China for data hack
By Ellen Nakashima



2015-07-25-NYT-us-fears-data-stolen-by-chinese-hacker-could-identify-spies
U.S. Fears Data Stolen by Chinese Hacker Could Identify Spies
By MARK MAZZETTI and DAVID E. SANGER JULY 24, 2015
New York Times, 2015-07-25

WASHINGTON — American officials are concerned that the Chinese government could use the stolen records of millions of federal workers and contractors to piece together the identities of intelligence officers secretly posted in China over the years.

The potential exposure of the intelligence officers could prevent a large cadre of American spies from ever being posted abroad again, current and former intelligence officials said. It would be a significant setback for intelligence agencies already concerned that a recent data breach at the Office of Personnel Management is a major windfall for Chinese espionage efforts.

...

“The information that was exfiltrated was valuable in its own right,” said Representative Adam B. Schiff of California, the top Democrat on the House Intelligence Committee. “It’s even more compromising when it is used in combination with other information they may hold. It may take years before we’re aware of the full extent of the damage.”

...

The director of the National Security Agency, Adm. Michael S. Rogers, alluded to that problem Thursday night during an interview at the Aspen Security Forum in Colorado.

“From an intelligence perspective, it gives you great insight potentially used for counterintelligence purposes,” Admiral Rogers said. “If I’m interested in trying to identify U.S. persons who may be in my country — and I am trying to figure out why they are there: Are they just tourists? Are they there for some other alternative purpose? — there are interesting insights from the data you take from O.P.M.”

Admiral Rogers suggested another possible motive of the hackers: The data could be used for developing sophisticated “spear phishing” attacks on government officials. In those attacks, victims click on what seem to be innocent emails from known sources, allowing viruses into their computer networks.

Admiral Rogers said it was “not perhaps unrelated that in the past nine months I am watching huge spear phishing campaigns targeted at the United States,” though he would not name the countries that are the sources of the attacks.

Officials said it was not yet clear how Chinese officials were using — or might use — the stolen files, which include personal information gathered during background checks of government workers, many who now hold Top Secret clearances.

“As a practical matter, you have to assume that all of the information has been exposed and can be exploited,” said Mr. Schiff, who added that it was prudent to plan for “worst-case scenarios.”

...

Joel Brenner, the former head of counterintelligence for the director of national intelligence, said the Chinese could search the database with the names of suspected spies they had gathered over the years. “You run 200 of those people through, and you have a pretty good idea of what they are and are not keeping in the system,” he said.

...

One former senior C.I.A. officer and one congressional official, both speaking on the condition of anonymity because they have received classified briefings about the data breach, said the hackers also managed to get personal information of retired C.I.A. officers that was in the databases.

Current and former American officials said that the hacking of the security clearance information will be a problem for years. The highly personal and potentially embarrassing information in the background questionnaires includes details about finances, drug and alcohol use, contacts with foreigners and mental health issues.

Mr. Clapper said Friday in Aspen that O.P.M.’s contractors had fallen so far behind in conducting security clearances — partly because of the hacking — that the intelligence agency’s periodic review of employees was far behind.

...



2015-08-06-House-Oversight-Committee-JEC-to-Cobert-OPM-re-Seymour
Letter from Jason Chaffetz to Beth Cobert
from Jason Chaffetz, 2015-08-06

[Emphasis added by the author of the current blog.]

Dear Ms. Cobert:

I write to augment concerns that Ms. Donna Seymour, Chief Information Officer (CIO) of the Office of Personnel Management (OPM),
is unfit to perform the significant duties for which she is responsible.
...

[Note especially the letter, which appears as an enclosure in the PDF file,
from OPM OIG Patrick E. McFarland to OPM Acting Director Beth F. Cobert dated July 22, 2015.
Note especially Attachment A to that letter, titled
"OCIO’s Interference with and Hindrance of OIG Activities".]


2015-08-07-WP-opm-officials-hindering-scrutiny-of-hacked-computer-systems-auditor-says
OPM officials hindering scrutiny of hacked computer systems, watchdog says
By Eric Yoder
Washington Post Federal Eye, Page A2 2015-08-07

The Office of Personnel Management’s inspector general has accused the agency’s information technology office of trying to thwart scrutiny of how well OPM protected the security clearance and federal employee personnel files that were hacked and how well it responded to those breaches.

Inspector general Patrick E. McFarland said that OPM’s Office of the Chief Information Officer, or OCIO, has “hindered and interfered with” his office’s oversight and “has created an environment of mistrust by providing my office with incorrect and/or misleading information.”

In a memo to acting OPM director Beth Cobert, McFarland said that while his independent office traditionally has had a positive relationship with the OCIO, recent events make him “question whether the OCIO is acting in good faith.”

In particular, the memo said that the IG delayed a planned audit of a contractor when officials pointed out that another audit recently had been done, even though they knew by then that the contractor already had been breached — a breach that has been described as providing the key to unlocking the OPM personnel files. The CIO’s office also “failed to timely notify” the IG of the hack of the personnel records, which “impeded our ability to coordinate with other law enforcement organizations and conduct audit oversight activity,” it said.

Management also tried to keep IG investigators out of meetings with the FBI and others on the security-clearance files breach, and did not fully inform the IG of a major IT project for nearly a year after planning and implementation began, it said.

While some of those events happened many months ago, McFarland also pointed to what he called “inaccurate or misleading” information originating with the chief information office that OPM officials provided in recent testimony before Congress.

“I am sharing this with you not to accuse any OPM employees of intentional misconduct, but rather to clear the air and rebuild a productive relationship between the OIG and the OCIO,” McFarland wrote to Cobert on July 22; he forwarded it to the House Oversight and Government Reform Committee on Monday.

However, the memo has spurred the head of that committee, Rep. Jason Chaffetz (R-Utah), to renew his call for the administration to remove Chief Information Officer Donna Seymour. That committee held several contentious hearings on the data breaches at which some members said they wanted Seymour and then-OPM director Katherine Archuleta, who hired her, to resign or be fired. Later, 17 committee members wrote to the White House requesting that both be fired.

Archuleta resigned under pressure after she and other officials disclosed the wide scope of the breach of security clearance files. That breach involves highly personal information on more than 21 million federal employees, military personnel and contractor employees who applied for a clearance or had one renewed since 2000 and in some cases before. The personnel files breach involves some 4.2 million current and former federal workers and includes personal identifying information.

In a letter sent Thursday to Cobert, who took over as acting director after Archuleta resigned, Chaffetz said that “it has been two weeks since the IG informed you of these serious transgressions and Ms. Seymour is still in a position of trust at the agency. Ms. Seymour has already failed the American people with her inability to secure OPM’s networks, and to learn that her office may be actively interfering with the work of the Inspector General only adds insult to injury.”

While the memo, released by both McFarland and Chaffetz, said that Archuleta and Seymour provided inaccurate or misleading information to Congress, details were redacted from the memo as it was made public.

In a response letter to McFarland, Cobert wrote that she and the agency’s leadership are committed to a productive relationship with the IG. She acknowledged his “frustration about what you perceive to be ineffective communication between your office and the OCIO” and suggested meetings monthly or more often between the IG and OCIO offices in addition to those already occurring, among other steps.

However, substantial portions of her letter, released by the OPM, also were redacted. The portions made public did not address McFarland’s specific complaints in detail beyond a promise to provide the IG with updated information on the IT upgrade.

OPM spokesman Sam Schumach said in a statement that “since Ms. Seymour’s arrival at OPM in late 2013, OPM has undertaken an aggressive effort to upgrade the agency’s cybersecurity posture, adding numerous tools and capabilities to its various legacy networks. These efforts were critical in helping OPM to identify the recent cybersecurity incidents,” the statement said, citing her 37 years of federal service and recognition awards.

The IG’s office earlier clashed with Archuleta and Seymour by issuing, on the day of one of the hearings, a memo stating that the IT upgrade that those officials credited with detecting the breach was itself at high risk of failure and cost overruns.

The IG’s office had pointed out weaknesses in OPM’s cybersecurity over a number of years, including recommendations that it shut down several of the systems that ended up being hacked. OPM officials didn’t follow those recommendations, stating since then that the issues were not serious enough to warrant shutting down so many systems so vital to the government’s personnel operations.

U.S. Chief Information Officer Tony Scott “stands by his comments” at a June Senate hearing, an Office of Management and Budget official said. At that hearing, Scott expressed confidence in both Seymour and Archuleta, who at the time was still in office. Scott said that the OPM’s responses to the breaches “serve as a template and a model for work that other agencies need to do as well” on cyber security.

At that same hearing, McFarland was asked whether he had confidence that the OPM management team was capable of fixing the agency’s cyber security problems and responded, “based on what we’ve found, no.”

[You want a scandal?
Why on earth did the WP give the pissant issue of
some Secret Service personnel using prostitutes
front-page treatment, day after day,
while it buries this REAL scandal inside (page A2),
in the "Federal Eye" section?
Now that's a scandal.]



2015-08-10-IWF-The-Big-Stall:-New-OPM-Leadership-Not-Eager-to-Get-to-Bottom-of-Data-Breach-Scandal
The Big Stall: New OPM Leadership Not Eager to Get to Bottom of Data Breach Scandal
Patrice J. Lee
Independent Women's Foundation, 2015-08-10

2015-08-19-WP-manipulation-of-personal-data-is-a-bigger-danger-than-info-theft-in-opm-cyber-heist
Manipulation of feds’ personal data is a major danger in OPM cyber heist
By Joe Davidson
Washington Post Federal Eye blog, 2015-08-19





2015-08-21-FCW-opm-breach-timeline
Exclusive: The OPM breach details you haven't seen
An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.
By Sean Lyngaas
FCW, 2015-08-21

An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers' calibrated extraction of data and the government's step-by-step response. It illuminates a sequence of events that lawmakers have struggled to pin down in public hearings with Obama administration officials.

The timeline makes clear that the heist of data on 22 million current and former federal employees was one sustained assault rather than two separate intrusions to steal background investigation data and personnel records.

The document, which bears the seals of OPM and the Department of Homeland Security, is dated July 14 and was prepared by federal investigators for the office of U.S. CIO Tony Scott, according to a source familiar with the investigation. The detailed timeline corroborates administration officials' public testimony but is unique in its comprehensiveness and specificity.

According to investigators, hackers likely gained access to OPM's local-area network on May 7, 2014, by stealing credentials and then planting malware and creating a backdoor for exfiltration. Actual exfiltration of data on background investigations did not begin until July 3, 2014, and it continued until August.

[Yeah, we keep hearing that "credentials were stolen."
How about some details about this?
Just what does that mean?
Were the people who stole those credentials physically in the U.S. at the time of the theft?
Is this a physical theft?
Or is this something that happens on-line?]


In October, the hackers pivoted to the Interior Department data center where OPM's personnel records resided. On Dec. 15, 2014, the intruders siphoned that data away. OPM has said the personnel records of 4.2 million people were compromised in that breach.

According to the timeline, OPM officials did not know they had a problem until April 15, 2015, when the agency discovered "anomalous SSL traffic with [a] decryption tool" implemented in December 2014. OPM then notified DHS' U.S. Computer Emergency Readiness Team, and a forensic investigation began.

The discovery of a threat to the background investigation data led to the finding two days later, on April 17, of a risk to the personnel records. US-CERT made the discovery by loading data on the April 15 incident to Einstein, the department's intrusion-detection system. On April 23, US-CERT spotted signs of the Dec. 15 exfiltration in "historical netflow data," and OPM decided that a major incident had occurred that required notifying Congress.

The timeline does not name the adversary responsible for the breach, but all official signs thus far have pointed to China as a leading suspect. The document is dated weeks after it was public knowledge that hackers had accessed OPM's networks via credentials stolen from contractor KeyPoint Government Solutions. The document does not identify how that happened, however, and instead states: "method of credential acquisition unknown."

When the intrusions were discovered, OPM responded on April 17 by deploying "a predictive malware prevention capability across its networks" to sever the adversary's network access, according to the timeline. By April 24, the hackers had been evicted from OPM systems, and the next day, the document states, the agency used an "advanced host-based security tool to discover, quarantine and eliminate [the] malware." OPM verified the malware was gone on April 30, according to the timeline.

A former DHS official who viewed the document said the seven days the timeline stipulates between the deployment of the anti-malware tool and the supposed eviction of the hackers seemed rather quick.

"It's easier to be definitive about the malware being eradicated than to say the hackers are completely out of the system altogether," the former official said. He added, however, that the document "is consistent with everything that we know to date about the sequence of events that occurred in association with the OPM breach."

A DHS spokesperson also told FCW that the timeline's narrative sounded consistent with previously released details about the breach but declined to comment on the document's provenance or intended audience. Scott did not respond to emails requesting comment on the timeline, and OMB spokespeople could not be reached by phone.

Questions linger

The duration of the infiltration points to an inherent problem with deploying defenses such as Einstein that rely on malware signatures.

"Going after malware is futile when you get 80,000 new variants a day," Mark Seward, a vice president at cyber analytics firm Exabeam, told FCW. Nation-state-backed hackers are capable of cloaking and varying attacks to render them undetectable by tools that rely on recognizing known threats, he added. According to the DHS timeline, adversaries were inside the OPM network for 10 months before their malware signatures were plugged into Einstein.

With the support of DHS Secretary Jeh Johnson, lawmakers have advocated increased deployment of Einstein as a way to shore up agencies' security after the OPM breach. A bill sponsored by Sen. Tom Carper (D-Del.) that would accelerate deployment of the system across government passed the Senate Homeland Security and Governmental Affairs Committee last month. The House passed a related provision in April.

The detailed timeline sheds light on a chain of events that is still murky to some lawmakers. Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, sent a letter this week to US-CERT Director Ann Barron-DiCamillo asking when OPM first contacted her office to report the breach. Chaffetz also requested additional reporting and analysis on the nature of the attack.



2015-08-23-Epoch-seriousness-of-the-opm-data-breach-disputed
Seriousness of the OPM Data Breach Disputed
Intelligence experts agree that redlines need to be drawn but disagree on where to draw them
By Gary Feuerberg
Epoch Times, 2015-08-23

Participants:
Catherine Lotrionte, director of the Institute for Law, Science, and Global Security at Georgetown University,
Jason Healey, senior fellow, at the Atlantic Council’s Cyber Statecraft Initiative,
Robert Knake, senior fellow at the Council on Foreign Relations.

...

On Aug. 19, the Atlantic Council held a discussion on how best to respond to cyberattacks, especially to the data breach of OPM, but also other hacking into government databases. The latter includes the discovery on July 25 that the unclassified email network of the Joint Chiefs of Staff had been broken into and 4,000 military and civilian personnel affected. Russia is believed to be the culprit here, but again the U.S. government has refrained from accusing anyone. Without doubt, more cyberattacks are going to happen.

Should the U.S. government retaliate in some manner? In view of the Snowden revelations of the U.S.’s own surveillance activities, is the U.S. in any position to invoke rules restricting other nations?

...






2015-09-16-FCW-opm-military-lessons
What the military learned from OPM
By Zach Noble
FCW, 2015-09-16

In the wake of the mammoth Office of Personnel Management breach, the Defense Department joined the rest of the federal government in some serious cybersecurity introspection and improvement.

In a Sept. 16 discussion hosted by the American Security Project, two leaders within the military shared some of the lessons they’d taken from the OPM debacle.

They should have checked things out

The feds had advance warning of the OPM breach: Over the course of 2014, contractors that worked closely with OPM revealed that they had suffered breaches.

OPM officials would later testify that compromised contractor credentials allowed hackers to breach OPM’s networks.

Lt. Col. Scott Applegate, chief of defensive cyberspace operations at Army Cyber Command, said OPM should have gotten close scrutiny immediately after those revelations. As it was, hackers got a few extra months to exfiltrate data as OPM assured everyone things were OK.

“What probably should have happened is, and 20-20 hindsight is always a good thing, we’ve been standing up our cyber national mission forces across the DoD,” Applegate said. “That’s the type of event where you mobilize one of those cyber protection teams to go out and actually go look at that network and do a clear and secure operation, and survey the network and see what’s actually on there, because it has an indication [of compromise] and because it is a high-priority [repository].”

[So who is responsible for OPM cybersecurity?
OPM? DoD? DHS? OMB to monitor IG audits and get OPM's boss (the president, I presume) to lean on them to solidify their cybersecurity posture?]


...


Officials had made the mistake of thinking that
OPM’s ancient systems would avoid the notice of adversaries,
[Rear Adm. Danelle Barrett, deputy director of current operations at U.S. Cyber Command]
and Applegate noted.
[If so, they should be fired.
What counts in vulnerability is a combination of the attractiveness of the target to foreign agents
and the security, or lack thereof, with which it is defended.
It should have been very well known that U.S. personnel files would be a prime target of foreign governments.
The "ancientness" of the U.S. computer systems did nothing to detract from the attractiveness of the files they held as targets.
Only an incompetent would think that it did.]

Instead of complacency, agencies will need to exercise caution and ramp up governance,
especially over privileged access to systems, as any system or piece of hardware (even commercial routers) could be a viable target.

Threats are only increasing

While several representatives of the private sector argued that progressively more complex defensive tools would price individual hackers out of the game, leaving hacking as a nation-on-nation engagement, Applegate disagreed.

“I think the day-to-day clutter of attacks is just going to increase, because our surface area is increasing,” Applegate said.

With the Internet of Things exploding, we’re connecting everything from cars to refrigerators to clothes to the Internet, he noted.

“Complexity breeds vulnerability,” he said, noting we’re creating “millions of lines of code and thousands of lines of code interacting in ways the creator never had in mind.”

“The cost of entry to disrupt … is so low and so ubiquitous,” Barrett added. “It costs [adversaries] nothing.”

She contrasted the billion-dollar price tags of U.S. military equipment with the cost of training a hacker to break those systems. “$100?” she postulated. “$200?”

Change will come slowly

The summertime cyber sprint strengthened the federal government’s cybersecurity position a great deal, Applegate said, but the feds still aren’t at 100 percent strong authentication for privileged users.

It’s all part of the bigger problem: In a fast-paced threat landscape, the federal government moves slowly.

“It’s just a huge bureaucratic beast and it takes time to do anything,” said Applegate. “The speed at which we can implement things is very slow and limiting.”


2015-09-18-GCN-opm-hack-military-ripple-effect-questions-unanswered
After the OPM breach: ripple effects and lingering questions
By Derek Major
GCN, 2015-09-18

This security breach of Office of Personnel Management systems that compromised the personal information of more than 22 million people continues to reverberate throughout government. Yet while a cyber sprint has been run and some details of the attack revealed, the incident has prompted far more questions than answers -- not just at OPM, but across other agencies and military branches.

On Sept. 16, the American Security Project held a panel in Washington, D.C., on what lessons the government -- and the military in particular -- have taken from the OPM breach.

Aamir Lakhani, who works for the private cybersecurity company Fortinet, commented on one of the few details about the breach that has been made public -- that the source of the breach was the stolen credentials of a vendor. Lakhani believes that even today, companies are not adequately securing their networks.

“One of the things that we’ve seen is that once you have credentials to one system, it's really easy to get credentials to other systems and just move laterally,” Lakhani said. “People are just not taking internal security seriously because it’s a very difficult task to handle these days.”

...

Lt. Col. Scott Applegate, chief of defensive cyberspace operations at Army Cyber Command, said he doubted it was a zero-day hack that affected OPM, but that the hackers more likely used OPM’s network to their advantage.

“It’s important to point out that in terms of how the adversary moves through our network, it’s generally not zero-day,” Applegate said. “The stealthiest way to move through a network is to use the tools that are already there, because for the most part your network sensors and security systems aren’t looking for legitimate tools -- they’re looking for malware and things like that.”

“Basic network hygiene can prevent a lot of these breaches that we’re seeing,” Applegate added. "Standard patching, and not allowing system to system communication, things like that."

Applegate also stressed the need for security inside a network as well as outside, in order to minimize threats. "Perimeter security is a good thing, but it's only the first line of defense," he said. "You’ve got to have internal security mechanisms as well. ... If you don't have sensors inside telling you that at 3 a.m. someone is uploading or downloading gigabytes of data, you probably missed the boat."

...
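Applegate's remark about sensors noticing someone moving gigabytes at 3 a.m., and the FCW timeline's account above of US-CERT finding the Dec. 15 exfiltration in "historical netflow data", describe the same check. The following is an added example, not code from either article: it aggregates constructed flow records per internal host and hour and flags off-hours outbound volume above a threshold. The internal address ranges, the off-hours window and the 1 GiB threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real OPM data):
# start time, src, dst, dst port, bytes.
SAMPLE_FLOWS = """\
2014-12-15T02:55:10,10.20.5.17,203.0.113.44,443,734003200
2014-12-15T03:04:42,10.20.5.17,203.0.113.44,443,812345678
2014-12-15T03:40:05,10.20.5.17,203.0.113.44,443,690000000
2014-12-15T03:12:00,10.20.5.23,10.20.9.5,445,120000
2014-12-15T10:15:30,10.20.5.17,198.51.100.7,443,52000000
2014-12-15T11:02:11,10.20.5.40,203.0.113.9,80,3100000
"""

# Assumed internal ranges; a real deployment would use the site's own allocations.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
OFF_HOURS = range(0, 6)   # assumed: 00:00-05:59 local time, no bulk transfers expected
GB = 1024 ** 3


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def parse_flows(text: str):
    """Yield (start, src, dst, dport, nbytes) from CSV flow lines, skipping blanks."""
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, dport, nbytes = line.split(",")
        yield datetime.fromisoformat(start), src, dst, int(dport), int(nbytes)


def find_offhours_exfil(text: str, threshold_bytes: int = GB):
    """Sum outbound bytes per (internal source host, hour) over stored flow
    records and return the hours that exceed the threshold during off-hours.
    Buckets are keyed by source only, so a transfer split across several
    external destinations is still counted as one volume."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for start, src, dst, dport, nbytes in parse_flows(text):
        if not is_internal(src) or is_internal(dst):
            continue   # only internal -> external traffic counts as outbound
        hour = start.replace(minute=0, second=0, microsecond=0)
        totals[(src, hour)] += nbytes
        dests[(src, hour)].add(dst)
    alerts = []
    for (src, hour), total in sorted(totals.items()):
        if hour.hour in OFF_HOURS and total >= threshold_bytes:
            alerts.append({
                "src": src,
                "hour": hour.isoformat(),
                "gib": round(total / GB, 2),
                "dsts": sorted(dests[(src, hour)]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_offhours_exfil(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed records, the 02:00 hour stays under the threshold while the 03:00 hour from 10.20.5.17 exceeds 1 GiB and is reported; the internal-to-internal flow on port 445 is ignored by this check.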

2015-09-23-WP-opm-now-says-more-than-five-million-fingerprints-compromised-in-breaches
OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought
By Andrea Peterson
Washington Post, 2015-09-23

One of the scariest parts of the massive cybersecurity breaches at the Office of Personnel Management just got worse: The agency now says 5.6 million people's fingerprints were stolen as part of the hacks.

That's more than five times the 1.1 million government officials estimated when the cyberattacks were initially disclosed over the summer. The total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of more than 21 million former and current government employees, remains the same.

OPM and the Department of Defense were reviewing the theft of background investigation records when they identified additional fingerprint data that had been exposed, OPM said in a statement.

Breaches involving biometric data like fingerprints are particularly concerning to privacy experts because of their permanence: Unlike passwords and even Social Security numbers, fingerprints cannot be changed. So those affected by this breach may find themselves grappling with the fallout for years.

“The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology. “I’m surprised they didn't have structures in place to determine the number of fingerprints compromised earlier during the investigation.”

Lawmakers, too, were upset about the latest revelation. "OPM keeps getting it wrong," said Rep. Jason Chaffetz (R-Utah). " I have zero confidence in OPM’s competence and ability to manage this crisis."

As fingerprints increasingly replace passwords as a day-to-day security measure for unlocking your iPhone or even your home, security experts have grown concerned about how hackers might leverage them.

But federal experts believe the potential for "misuse" of the stolen fingerprints is currently limited, according to OPM, but that "could change over time as technology evolves." It also said an interagency working group including experts from law enforcement and the intelligence community will review ways that the fingerprint data could be abused and try to develop ways to prevent that from happening.

...

2015-09-24-NYT-hackers-took-fingerprints-of-5-6-million-us-workers-government-says
Hackers Took Fingerprints of 5.6 Million U.S. Workers, Government Says
By DAVID E. SANGER
New York Times, 2015-09-24



2015-10-01-dataguidance-biometric-loss-beyond-previous-risks
USA: OPM biometric data breach 'goes way beyond traditional risks'
by Yancho Yanchev
Data Guidance "Privacy This Week", 2015-10-01

...

"This is the first major breach involving the theft of biometric data and it goes way beyond the 'traditional' risks associated with identity theft," Joan Antokol, Managing Partner at Park Legal LLC, told DataGuidance. "You only have ten fingers and ten toes, and you can't replace your fingerprints as if they were a stolen credit or debit card."

In its notification, announcing the additional fingerprint data theft, the OPM said, 'As of now, the ability to misuse fingerprint data is limited.' However, Antokol noted, "The government is undoubtedly referring to the fact that the use of [biometric data] is in its infancy. [But] consistent with the exploding use of new technologies, mobile devices, and the Internet, many more [biometric data] uses are expected to be put in place in the coming years."

The theft of biometric data could have lasting repercussions not only for the affected individuals, but also for the access authorisations that use this data. Micheal Vatis, Partner at Steptoe & Johnson LLP, explained, "One of the arguments against using fingerprints as a form of identification is that once it is stolen, it is impossible (or at least extremely difficult) for a person to change his/her data, meaning the thief 'owns' that unique form of identification in perpetuity. Criminals and foreign governments will surely develop means of misusing people's biometric data."

The OPM said that it is in the process of notifying affected individuals. "A private sector entity might have had an obligation to notify affected individuals if their fingerprints were stolen from that entity, as an increasing number of states are adding 'unique biometric data' to the definition of 'personal information' whose breach requires notification," Vatis added.

Alex Lakatos, Partner at Mayer Brown LLP, commented, "Stolen biometric data is a significant reputational and legal risk. I think that regulators are likely to react to this breach by proposing new rules and standards to prevent such attacks from succeeding in the future, and to ensure the reliability of biometric based security systems. Obviously, this will increase costs for regulatory compliance for businesses and the government itself."



2015-11-10-OPM-IG-FISMA-2015-Audit-Report
Federal Information Security Modernization Act Audit FY 2015 Final Audit Report
(PDF file) [5.19 MB], U.S. Office of Personnel Management Inspector General, 2015-11-10


2015-11-17-Hill-armed-services-chairman-blasts-agencies-after-pulling-out-of-briefing
GOP chairman blasts agencies for pulling out of briefing on data breaches
by Rebecca Kheel
The Hill, 2015-11-17

The chairman of the House Armed Services Committee slammed three federal agencies for pulling out of a classified briefing Tuesday that was to focus on the massive government data breaches discovered earlier this year.

“It’s pretty remarkable to me that these agencies that are responsible for really the largest national security data breach that we’ve ever had, and probably anybody's ever had, refuse to come up and ask questions because we’re going to pay attention to what they say, we’re going to write it down," Rep. Mac Thornberry (R-Texas) said.

Officials from the Office of Personnel Management (OPM), Department of Homeland Security (DHS) and Office of Management and Budget (OMB) decided not to testify an hour before they were scheduled to after they found out the briefing would be transcribed, Thornberry said.

Officials from the Defense Department and the Director of National Intelligence came as planned, and the committee was able to get much of the information it wanted, he added.

It’s routine to transcribe even classified briefings, Thornberry said, so that members who can’t come can see what was said or members can review the information again later.

If the agencies were worried about the classified information not being protected, Thornberry said, that would be “ironic.”

Earlier this year, it was discovered that two breaches led to 22 million people’s information being exposed. It is believed China orchestrated the digital theft.

In a joint statement, OPM, OMB and DHS said they “have engaged in more than a dozen classified briefings and open hearings to ensure our partners in Congress are supported with the most up-to-date information on this issue. Unfortunately, we were unable to accommodate a last-minute change in the request today. We look forward to working with our partners in Congress for a briefing in the future.”

2015-11-17-armedservices-press-release
Thornberry On OPM/DHS/OMB Failure to Appear Before HASC
Press Release from the House Armed Services Committee, 2015-11-17


2015-11-30-Atlantic-Waddell-opm-just-figured-out-how-much-data-it-owns

OPM Just Now Figured Out How Much Data It Owns

Months after it announced that it was hacked,
the agency has finally put together an inventory of its own servers.

by Kaveh Waddell
The Atlantic, 2015-11-30

...

Why did this agency, which functions as the federal government’s human-resources department, have so much trouble protecting its data? For one, it didn’t know how much it had to begin with.

According to its inspector general, at the time of the breaches, OPM did not have a complete inventory of the servers, databases, and network devices that it owns, maintains, and operates. Not having the inventory “drastically diminishe[d] the effectiveness of its security controls,” wrote Michael Esser, the agency’s assistant inspector general for audits, in an oversight report published this month.

“Failure to maintain an accurate IT inventory undermines all attempts at securing OPM’s information systems,” the report read.

OPM only completed an inventory of its databases within the last few months, said Sam Schumach, a spokesperson for the agency. As far back as 2009, the inspector’s office began warning that the agency was having trouble keeping track of its information systems. The following year, auditors noted that OPM’s “passive approach” to maintaining its inventory was putting its sensitive data at risk.

...

A recent report compiled by the House Oversight Committee graded federal agencies on their implementation of a key federal IT law. The majority of agencies—including OPM—received a D grade. Three agencies received an F: the Department of Education, the Department of Energy, and NASA. No agency received an A.

...




2016

2016-01-06-NextGov-opm-still-hasnt-answered-questions-background-check-hack-republicans-say
OPM Still Hasn’t Answered Questions on Background Check Hack, Republicans Say
By Aliya Sternstein
NextGov, 2016-01-06

...

[The Oversight and Government Reform Committee]
is concerned with unfulfilled information requests
contained in letters sent July 24, 2015 and Aug. 18, 2015,
committee spokesman M.J. Henshaw told Nextgov.

The earlier letter asked for details on reports a contractor, CyTech,
discovered the intrusion during a product demonstration,
another majority committee staffer noted.
The second letter focused on revelations from June 2015 committee hearings
that the attackers stole manuals mapping out OPM’s IT environment.

...

In many cases, it is unclear whether an agency is withholding public information out of embarrassment, restricting information that could cause harm if released, or if there are other circumstances preventing disclosure, the staffer said.

...


2016-01-07-TheHill-chaffetz-chides-opm-for-withholding-hack-details
Chaffetz chides OPM for withholding hack details
By Cory Bennett
The Hill, 2016-01-07

A long-running fight over the initial discovery of the massive data breach at the Office of Personnel Management (OPM) resurfaced Thursday at a House Oversight Committee hearing.

Lawmakers tussled repeatedly with an OPM official about an outside contractor, CyTech, that was brought in to examine the OPM networks shortly before the agency disclosed two breaches that exposed personal information for more than 20 million people involved in federal background checks.

At the center of the argument is CyTech’s digital forensics tool, called CyFir, that was used during the inspection. Before the OPM gave the tool back to the company in August, the agency wiped the information that CyFir had gathered.

Since then, House Oversight Committee Chairman Jason Chaffetz (R-Utah) has been seeking that data.

“We’ve been asking for months,” Chaffetz said on Thursday. “When will we get 100 percent of those requests?”

...

CyTech claimed it discovered the OPM intrusions during an April scan of the agency’s systems. But OPM officials later insisted their own team had already uncovered the breaches before CyTech was brought in.

In September, Chaffetz and Rep. Michael Turner (R-Ohio) sent the OPM a letter pressing the agency to hand over all documents and communications related to CyTech’s investigation.

...


2016-01-07-GovExec-house-panelists-scold-five-agencies-slow-walking-documents
House Panelists Scold Five Agencies for Slow-Walking Documents
By Charles S. Clark
Government Executive, 2016-01-07

...

Addressing the massive data breach at the Office of Personnel Management, Chaffetz voiced frustration as he held up a stack of released documents that were nearly all black with redactions, and Rep. Mark Meadows, R-N.C., held up a stack of binders of documents delivered by OPM that he said “offended” him because they were “duplicative” and already available online.

Jason Levine, director of OPM’s Office of Congressional, Legislative, and Intergovernmental Affairs, said his “small agency” had “received and provided responses to every question in six separate document production requests resulting in 19 separate document productions, including tens of thousands of documents and internal reports.” He added his agency received more than 170 letters from Congress regarding the breach, made hundreds of calls to lawmakers, testified at four public hearings and conducted 10 classified and unclassified briefings.

OPM has hired additional staff and detailees from other agencies to increase document production capability, Levine said. The staff made redactions based on recommendations by security experts at other agencies and made “significant documents available for review by lawmakers in camera.” “We believed we answered every question,” he said. “We will work with you.”

...


2016-01-07-Fedscoop-oversight-committee-to-agencies-stop-dragging-your-feet-on-doc-requests
Lawmakers to agencies: Stop dragging your feet on doc requests
Federal agencies say they can barely keep up with all of the document requests from Congress, but lawmakers aren't buying that.
By Greg Otto
Fed Scoop, 2016-01-07

Federal agencies are falling woefully short on delivering documents requested by the House Oversight and Government Reform Committee, and members took umbrage during a Thursday hearing, accusing agency officials of trying to hide the truth from Congress.

It was an adversarial and at times acrimonious face-off between lawmakers of both parties and officials they slammed for dragging their feet in aiding the committee's oversight. Some Democratic congressmen counter-charged that the GOP leaders of the panel were singling out politically advantageous fights to pick with the administration — although no officials echoed that.

Rather, representatives from the Justice Department, Homeland Security Department, Office of Personnel Management, State Department, and the White House’s Office of Management and Budget told the committee they have been inundated with congressional requests and have worked tirelessly to fulfill the hundreds they have received over the past few years.

But, when it comes to requests for information related to high-profile incidents, such as the two data breaches at OPM or the Supreme Court case that dealt with the Justice Department use of GPS, Rep. Jason Chaffetz, R-Utah, said agencies consistently report the number of documents they produce — rather than the percentage — as a way to obfuscate their failure to give the committee what lawmakers want.

“When they want to talk about the number of documents they produced, I’m not interested in that,” Chaffetz said. “I’m interested in the percentage of documents that you produced. If we want 100 percent of the truth, we’re going to need 100 percent of the documents. Until we get them, it makes us think that you’re hiding something.”

Chaffetz was particularly irritated with the fact that OPM has sent documents that have been fully redacted, preventing the committee from learning any more about the data breaches that affected millions of current and former federal employees.

“The extraordinary lengths OPM has gone to keep basic information from the committee, leaves us with the conclusion that perhaps they’re having a lot to hide,” he said. “If something’s embarrassing, that’s not a reason to keep it from the Congress.”

When told by Jason Levine, OPM’s director of congressional, legislative and intergovernmental affairs, that the redactions were to protect people's privacy, the committee chair scoffed at what he believed to be double-speak coming from OPM CIO Donna Seymour on whether the information provided was the information Chaffetz asked for.

“She tried to get us to go away,” Chaffetz said. “That was a lie. She misled Congress. She is going to pay the price.”

...



2016-01-11-FCW-dss-opm-hack-lessons
What DHS and the FBI learned from the OPM breach
By Sean Lyngaas
FCW (Federal Computer Week), 2016-01-11

A culture of poor cyber hygiene plagues the Office of Personnel Management and "likely aided the adversary" in the large-scale hack of the agency, according to a Department of Homeland Security and FBI report obtained by FCW. A lack of strong IT policies leaves OPM "at high risk for future intrusions," investigators concluded.

"Convenience and accessibility [have] been prioritized over critical security practices," states the Dec. 23 "cyber alert," distributed to cleared contractors by the Defense Security Service on behalf of DHS and the FBI. "Inadequate" patching of OPM's sub-system is "symptomatic of a greater patching problem" within the agency, the document states. The breach, revealed in June 2015, led to the loss of more than 21 million personnel records.

The unclassified memo reveals just what computer security experts at DHS' Computer Emergency Readiness Team and the FBI have learned from a hack that has roiled Uncle Sam's personnel agency, infuriated lawmakers and changed the cybersecurity conversation in Washington. The quietly distributed, dispassionate analysis is arguably more instructive for information security professionals than the hours of congressional hearings that have been devoted to the breach.

The memo lists a slew of generally recommended security practices based on the OPM breach, including: enable a personal firewall at agency workstations; monitor users' online habits and block potentially malicious sites; employ encryption for data at rest and in transit; and investigate "outbound network traffic observed over TCP port 53 that does not conform to the DNS [Domain Name System] protocol."
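The last recommendation in that list is the one most easily turned into a concrete check. The following is an added example, not code from the DHS/FBI memo or from FCW: it tests whether a captured TCP port 53 payload conforms to DNS message framing (a 2-byte length prefix, a 12-byte header with an assigned opcode and the reserved bit clear, and a parsable question section) and returns the reasons it does not, so that non-conforming streams can be queued for investigation. The two sample payloads are constructed.

```python
import struct


def _parse_name(msg: bytes, offset: int) -> int:
    """Walk a DNS name beginning at offset and return the offset just past it.
    Raises ValueError on anything RFC 1035 does not allow."""
    total = 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two octets
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            return offset + 2
        if length > 63:
            raise ValueError(f"label of {length} octets exceeds 63")
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")
        offset += 1 + length


def check_tcp53_payload(payload: bytes) -> list[str]:
    """Return the ways a TCP port 53 payload deviates from DNS-over-TCP.
    An empty list means the payload is structurally valid DNS."""
    problems = []
    if len(payload) < 2 + 12:
        return ["shorter than a TCP length prefix plus a DNS header"]
    (declared_len,) = struct.unpack("!H", payload[:2])
    msg = payload[2:]
    if declared_len != len(msg):
        problems.append(f"length prefix {declared_len} != message length {len(msg)}")
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):     # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        problems.append(f"unassigned opcode {opcode}")
    if (flags >> 6) & 1:
        problems.append("reserved Z bit set")
    if qd == an == ns == ar == 0:
        problems.append("all section counts are zero")
    if qd > 1:                             # real resolvers send one question
        problems.append(f"QDCOUNT {qd} > 1")
    # Walk the question section: each entry is NAME, QTYPE, QCLASS.
    offset = 12
    try:
        for _ in range(qd):
            offset = _parse_name(msg, offset)
            if offset + 4 > len(msg):
                raise ValueError("question section truncated")
            _qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
            if qclass not in (1, 3, 4, 254, 255):   # IN, CH, HS, NONE, ANY
                problems.append(f"unknown QCLASS {qclass}")
            offset += 4
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a minimal DNS-over-TCP query for `name` (not captured traffic)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # RD set, one question
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


GOOD_SAMPLE = build_query("example.com")
# Constructed sample of something that is not DNS at all being sent to port 53:
# plaintext HTTP, which is what the memo's recommendation says to investigate.
BAD_SAMPLE = b"GET /beacon HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("dns query", GOOD_SAMPLE), ("http on 53", BAD_SAMPLE)):
        print(label, check_tcp53_payload(sample) or "conforms to DNS")
```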

The document does not name OPM, referring only to "Organization 1" in a summary of lessons learned from two recent cyber incidents. But at least six cyber intelligence experts, some of whom are former officials, reviewed the document and said the unnamed organization is in all likelihood OPM based on several key data points. Two OPM officials who viewed the document also said "Organization 1" bore all the hallmarks of their agency.

The timeline, scope and aftermath of the breach, along with the technical infrastructure employed by the organization, all point to the OPM hack, the analysts said. Further, vendors listed as affiliated with "Organization 1," correspond with OPM's vendor relationships.

The fallout from the breach cost former OPM Director Katherine Archuleta her job and has put intense pressure on CIO Donna Seymour to carry out a sweeping overhaul of the agency's IT infrastructure.

"The timing of the breach discovery and the reference to IBM mainframes all match what we know about the OPM breach," Richard Stiennon, chief research analyst at IT-Harvest, told FCW after reviewing the document.

"Given the timing, the specifics of the intrusion, the tech infrastructure referenced, the type of data that was stolen, and the mitigations presented, this is almost certainly referring to the OPM breach," said a former government official. "The large impact of the penetration" described in the document also points to OPM, added another former cyber intelligence official.

Spokespeople at the Pentagon and DHS declined to authenticate the document or otherwise comment.

Identity management could have mitigated hack

The FBI and DHS analysis in the memo emphasizes that
the severity of the OPM breach could have been mitigated
had the agency employed "tiered" identity management controls for system administrators.


"When an organization's network is not segmented from others,
this could mean hundreds of sub-networks are affected versus one,"
the memo states.
Privileged access controls "would have helped detect the intrusion earlier
and made it significantly more difficult for the actor to spread across the network."

"Organization 1" is in the process of boosting identity management
via two-factor authentication from IT security firm Xceedium, the memo notes,
advising the agency to ensure that there is no way for administrators to bypass Xceedium controls.

Hackers used stolen credentials from contractor KeyPoint Government Solutions to access OPM networks.
[Stolen by whom, from specifically whom, and how?
More details needed.]

The intruders likely accessed OPM's local-area network on May 7, 2014,
then planted malware and created a backdoor for exfiltration,
according to an official government timeline of the breach obtained by FCW.
It would be nearly a year before OPM officials knew they had a problem,
according to the timeline.

The Dec. 23, 2015, DSS alert also alludes to the ongoing shift at federal agencies
from a cyber defense based on known security signatures
to a "continuous monitoring" approach.

Moving away from a reliance on a "signature-based system" would increase an agency's "ability to detect and defend against more sophisticated malware and zero-day exploits," the memo states.
The agency should make greater use of "centralized aggregation and correlation of host events, network flows, and behavioral based analysis strategies" for cyber intelligence, according to the memo.

It was such a "signature-based system" -- DHS' Einstein intrusion-detection program -- that helped OPM discover the breach, albeit months after the fact.

The OPM hack has given greater urgency to a sweeping cybersecurity program known as Continuous Diagnostics and Mitigation, which offers a system of dashboards that give network managers a clearer view of vulnerabilities.

OPM has enlisted Booz Allen Hamilton and Campbell, Calif.-based ForeScout Technologies for cyber defense tools under CDM. The agency already has deployed ForeScout's continuous monitoring platform to OPM data centers, according to Niels Jensen, ForeScout's regional vice president of federal sales.

"You can't protect what you can't see," Jensen said, describing his firm's philosophy.

Jeff Wagner, OPM's director of security operations, has said that the full rollout of CDM tools will help the agency with its identity management struggles.

The DSS alert's description of lax IT security in some areas at OPM echoes conclusions from a recent audit by OPM's inspector general. Despite an increased post-breach focus on IT security, the agency continues to struggle to meet many requirements under the Federal Information Security Modernization Act, according to the watchdog.



2016-02-02-FNR-opms-inspector-general-resign
OPM’s inspector general to resign
By Nicole Ogrysko
Federal News Radio, 2016-02-02

Office of Personnel Management Inspector General Patrick McFarland has announced his resignation.

He’s stepping down after his tenure as the longest serving presidentially appointed and Senate confirmed inspector general, McFarland wrote in a Feb. 1 letter to President Barack Obama.

McFarland’s resignation is effective Feb. 19.

Deputy IG Norbert Vint will step in as acting OPM inspector general until the President names a permanent replacement.

...


2016-02-04-GovExec-opms-cobert-confronts-subpoena-en-route-confirmation
OPM’s Cobert Confronts Subpoena En Route to Confirmation
By Charles S. Clark
GovExec, 2016-02-04

While no lawmaker threatened to block her confirmation, acting Office of Personnel Management Director Beth Cobert on Thursday faced a panel of senators concerned about a just-issued House committee subpoena ...

...

She testified two days after OPM Inspector General Patrick McFarland, a chief critic of OPM’s information technology security systems, announced his retirement. And she appeared just hours after House Oversight and Government Reform Committee Chairman Jason Chaffetz, R-Utah, and Ranking Member Elijah Cummings, D-Md., issued a subpoena and posted a letter calling OPM “uncooperative” in producing documents relating to how the data breach was uncovered—through OPM’s protections or through a private firm called CyTech Services.

...

[Sen. Ron Johnson, R-Wis., chairman of the Senate Homeland Security and Governmental Affairs Committee,] was joined by Sen. James Lankford, R-Okla., who said the view of OPM on the House side is “toxic.” Lankford complained that many of OPM’s document releases to Congress contain “thousands of unrelated documents, or 10 that are already on a website.” He recommended that OPM negotiate if the agency feels congressional requests are too broad.

Cobert said she had not yet read the letter but noted “we are working actively to respond.” She added that OPM had shown the documents in question to lawmakers in an “in camera” private setting and that discussion is ongoing.

...

Johnson pressed Cobert to address the national security risks of the breach, citing the vulnerability of intelligence community employees to blackmail. He mentioned new restrictions on employee use of Facebook and personal email at work due to cyber risks.

Cobert said follow-up to the data breach is a “critical priority” that needs to be done carefully, taking all input, especially from the National Counterterrorism Center. She said she met with IG McFarland on her first day and continued biweekly meetings. “We all need to change the way we work,” Cobert added. “I cannot access my personal Gmail account from my work computer. These simple actions make an enormous difference.”

She praised the Homeland Security Department’s cybersecurity programs, particularly U.S. CERT. “I’m impressed with the incredible interagency effort to help us respond,” giving us help on how to prioritize and take advantage of the tools in the software called Einstein. “We also are bringing cyber talent into the government, with the flexibility Congress created,” she said, to which Carper replied, “That is music to my ears.”

...

Asked about the Obama administration’s recently announced decision to move oversight of background checks to a new organization run by the Defense Department, Cobert said, “it’s a shared process,” with the National Background Investigations Bureau being housed at OPM but directed by Pentagon security experts.

[That sounds pretty screwy to me.
Divided responsibility often leads to disaster.
Who's in charge?]


...

[Among the comments to the above article was the following
(BTW, "me" was the name used by the poster of the comment):]


me

Dear Congress:
It was under the direct supervision of the former CIO at OPM [1996-2009] -
Janet Barnes-
that the decision was made to take files out of file cabinets, scan them,
and place that data onto servers that were connected to the World Wide Web.
For decades, OPM retired personnel could rest assured that our Personal Information was stored underground in a cave in Boyers, PA that had machine gun armed guards out front.
But, Janet Barnes decided that wasn't good enough or for whatever reason,
she is the one person that put our data at risk.
She should be the person removed from service.
This will never be behind us until Congress takes action on this.


2016-02-04-FederalTimes-5-opm-issues-hounding-cobert-confirmation
5 OPM issues hounding Cobert's confirmation – including that subpoena
by Carten Cordell
Federal Times, 2016-02-04

2016-02-04-GovInfoSecurity-nominee-explains-opms-recovery-from-massive-breach
Nominee Explains OPM's Recovery from Massive Breach
Cobert Testifies Before Senate Panel Considering Her Confirmation as OPM Director

by Eric Chabrow
GovInfoSecurity, 2016-02-04

...

Cobert, who previously served as deputy director for management in the Office of Management and Budget,
outlined the methodical approach OPM is taking to address the cybersecurity deficiencies.
But lawmakers did not ask about a timetable for when they would be resolved.
The deficiencies include
weak IT security governance,
systems operating without valid authorizations and
weak technical security controls.

...

FISMA, the Federal Information Security Management Act, is the law that governs federal IT security. It requires agencies to meet specific IT security standards as well as to have their security standing reauthorized every three years. The IG, in a 2014 audit, recommended that Archuleta shutter systems that did not acquire valid authorizations required by OMB. At a June House Oversight and Government Reform Committee hearing, Archuleta explained that she didn't order the systems shut down because of other agency priorities, such as ensuring retirees received their benefits and that employees got paid.

...

2016-02-05-contracting-docs-opm-tighten-it-security-background-investigation-companies
Contracting Docs: OPM Seeks to Tighten IT Security of Background Investigation Companies
by Jack Moore
NextGov, 2016-02-05

Contractors that conduct background investigations for the federal government will have to report information security incidents to the Office of Personnel Management within half an hour, are required to use smartcards as a second layer of security when logging on to agency networks and must agree to let OPM inspect their systems at any time.

...

Two-Factor Authentication

Contractors are required to use personal identity verification cards to access OPM IT systems.

OPM, itself, before the big breach lagged on using smartcards as an added layer of log-on security. Before the hack, far fewer than half of agency employees -- 42 percent -- were required to use PIV cards to log on to the OPM network.

After the compromise, and a governmentwide “cybersecurity sprint” to quickly plug pressing security vulnerabilities, that percentage grew to 97 percent.

Among the other stipulations: Before contractors can use any commercial cloud service providers, they must obtain approval from the OPM CIO.

...


2016-02-23-WP-Donna-Seymour-official-overseeing-breached-opm-computer-systems-retires-just-ahead-of-house-hearing
Official overseeing breached OPM computer systems retires just ahead of House hearing
By Eric Yoder
Washington Post, 2016-02-23

[Maybe someone will report just why she was, evidently, forced to resign,
i.e., what OPM feared would happen in the scheduled, but now canceled, House hearing.]


2016-03-07-NextGov-2011-supreme-court-predicted-opm-hack
These NASA Researchers Saw the OPM Hack Coming a Decade Ago. But Nobody Listened.
By Mohana Ravindranath
NextGov, 2016-03-07

...

In 2007, Byrnes and Nelson along with 26 other scientists and engineers filed a lawsuit against the federal government and CalTech. Most of their case centered on the right to informational privacy -- that background checks, which often included open-ended questions about employees’ personal lives and character, were far too invasive for their level of work.

Beyond the intrusiveness of the questions, Nelson told Nextgov, the JPL contractors were convinced the information would be stolen -- many suspected federal data protection couldn’t effectively prevent a hack.

“We knew that it was not going to be well protected,” Nelson said. “They were lying to us about that.”

...

The case wound its way through the federal courts for the next three years before oral arguments were presented at the Supreme Court in 2010.

The team’s warnings about potential data breaches went unheeded. Transcripts of oral arguments show the justices didn’t even bother asking about the government’s track record of securing sensitive information or whether its data protection policies were adequate -- even though several amicus briefs strongly cautioned against the collection of sensitive data.

...

Still, in an 8-0 decision handed down in January 2011, the Supreme Court ruled against the 28 contractors...

...

The Supreme Court justices “didn’t want to hear” arguments that the government was unable to protect data,
[attorney for the plaintiffs Dan] Stormer said in an interview with Nextgov.
“We have numerous examples in our briefs … there was a demonstrated inability of the government to keep information which should be kept private,” he added.

Stormer said he isn’t sure the Supreme Court decision would have been any different even if it had been argued after the OPM hack.

“It should have had an impact,” he said. “I can’t say that it would.”


2016-03-11-Lawfare-Adams-why-opm-hack-far-worse-you-imagine
Why the OPM Hack Is Far Worse Than You Imagine
By Michael Adams
Lawfare Blog, 2016-03-11

The Office of Personnel Management (“OPM”) data breach involves the greatest theft of sensitive personnel data in history. But, to date, neither the scope nor scale of the breach, nor its significance, nor the inadequate and even self-defeating response has been fully aired.

The scale of the OPM breach is larger and more harmful than appreciated, the response to it has worsened the data security of affected individuals, and the government has inadequately addressed the breach’s counterintelligence consequences. While we can never know for sure exactly what the government is doing in secret to address the breach and mitigate its consequences, based on what is publicly known, the millions affected by the breach have good reason to fear.

Below, I explore the scale of the problem.

[This is an excellent lengthy analysis of the situation.]

...



2016-04-20-Cotten-CyTech-Services-CEO-Cotten-blasts-OPM
A year after the OPM breach,
one cyber vendor is still looking for answers

By Zach Noble
FCW (Federal Computer Week), 2016-04-20

...

"The whole thing was bungled from the beginning by OPM,"
Ben Cotton, CEO of the service-disabled veteran-owned small business CyTech Services, told FCW.

...



2016-05-11-NextGov-opm-year-after-big-breach
OPM: A Year After the Big Breach
by Jack Moore
NextGov, 2016-05-11

[The message of this story: Cybersecurity at OPM is now quite good.
On the other hand, some would disagree with that sanguine assessment.]



2016-05-26-epic-opm-stop-collecting-sensitive-job-applicant-information-if-you-cant-secure-the-data
EPIC to OPM: Stop collecting sensitive job applicant information if you can't secure the data
By Julie Bird
Fierce Government IT, 2016-05-26


2016-06-30-FederalNewsRadio-Curtis-Dukes-opm-cyber-breaches-proof-hackers-getting-smarter-sophisticated
OPM cyber breaches proof that hackers are getting smarter, more sophisticated
by Meredith Somers
Federal News Radio, 2016-06-30

Curtis Dukes, director of information assurance at NSA, said he doesn’t know “precisely what the end objective was for the OPM breach,” but regardless of the reason, it’s a reminder that enemy objectives are not only shifting, but becoming more sophisticated.

“One school of thought was that it was done by nation-states to better understand U.S. government employees that maybe have certain roles in the intelligence field,” Dukes said, during a June 30 security briefing at the Cyber Security Summit in Tysons Corner, Virginia. “The other school of thought was it was simply to grab information potentially for identity theft. I actually think it’s going to turn out to be identity theft is the real reason behind that break in.”

The impact to millions of former and current federal employees as a result of recent hacks to federal systems, as well as the fallout felt across the departments, shows that “it pays to invest in strong defense,” Dukes said.

“If you look at the cost of [the Executive Office], State Department, Joint Staff, OPM, the incident response, the mitigation and the now having to re-architect those networks, we’re spending a lot of money in that area,” Dukes said. “If we’d only put a small investment up front, and actually been diligent about good, proper cyber hygiene, we wouldn’t have to worry about that bill. It actually pays in this case to invest a little bit of money in defense.”

...

Dukes, echoing recent sentiments of many CIOs and CISOs, said having good cyber hygiene starts with accepting that a cyber attack is going to happen.

“If you think for a moment that you can architect a system and be 100 percent effective against some type of cyber exploit, you’re kidding yourself,” Dukes said. “You need to architect your network today to understand yes, there are things that are going to happen with it, you want to limit the damage that adversary has on your network.”

To do that, Dukes said companies and agencies need to build in mitigation throughout a system, not just on the boundaries.

“There’s a lot of talk about intrusion prevention systems. The bottom line here is I believe the battle is now being waged down at the end point, not at the boundary,” Dukes said. “The boundary is OK, it has a role, but more and more the actual battle is going to be waged down at the end point.”

...


2016-09-07-Oversight-House-Gov-opm-data-breach-government-jeopardized-national-security-generation
"The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation"
Press Release
PDF (241 pages) of "The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation"
House Oversight Committee, 2016-09-07


2016-10-13-NetworkWorld-the-opm-breach-report-a-long-time-coming
The OPM breach report: A long time coming
by Taylor Armerding
Network World, 2016-10-13

The catastrophic breach of the federal Office of Personnel Management,
which exposed the personal information of more than 22 million current and former employees,
became public in mid-2015.
It took another 15 months for Congress to complete a report on it.

...

[D]ozens of other depressing details are in a timeline that is part of
a 241-page report released last month by
the House Committee on Oversight and Government Reform, bluntly titled,
“The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”

...



2016-10-23-Wired-inside-cyberattack-shocked-us-government
Inside the Cyberattack That Shocked the US Government
by Brendan I. Koerner
Wired, 2016-10-23

...

The routine nature of OPM’s business made the revelations of April 15, 2015, as perplexing as they were disturbing. On that morning, a security engineer named Brendan Saulsbury set out to decrypt a portion of the Secure Sockets Layer (SSL) traffic that flows across the agency’s digital network. Hackers have become adept at using SSL encryption to cloak their exploits, much as online vendors use it to shield credit card numbers in transit. Since the previous December, OPM’s cybersecurity staff had been peeling back SSL’s camouflage to get a clearer view of the data sloshing in and out of the agency’s systems.

Soon after his shift started, Saulsbury noticed that his decryption efforts had exposed an odd bit of outbound traffic: a beacon-like signal pinging to a site called opmsecurity.org. But the agency owned no such domain. The OPM-related name suggested it had been created to deceive. When Saulsbury and his colleagues used a security program called Cylance V to dig a little deeper, they located the signal’s source: a file called mcutil.dll, a standard component of software sold by security giant McAfee. But that didn’t make sense; OPM doesn’t use McAfee products. Saulsbury and the other engineers soon realized that mcutil.dll was hiding a piece of malware designed to give a hacker access to the agency’s servers.

The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away. But in this case, the engineers noticed two unusually frightening details. First, opmsecurity.org had been registered on April 25, 2014, which meant the malware had probably been on OPM’s network for almost a year. Even worse, the domain’s owner was listed as “Steve Rogers”—the scrawny patriot who, according to Marvel Comics lore, used a vial of Super-Soldier Serum to transform himself into Captain America, a member of the Avengers.

Registering sites in Avengers-themed names is a trademark of a shadowy hacker group believed to have orchestrated some of the most devastating attacks in recent memory. Among them was the infiltration of health insurer Anthem, which resulted in the theft of personal data belonging to nearly 80 million Americans. And though diplomatic sensitivities make US officials reluctant to point fingers, a wealth of evidence ranging from IP addresses to telltale email accounts indicates that these hackers are tied to China, whose military allegedly has a 100,000-strong cyberespionage division. (In 2014 a federal grand jury in Pennsylvania indicted five people from one of that division’s crews, known as Unit 61398, for stealing trade secrets from companies such as Westinghouse and US Steel; all the defendants remain at large.)

Once Captain America’s name popped up, there could be little doubt that the Office of Personnel Management had been hit by an advanced persistent threat (APT)—security-speak for a well-financed, often state-sponsored team of hackers. APTs like China’s Unit 61398 have no interest in run-of-the-mill criminal activities such as selling pilfered Social Security numbers on the black market; they exist solely to accumulate sensitive data that will advance their bosses’ political, economic, and military objectives.
“Everyone can always say,
‘Oh, yeah, the Pentagon is always going to be a target,
the NSA is always going to be a target,’”
says Michael Daniel, the cybersecurity coordinator at the White House,
who was apprised of the crisis early on.
“But now you had the Office of Personnel Management as a target?”

[Daniel was surprised at this? Shows the incompetence of Dems, other than Hillary's genius at making sure her files were deleted while avoiding responsibility for their destruction.]

...
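The beacon Saulsbury spotted combined two signals: a domain borrowing the agency's name that the agency did not own, and traffic sent on a schedule. The detector below is an added example, not OPM's or Cylance's code; the log format, the owned-domain list, the "last two labels" domain cut and the 10 percent jitter threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumptions for this example: domains the organization actually registered,
# and the name fragments an impostor domain might borrow.
OWNED_DOMAINS = {"opm.gov"}
ORG_TOKENS = ("opm",)

# Constructed outbound-connection log (what a decrypted-SSL view might record).
SAMPLE_LOG = """\
2015-04-15T06:00:00Z src=10.20.30.40 host=www.opm.gov
2015-04-15T06:00:07Z src=10.20.30.40 host=opmsecurity.org
2015-04-15T06:03:11Z src=10.20.30.41 host=updates.example.com
2015-04-15T06:05:07Z src=10.20.30.40 host=opmsecurity.org
2015-04-15T06:09:45Z src=10.20.30.41 host=www.example.com
2015-04-15T06:10:07Z src=10.20.30.40 host=opmsecurity.org
2015-04-15T06:15:07Z src=10.20.30.40 host=opmsecurity.org
2015-04-15T06:16:30Z src=10.20.30.40 host=e-qip.opm.gov
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) host=(\S+)$")


def registrable(host):
    """Crude registrable-domain cut (last two labels); a real tool would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(host):
    """True when the domain borrows an org token but is not one the org owns."""
    if registrable(host) in OWNED_DOMAINS:
        return False
    return any(tok in label for tok in ORG_TOKENS for label in host.lower().split("."))


def regular_interval(times, min_hits=3, max_jitter=0.1):
    """Return the mean gap in seconds if the hits are evenly spaced, else None."""
    if len(times) < min_hits:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # low spread relative to the mean
        return avg
    return None


def find_beacons(log_text):
    """Parse the log; return (src, host, interval) for look-alike domains hit on a schedule."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, host = m.groups()
        if is_lookalike(host):
            hits[(src, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    found = []
    for (src, host), times in sorted(hits.items()):
        interval = regular_interval(sorted(times))
        if interval is not None:
            found.append((src, host, interval))
    return found


if __name__ == "__main__":
    for src, host, interval in find_beacons(SAMPLE_LOG):
        print("%s -> %s every %.0f s: unowned look-alike domain, investigate" % (src, host, interval))
```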
