Beginning in 2013, what has been called the worst intelligence breach in U.S. history unfolded inside the U.S. Office of Personnel Management (OPM), an independent federal agency. In today’s atmosphere of fear over data breaches and email hacks, what’s being done to protect the sensitive personal data housed in government networks? What lessons have we learned from the past?
How the Superhack Happened
The U.S. OPM is, in effect, the human resources department for the federal government. It holds detailed records on federal employment: hiring and termination records, promotions, rates of pay, benefits and pensions for millions of current and retired employees, along with the background-investigation files behind security clearances. That’s a rich motherlode of sensitive information.
On the morning of April 15, 2015, a security engineer named Brendan Saulsbury was reviewing traffic records for the agency’s network. Like online vendors and banks shielding credit card numbers, the OPM used Secure Sockets Layer (SSL) encryption to protect sensitive traffic. Unfortunately, attackers use the same encryption to hide their own activity, so the OPM security staff had been inspecting encrypted outbound traffic for signs of data leaving the network.
Saulsbury noticed something odd: outbound traffic to a site called opmsecurity.org. The name sounded official enough, but the agency owns no domain by that name; it looked like something built to deceive. Digging deeper, he traced the traffic to a file named to look like a standard component of software from the well-known security vendor McAfee. That raised another red flag: the OPM does not use McAfee. Saulsbury and his colleagues soon confirmed that the file was malware, one that gave the attackers remote access to OPM servers.
Worse, the domain opmsecurity.org had been registered on April 25, 2014, nearly a year earlier. That is a long time for intruders to have had access to such sensitive data. And later findings suggest the intrusion actually began months earlier, in late 2013.
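The three signals that led OPM’s engineers to the malware (a lookalike domain that contains the agency’s name but is not one it owns, a binary claiming to belong to a vendor the agency never deployed, and a destination domain registered only months before contact) can be turned into a simple egress-log detector. The code below is an added example written for this article, not OPM’s or any vendor’s tooling. The proxy log lines, the owned-domain and deployed-vendor lists, the process path `C:\Program Files\McAfee\mcsvc.exe` and the WHOIS creation dates are all constructed for the example; the only real detail reused is that opmsecurity.org was registered on April 25, 2014 and seen on April 15, 2015.

```python
"""
Added example (not from the original article): flag outbound connections that
match the pattern OPM staff caught in 2015.  All log lines, domain lists and
WHOIS dates below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, datetime

OWNED_DOMAINS = {"opm.gov"}                   # domains the organization actually owns
ORG_TOKENS = ("opm",)                         # brand strings a lookalike would reuse
DEPLOYED_VENDORS = {"mozilla", "microsoft", "acme"}          # software actually deployed
KNOWN_VENDOR_TOKENS = {"mcafee", "symantec", "mozilla", "microsoft", "acme"}
NEW_DOMAIN_DAYS = 730                         # "recently registered" threshold (assumption)

WHOIS_CREATED = {                             # constructed registration dates
    "opmsecurity.org": date(2014, 4, 25),
    "opm-learning.org": date(2006, 3, 2),
    "update.vendor.example": date(2001, 1, 1),
}

# Constructed egress-proxy records: timestamp,source host,process path,destination
PROXY_LOG = """\
2015-04-15T08:02:11Z,ws-0419,C:\\Program Files\\Mozilla Firefox\\firefox.exe,opm.gov
2015-04-15T08:02:40Z,srv-db-07,C:\\Windows\\System32\\svchost.exe,update.vendor.example
2015-04-15T08:03:05Z,srv-db-07,C:\\Program Files\\McAfee\\mcsvc.exe,opmsecurity.org
2015-04-15T08:03:09Z,ws-0419,C:\\Program Files\\Mozilla Firefox\\firefox.exe,www.opm.gov
2015-04-15T08:04:17Z,ws-0522,C:\\Program Files\\Acme\\acme.exe,opm-learning.org
"""


@dataclass
class Finding:
    host: str
    process: str
    dest: str
    reasons: list

    @property
    def severity(self):
        # one reason is worth a look; two or more independent signals is an alert
        return "alert" if len(self.reasons) >= 2 else "review"


def is_owned(dest):
    d = dest.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in OWNED_DOMAINS)


def registrable_label(dest):
    """'www.opmsecurity.org' -> 'opmsecurity'.  Good enough here; a real
    implementation would consult the public suffix list."""
    parts = dest.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(dest):
    return any(token in registrable_label(dest) for token in ORG_TOKENS)


def undeployed_vendor(process):
    """Return a vendor name the binary's path claims but the org never deployed."""
    p = process.lower()
    for token in KNOWN_VENDOR_TOKENS:
        if token in p and token not in DEPLOYED_VENDORS:
            return token
    return None


def domain_age_days(dest, seen):
    """Days between registration and contact; subdomains inherit the parent's date."""
    parts = dest.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        created = WHOIS_CREATED.get(".".join(parts[i:]))
        if created:
            return (seen - created).days
    return None


def analyse(log):
    findings = []
    for line in log.strip().splitlines():
        ts, host, process, dest = line.split(",", 3)
        if is_owned(dest):
            continue                          # traffic to our own domains is expected
        reasons = []
        if is_lookalike(dest):
            reasons.append("lookalike of org domain, not in owned list")
        vendor = undeployed_vendor(process)
        if vendor:
            reasons.append(f"process claims vendor '{vendor}' that is not deployed")
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        age = domain_age_days(dest, seen)
        if age is not None and age < NEW_DOMAIN_DAYS:
            reasons.append(f"destination registered only {age} days before contact")
        if reasons:
            findings.append(Finding(host, process, dest, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(PROXY_LOG):
        print(f.severity, f.host, f.dest, "|", "; ".join(f.reasons))
```

Run against the constructed log, srv-db-07 talking to opmsecurity.org trips all three checks and is reported as an alert, while ws-0522 talking to opm-learning.org trips only the lookalike check and lands in the review queue, which is the right outcome: brand-name domains are often legitimate training or vendor sites, and it is the combination of signals, not any one of them, that made the 2015 traffic stand out.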
While the US government has remained reluctant to make formal accusations for diplomatic reasons, evidence from IP addresses and email accounts points to China as the likely culprit. The attack has been attributed to an advanced persistent threat (APT), the term for a well-financed, often state-sponsored team of hackers that stays inside a network undetected for a long period.
Ultimately it emerged that sensitive personal information on roughly 22 million people (current, former and prospective federal employees and contractors) had been compromised, including millions of background-investigation files and fingerprint records for some 5.6 million people. The intelligence value of the theft “cannot be overstated, nor will it ever be fully known,” said a report by the House Committee on Oversight and Government Reform.
The agency’s then-director, Katherine Archuleta, testified before the House Oversight Committee. Her account of events was largely met with scorn, and some regarded it as evasive. Said Representative Stephen Lynch (D-Massachusetts),
“I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are keeping information out of the hands of Congress and federal employees.”
The political climate stayed heated, and Archuleta soon resigned under pressure. CIO Donna Seymour, who had also testified, retired rather than face another round of grilling by the House committee.
Scapegoats aside, many months later, what has actually been done to prevent another attack?
What Has Happened Since the Attack?
The Office of the Inspector General is charged with protecting the integrity of OPM’s services and programs through independent, and presumably objective, oversight. The Inspector General Act of 1978 requires its audit reports to be posted publicly, which gives us a rare window onto how the Inspector General (IG) views the progress made since the breach. The condensed version: some improvements have been made since the disaster, but the response is still less than adequate. The public may be less than reassured to find the IG’s verdict of “significant regression” in OPM’s compliance with information security requirements. The full report is publicly available.
As the report notes, the agency has yet to address long-standing security weaknesses and has failed to verify that the security controls on its systems are adequate. High turnover in the positions responsible for information security and in top management (there have been five Chief Information Officers in the past three years) isn’t helping. Perhaps most alarming, OPM still does not have a complete inventory of its servers, databases and software. It is hard to defend a system you don’t even know you have. Other issues stem from the agency’s antiquated technology and immature processes; in the report’s words, the absence of a
“mature inventory system significantly hinders OPM’s efforts related to oversight, risk management, and securing the agency’s information systems.”
In all, the IG issued 26 security recommendations for the Office of Personnel Management in this latest audit. An OPM spokesperson declined to comment on when, or whether, all of them would be completed.
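The IG’s complaint that OPM cannot defend what it has not inventoried has a practical counterpart: periodically reconcile the asset inventory against what the network actually shows, so unknown hosts, hosts that moved, and inventory entries that no longer exist all surface as findings. The code below is an added example for this article, not a tool from OPM or the IG. The inventory rows, the DHCP lease and scan records, and the internal DNS suffix `agency.example` are all constructed.

```python
"""
Added example (not from the original article): reconcile an asset inventory
against observed hosts from two independent sources.  Every record below is
constructed for the example.
"""
import csv
import io

INTERNAL_DOMAIN = "agency.example"            # constructed internal DNS suffix

# Constructed inventory export (what the agency believes it has)
INVENTORY_CSV = """\
hostname,ip,owner,system
SRV-DB-07.agency.example,10.20.1.7,hr-apps,EHRI
srv-web-02.agency.example,10.20.2.2,web-team,Portal
legacy-mainframe,10.20.9.9,ops,Retirement
"""

# Constructed observations: (ip, hostname) from DHCP leases and an authenticated scan
DHCP_LEASES = [
    ("10.20.1.7", "srv-db-07"),
    ("10.20.2.3", "srv-web-02"),
    ("10.20.3.41", "ws-0419"),
]
SCAN_RESULTS = [
    ("10.20.1.7", "srv-db-07.agency.example"),
    ("10.20.2.3", "srv-web-02.agency.example"),
    ("10.20.3.41", "ws-0419.agency.example"),
    ("10.20.5.50", "unknown-5-50"),
]


def normalise(hostname):
    """Lower-case, drop a trailing dot and the internal suffix so that
    'SRV-DB-07.agency.example.' and 'srv-db-07' compare equal."""
    name = hostname.strip().lower().rstrip(".")
    suffix = "." + INTERNAL_DOMAIN
    return name[: -len(suffix)] if name.endswith(suffix) else name


def load_inventory(text):
    """Map normalised hostname -> inventory row."""
    return {normalise(row["hostname"]): row for row in csv.DictReader(io.StringIO(text))}


def collect_observations(*sources):
    """Merge (ip, hostname) pairs from any number of sources into host -> {ips}."""
    seen = {}
    for source in sources:
        for ip, host in source:
            seen.setdefault(normalise(host), set()).add(ip)
    return seen


def reconcile(inventory, observed):
    report = {"unmanaged": {}, "ip_mismatch": {}, "stale": []}
    for host, ips in observed.items():
        if host not in inventory:
            report["unmanaged"][host] = sorted(ips)      # on the wire, not in the books
        elif inventory[host]["ip"] not in ips:
            report["ip_mismatch"][host] = (inventory[host]["ip"], sorted(ips))
    for host in inventory:
        if host not in observed:
            report["stale"].append(host)                 # in the books, never seen
    return report


def run():
    inventory = load_inventory(INVENTORY_CSV)
    observed = collect_observations(DHCP_LEASES, SCAN_RESULTS)
    return reconcile(inventory, observed)


if __name__ == "__main__":
    for category, items in run().items():
        print(f"{category}: {items}")
```

On the constructed data the report lists two unmanaged hosts (a workstation and an address nobody can name), one inventory entry whose recorded IP no longer matches where the host answers, and one entry that no source can see at all. Each category is a different failure of the inventory, and the unmanaged bucket is the one that matters most for the IG’s point: those are the systems nobody is patching, monitoring, or scoping into an audit.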
A government entity being hacked makes for big headlines. But if it’s your business being hacked, that may make for big losses.
That’s where 5i Solutions can help.
We take security seriously. Our data hosting and Cloud Vault offer AES-256 encryption, but as the OPM breach showed, encryption alone is not always enough. That’s why we also offer firewalls, partitioned LANs and key management. 5i provides malware detection and mitigation, site penetration testing and user-activity alerts. Custom-tailored identity verification and access control let in those who need access and keep the bad guys out. Monitoring, logging and on-demand reporting ensure the continued integrity of your data. Let us help you keep your system security up to date and super hackers at bay.
5i Solutions. One single, secure point of intake, access, and storage. One singular solution.
5i Solutions, Inc.