Shocked that the massive OPM data breach reported earlier this year actually happened?
When compromised passwords at the United States Office of Personnel Management led to an epic breach, exposing the data of 22 million people, it raised the question: How can an organization, whose information security is managed without accountability and oversight from its leadership, be expected to tackle national cybersecurity risk at this level of complexity?
Like other federal departments, OPM is a monolithic agency run by politically appointed leaders who simply lack the expertise to make smart decisions about cybersecurity. More importantly, most directors in the U.S. government do not have the people within their organizations who are empowered to make changes, and many staff members are, simply, not right for the job. A CIO or CISO in the U.S. government is typically a Senior Executive Service (SES) Level 3 position, which pays $168,000 annually with few incentive bonuses and no stock options. An equivalent CISO role, in a company the size of OPM—which houses data from employment records, background checks and fingerprints for all past and present federal employees and jobseekers—would come closer to $400,000 in total compensation.
Bringing outside talent into the government at this level is challenging, and it’s not only the discrepancy in pay. Hiring directly into the SES requires an independent board of inquiry into the candidate’s five “Executive Core Qualifications,” developed (ironically) by the OPM:
- ECQ1 Leading change
- ECQ2 Leading people
- ECQ3 Business acumen
- ECQ4 Results driven
- ECQ5 Coalition building
The process is long, frustrating and, in the end, mysterious. (I applied to be the CISO at the Department of Commerce, was given a conditional letter of employment, but declined after months of waiting for the ECQ board to meet or even tell me what I needed to provide to them.)
What happened at OPM can happen anywhere when you are dealing with an advanced threat like a PRC-sponsored intelligence group with state-of-the-art attack techniques and tactics. It’s only when the leadership of an organization appreciates those risks that they can authorize their IT security department to develop and deploy an active defense against these unrelenting threats. In the private sector, cyber risk is the No. 1 item on most corporate boards’ minds. The directors are pressing CEOs to explain how they are getting in front of cyber risks. That in turn drives investment in quality tools, people and processes that are commensurate with the organization’s cybersecurity risk tolerance.
Not all organizations carry the same risks. Companies in the high-tech, defense or aerospace industries have been historical targets of advanced adversaries; by now, most of these companies have made what is considered a reasonable investment in their cybersecurity organizations. In many enterprises, major security funding comes only after a breach, or after a high-profile incident at a company just like theirs. Organizations that are at lower risk from criminal or state-sponsored cyberintelligence groups may adopt a strategy that allows a higher risk tolerance and less investment in security programs.
The point is that how to stop, or at least slow down, these attacks is no longer a mystery; the expertise and technologies have matured to the point that there is a blueprint that can effectively prevent or minimize the kind of data breach that occurred at OPM. Many companies and some government organizations are deploying effective defenses against most of the risks they face, including advanced persistent threats (APTs).
What is the difference between those organizations and OPM? Accountability and leadership. OPM cannot be sued; it will not be fined, and over time, if everyone hunkers down and waits for the storm to blow over, it will drift back to its old ways of doing business. Although Katherine Archuleta, OPM’s director, resigned after political pressure, there is a big rush to address some of the major flaws in the OPM systems reactively; this means the underlying organizational and cultural issues are going to be harder to change.
Layers of management
A review of the OPM website shows an organization with a large management layer of senior advisors to the director, and a hierarchy that is not in line with the approach many companies are taking when it comes to cybersecurity. The new acting director at OPM, Beth Cobert, has 62 senior leaders in four groups reporting to her. Within one of the groups, called Support Functions, is the CIO, Donna Seymour, who has 28 staff listed in her direct organization, and four direct reporting organizations, none of which are security focused. There’s a reference to an IT Security Policy and an IT Security Operations Center, but the CISO function (if there is one) is not listed.
Seymour is a 34-year career government worker, with a mix of policy and IT management roles at the Department of Defense, among other agencies. While she has a degree in computer science and long history in information technology, cybersecurity is not part of her bio.
The Office of the CIO is responsible for the cybersecurity of OPM’s IT infrastructure. Despite an upgrade from “material weakness in information security governance” to “significant deficiency,” based on a planned reorganization of the Office of the CIO, the Federal Information Security Management Act (FISMA) audit for FY 2014 conducted by the Office of the Inspector General (OIG) found serious flaws in the network and the way it was managed. OPM lacked an inventory of systems and baseline configurations, and 11 servers were operating without a valid authorization to operate (ATO). The auditors could not independently verify that OPM’s monthly automated vulnerability scanning program covered all servers. Another notable finding was the lack of a senior information security professional to own the security of the network—a role that is typically filled by a CISO.
The status of the reorganization of the Office of the CIO is unclear. Based on earlier FISMA audits and recommendations, OPM is moving toward centralized management of security with information system security officers (ISSOs) reporting directly to the CISO organization. The individuals in these positions will have professional security backgrounds, according to the report. In FY 2014, OPM had four ISSOs for 17 of the agency’s information systems, with 10 additional positions authorized.
The FISMA FY 2014 report, which Seymour signed on October 21, 2014, cautioned OPM that its systems were dangerously underpatched and vulnerable to security issues. The report was not technically detailed, but after the incidents, it’s clear that OPM was aware it had serious IT security problems. It lacked an effective PIV and multifactor authentication strategy, had poor management of user rights, inadequate monitoring of multiple systems, and an ineffective and decentralized cybersecurity organization. The sensitive data was unencrypted at rest and stored in old database systems that were vulnerable. (It turned out that, contrary to U.S. law, OPM used contractors from China to manage some of its databases.) Many machines were unpatched. All of these deficiencies had been pointed out to OPM over and over again, since the FISMA audit in FY 2007.
In retrospect, given the epidemic of state-sponsored hacking around the world, the consequences of a successful hack of OPM data should not be a surprise. The OIG report even said that there would be a national security impact if OPM was hacked. The signs were all there: It had the vulnerabilities, no security-focused leadership, and a capable and motivated adversary.
So what happened in the period between the last OIG report and the discovery of the data loss? Not much. The compromise was noticed in April 2015, just six months after the OIG report, and evidence suggests that the compromise had been ongoing much earlier. Social security numbers, security clearance information and fingerprint data were all lost. The adversaries, believed to be Chinese, were able to steal millions of sensitive files. Given the findings of the OIG report and the capabilities of the Chinese APT groups, this should not have surprised anyone.
In any large private organization, the CEO, the CIO and the CISO would be held accountable by the board of directors. In the end, Katherine Archuleta, OPM’s director, whose only qualification for the job was her role as the national political director of President Obama’s 2012 re-election campaign, resigned. Seymour, whose primary job was to advise Archuleta on IT and manage risk on the IT systems, is still employed as the CIO of OPM, which is amazing. She was unable to address the real risks to OPM’s data or articulate those risks to the director to force an accelerated remediation plan. The OIG FY 2014 audit noted that OPM still needs to “fully establish” an executive risk function.
As expected, there is a massive post facto effort to clean up years of poor IT management and the lack of investment in people and processes. The “30-day Cybersecurity Sprint” ordered by the Obama administration across all agencies is going to apply fixes to the big issues. But without a strong foundation, time and lack of attention could make this investment futile in the long run. Cybersecurity is a journey. The threat landscape changes, the tools and processes evolve, and rules and regulations change. OPM, and the government as a whole, need to invest in professional security executives and empower those individuals with real authority within their organizations.
A CISO with a mandate to bypass organizational apathy and expose the risks to decision makers is going to be hard to find in the government, but until this is figured out, many government organizations are going to continue to struggle with a cycle of apathy, crisis, and then sprinting to catch up again.
About the author:
Adam Rice is the CISO of Cubic Corp. An InfoSec professional with 17 years of experience, he has served as CISO of Alliant Techsystems; CSO of a global telecommunications company; general manager and vice president of a managed security services business; director in several network consulting companies; and is a retired U.S. Army noncommissioned officer. He is also a regular contributor to several information security publications.