The director of the Office of Personnel Management (OPM) revealed more unsettling details in hearings this week regarding the recent OPM breach and the theft of millions of federal employee and ex-employee records.
OPM director Katherine Archuleta spoke at a hearing with the Senate on Tuesday and the House Oversight and Government Reform Committee on Wednesday. Archuleta said stolen passwords for a federal contractor were used by hackers in the two cyberattacks targeting federal employee data. Archuleta has also gone on record noting how long the breached systems were "neglected."
Idan Tendler, head of Fortscale and a former agent of the 8200, Israel's cyberwarfare specialist group, said the use of stolen credentials in this attack should not surprise anyone.
"It's really no surprise that the OPM breach was traced back to a compromised credential as this is the case in nearly 80% of the breaches we have seen, including Target and Anthem," Tendler said. "Compromised users continue to create great challenges for security teams. With legitimate access, it is difficult to detect whether an employee's actions are actually being perpetrated by that employee or by an outside source."
As part of the "30-day Cybersecurity Sprint" ordered by the Obama administration, agencies have been tasked with limiting the number of privileged user accounts and expanding the adoption of multifactor authentication for all systems. Additionally, new NIST guidelines for contractors that handle federal data could help mitigate future incidents of stolen credentials.
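The two Sprint goals named above, fewer privileged accounts and broader multifactor authentication, are measurable, and the use of a contractor's stolen credentials is exactly the case those goals target. The following Python script is an added example, not code from OPM, NIST or the article, that audits a constructed account inventory for privileged and contractor accounts lacking MFA, reports MFA coverage, and scans constructed authentication log lines for successful logins by non-MFA accounts from sources outside an assumed allow-list. The inventory, log lines, IP addresses and the `KNOWN_SOURCES` set are all invented for illustration.

```python
"""Audit a constructed account inventory against the two Cybersecurity Sprint goals:
fewer privileged accounts and MFA on every account. Example code, not an official tool."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    owner_type: str      # "employee" or "contractor"
    privileged: bool
    mfa_enrolled: bool


# Constructed sample inventory (invented accounts, not real OPM data).
INVENTORY = [
    Account("jdoe", "employee", privileged=False, mfa_enrolled=True),
    Account("ops-admin1", "employee", privileged=True, mfa_enrolled=True),
    Account("ops-admin2", "employee", privileged=True, mfa_enrolled=False),
    Account("vendor-svc", "contractor", privileged=True, mfa_enrolled=False),
    Account("vendor-hr", "contractor", privileged=False, mfa_enrolled=False),
]

# Constructed authentication log in "account,source_ip,result" form (invented values).
AUTH_LOG = """\
ops-admin1,10.1.1.5,success
vendor-svc,10.1.1.9,success
vendor-svc,203.0.113.7,success
ops-admin2,10.1.1.6,failure
ops-admin2,198.51.100.4,success
"""

# Assumed allow-list of source addresses normally used by these accounts.
KNOWN_SOURCES = {"10.1.1.5", "10.1.1.6", "10.1.1.9"}


def privileged_without_mfa(inventory):
    """Privileged accounts that a stolen password alone would unlock."""
    return sorted(a.name for a in inventory if a.privileged and not a.mfa_enrolled)


def contractor_without_mfa(inventory):
    """Third-party accounts that still rely on a single factor."""
    return sorted(a.name for a in inventory
                  if a.owner_type == "contractor" and not a.mfa_enrolled)


def mfa_coverage(inventory):
    """Fraction of all accounts enrolled in MFA; 1.0 is the Sprint target."""
    return sum(a.mfa_enrolled for a in inventory) / len(inventory)


def suspicious_logins(log_text, inventory, known_sources):
    """Successful logins by non-MFA accounts from a source not on the allow-list.

    With a compromised credential the login itself looks legitimate, so the
    only remaining signal is context such as an unfamiliar source address."""
    no_mfa = {a.name for a in inventory if not a.mfa_enrolled}
    hits = []
    for line in log_text.splitlines():
        account, ip, result = line.strip().split(",")
        if result == "success" and account in no_mfa and ip not in known_sources:
            hits.append((account, ip))
    return hits


if __name__ == "__main__":
    print("privileged, no MFA:", privileged_without_mfa(INVENTORY))
    print("contractor, no MFA:", contractor_without_mfa(INVENTORY))
    print(f"MFA coverage: {mfa_coverage(INVENTORY):.0%}")
    print("suspicious logins:", suspicious_logins(AUTH_LOG, INVENTORY, KNOWN_SOURCES))
```

On a real directory the inventory would come from the identity provider and the log from the authentication system; the logic stays the same. The point of the last check is the one Tendler raises: once MFA is missing, a successful login proves only that someone held the password, so the review has to lean on where and when the credential was used.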
Bob West, chief trust officer for cloud security vendor CipherCloud, was not convinced it is realistic to expect the aims of the Cybersecurity Sprint can be met in just 30 days.
"While the recommendations for the Cybersecurity Sprint exercise are sensible, it's very difficult to make a material difference in 30 days," West said. "It's easy to say 'fix vulnerabilities immediately,' but fixing them will take much longer. It will probably take 12 months to cover what they would like to cover in the Cybersecurity Sprint."
Archuleta refused to speak directly on the total number of records breached but did try to distance herself from the new estimate that 18 million federal employee and ex-employee records were affected. This new estimate reportedly originated with FBI director James Comey speaking to Senators in closed-door briefings in recent weeks.
"It is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigations data," Archuleta said. "It is a number that I am not comfortable with at this time."
A budget request written by Archuleta in February said because OPM has responsibility over "personally identifiable information for 32 million federal employees and retirees -- OPM has an obligation to maintain contemporary and robust cybersecurity controls."
Archuleta took responsibility for the breach, saying, "I hold all of us responsible; that's our job at OPM."
Other lawmakers were split on whether Archuleta should take the fall in this case. Rep. Ron DeSantis, R-Fla., stated constituents simply wanted to see consequences when government officials make mistakes, and House Oversight Committee Chairman Jason Chaffetz, R-Utah, called for Archuleta's resignation as well as that of OPM Chief Information Officer Donna Seymour. Chaffetz told Seymour, "I think you're in over your head."
Rep. Gerald Connolly, D-Va., described Archuleta as being a "scapegoat," but warned that placing this type of blame could mask the bigger picture that the U.S. is "facing a systematic, organized, financed, pernicious campaign by the Chinese government ... to penetrate our cyber world."
The White House has also shown support for Archuleta.
"She's obviously got a very difficult job and a very difficult challenge ahead of her," Press Secretary Josh Earnest said at the June 24 press briefing. "And the administration and the president continue to believe that she's the right person for the job."
Archuleta is scheduled to appear before the Senate Homeland Security and Governmental Affairs committee today.