The 2014 and 2015 cyber breaches at the Office of Personnel Management were likely coordinated attacks, according to a scathing new congressional report that blames OPM’s “failure of culture and leadership” on the theft of the personally identifiable information of millions of federal employees and their families.
In the report’s findings, which were made public Sept. 7, investigators determined that the March 2014 hack and the April 2015 hack were related, and OPM “misled Congress and the public to diminish the damage.”
“The two attackers shared the same target, conducted their attacks in a similarly sophisticated manner, and struck with similar timing,” the report stated. “The data breach discovered in March 2014 was likely conducted by the Axiom Group. The data breaches discovered in April 2015 were likely perpetrated by the group Deep Panda (a.k.a. Shell_Crew, a.k.a. Deputy Dog) as part of a broader campaign that targeted federal workers.”
The conclusions for the breaches are based on the presence of certain malware, as well as procedures similar to other hacks publicly linked to the same hacking groups, according to the report.
The report, titled “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation,” is the result of a year-long investigation lead by the Republican majority of the House Oversight and Government Reform Committee.
The investigation is based on interviews, emails, news articles, congressional testimony and a range of office memos, audits and incident reports.
Rep. Jason Chaffetz (R-Utah) and chairman of the committee, addressed federal chief information officers in the opening letter of the report, warning them that while their work is more important now than ever before, the “margin for error has never been smaller.”
“For those whose personal information was compromised, I hope this report provides some answers on the how and why,” Chaffetz said. “Most of all, however, it is my hope that the findings and the recommendations contained herein will inform and motivate current and future CIOs and agency heads so we — as a government — can be smart about the way we acquire, deploy, maintain, and monitor our information technology.”
Chaffetz is speaking Wednesday at an AEI event in Washington, on the lessons learned from the OPM breaches.
A collaborative spirit
Acting OPM Director Beth Cobert said in a blog post that the report “does not fully reflect where this agency stands today.”
“Over the past year OPM has worked diligently with its partners across government and made significant progress to strengthen our cybersecurity posture, and reestablish confidence in this agency’s ability to protect data while delivering on our core missions,” Cobert said. “At OPM we recognize that cybersecurity is not just about technology — it’s about people. In addition to strengthening our technology, we have added seasoned cybersecurity and IT experts to our already talented team.”
The steps Cobert said OPM has taken in the past year include:
Hiring a new chief information officer
Requiring multi-factor authentication for people logging in to OPM’s systems
Fully implementing the continuous diagnostics and mitigation program developed by the Homeland Security Department
“The cybersecurity incidents at OPM provided a catalyst for accelerated change within our organization,” Cobert said. “Throughout this agency, management has embraced cybersecurity as a top priority. I am proud of the way the team at OPM rose to the challenge and appreciate the collaborative spirit with which our partners across government worked — and continue to work — side by side with us each and every day.”
In a response from Rep. Elijah Cummings (D-Md.), ranking member of the committee, he said he could not support his colleagues’ report because it fails to address federal contractors and their role in cybersecurity.
“The most significant deficiency uncovered in the committee’s investigation was the finding that federal cybersecurity is intertwined with government contractors, and that cyber requirements for government contractors are inadequate,” Cummings said in his report.
Cummings was also critical of the report’s “unfair” criticism of former OPM CIO Donna Seymour.
“Even before the committee began its investigation, Chairman Chaffetz demanded Ms. Seymour’s resignation, and he called for her resignation on at least five occasions,” Cummings said.
The committee found in its report that OPM used Cylance Inc., an outside contractor, to look for “malicious code present at OPM related to the breaches .”
Not only did Cylance uncover malicious activity, the report said, but “despite Cylance’s proven value during the 2015 incident response, OPM failed to timely make payments.”
According to someone familiar with the investigation who spoke to Federal News Radio on the condition of anonymity, the federal government learned a procurement lesson in this case, because a a limited version of Cylance was being used, and had OPM taken advantage of the product both before and after the breach, it could have “prevented a lot of damage to the country.”
The report recommends 13 actions OPM and other agencies should take to strengthen their cybersecurity posture.
Among the recommendations is for the Office of Management and Budget to adopt a zero trust IT security model, which “centers on the concept that users inside a network are no more trustworhty than users outside a network.”
Another person familiar with the investigation who spoke on background said the zero trust model was something forward-looking for OPM to consider.
“It’s kind of a philosophy that has both aspects of how you architect your network, how you give user privileges to different systems, different directories,” the individual said. “It’s taking that kind of critical look at user access.”
The report also directs OMB and the General Services Administration to establish a a contracting process for Cyber Incident Response Services — or have Congress create a statutory requirement for one.
OPM, OMB and DHS are also instructed to “map the entire cyber workforce across all agencies using the National Initiative for Cybersecurity Education (NICE) National Cybersecurity Workforce Framework.
Other recommendations include the already ongoing effort to reduce agencies’ use of social security numbers, adopting the Safe and Secure Federal Websites Act of 2015, and offering federal employees financial education and counseling to help them protect against and respond to identity theft.
“The longstanding failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the Inspector General, represents a failure of culture and leadership, not technology,” the report states.