Federal cyber experts are raising the prospect that tens of thousands more federal employees could be at risk of identity theft than first reported after the USIS cyber breach in August.
While much of the information is classified, Rep. Elijah Cummings (D-Md.) said there now is reason to believe the initial estimate of 27,000 feds impacted by the August data breach at USIS was wrong
“Apparently, the company’s desire to increase profits also may have been to blame for its failure to make cyber investments necessary to secure the large amounts of sensitive personal information it should have been protecting on its networks,” Cummings said during an Oversight and Government Reform Committee hearing Wednesday. “On Sept. 3, 2014, committee staff received a briefing from security experts at the Department of Homeland Security, the Office of the Director of National Intelligence and OPM, all of whom analyzed the cyber attack against USIS. While much of that briefing was sensitive, one point may be discussed publicly. Press accounts had initially reported that the attack may have compromised the personal information of up to 27,000 federal employees, however, government cyber security experts believe this number is a floor — not a ceiling.”
Hackers broke into USIS networks and exposed at least 27,000 Homeland Security Department employees identities in August 2014.
Cummings said investigating the data breach has been especially challenging as USIS and its parent company Altegrity haven’t responded to the committee’s requests for more information.
US-CERT limited by vendor
In fact, Office of Personnel Management Chief Information Officer Donna Seymour said USIS only let DHS’ U.S. Computer Emergency Readiness Team (US- CERT) have limited access to its network to determine the vulnerabilities and recommend improvements. Seymour used this example to demonstrate just how much access US- CERT had, “If you asked me to physically secure an apartment building but you only allow me to go into two apartments, I can’t tell you what’s in those other apartments, but clearly they are a part of the building you asked me to secure. We were not able to go to the boundaries of the network.”
After the hearing, Cummings offered few other details about just how many employees are at risk.
“We will continue to look at it, try to get as much information as we can, as fast as we can and it is a top priority to protect them,” he said.
Altegrity filed for bankruptcy for USIS in February, in part, because it lost the OPM security clearance contract.
Cummings said the committee continues to investigate both the USIS and the KeyPoint cyber breach. The KeyPoint breach impacted 48,000 federal employees and became public in December. Cummings wrote a letter to KeyPoint asking for assurances of how they are protecting federal data.
Cummings said he’s also looking into whether Altegrity may be suing the government over OPM’s decision to end the USIS contract.
In light of these two breaches and the ones other agencies were impacted by, the Office of Management and Budget initiated a governmentwide review of how agencies need to ensure contractors are protecting government data on their networks.
The President’s Management Council (PMC), which is made up of deputy secretaries, assessed a broad range of risks in how agencies are responding, detecting and identifying threats and incidents.
“During this response to these incidents and our subsequent review, two things became clear. First, third party contractors and vendors were inconsistently implementing protections over sensitive data. Second, federal agencies did not have adequate contractor language and policy direction to guide how contractors and agencies should respond to incidents,” said Tony Scott, the federal CIO. “Based on this review, agencies were directed to identify and review relevant contracts to ensure compliance with current laws and OMB guidance. Second, OMB directed an interagency effort to collect and disseminate contracting best practices relative to cybersecurity.”
Scott said OMB will follow up on those efforts in several ways.
First, he said OMB is asking agencies to take a hard look at the risk these vendors present.
“We’re conducting CyberStat reviews with each of the agencies that asks them to report and, in consultation with us, look at their maturity level across a number of different dimensions. Then we will ask each of the agencies to set goals and we will measure progress against those goals,” Scott said. “Each of these have to be a risk based assessment to start with. Some agencies have different kinds of risks than other ones do. That’s an important part of the work our unit is doing. The second thing is through the CIO council and our CAO council, disseminating information and sharing best practices as well as the guidance that we provide during the normal course of our work.”
Scott added that after going through the agency’s CyberStat reviews OMB will have a better grasp of how agencies are doing in protecting their networks and overseeing vendor efforts to protect federal data.
Over at OPM, more specifically, since it was the victim of two attacks against contractor run networks, Seymour said she took several steps to address the issues highlighted by the President’s Management Council.
“What we learned from those breaches is it’s important to have a contractual relationship that’s well defined with those contractors. At OPM, we had very well defined contract clauses in our contracts and that helped us have a better conversation with the contractor when the breaches occurred,” she said.
A lesson learned the hard way
Rep. Carol Maloney (D-N.Y.) pressed Seymour for more specifics about the changes.
“We have done two things. One is we’ve reviewed our contract clauses to strengthen them. The second thing that we are doing is we are reviewing all of our contracts to make sure that we have the appropriate clauses across the board in our OPM contracts,” Seymour said. “[For instance,] clauses that require segregation of data. One of the lessons that we learned is that if you have a network where all the data is co-mingled, then it’s very difficult to protect the data, to segregate the data, understand what the adversaries are about and therefore protect that information. If the data is well architected and segregated, you have a better chance of understanding what the adversaries are after and putting better protections around it in a very quick manner.”
Seymour added OPM also is improving its architecture by putting in firewalls between systems to better protect data and conducting more training for employees. In its 2016 budget request sent to Congress in February, OPM asked for $21 million to continue modernizing its IT infrastructure, which would include better cyber protections.
Greg Wilshusen, the Government Accountability Office’s director of information security issues, said agencies must make sure they clearly delineate roles and responsibilities for themselves and for the contractors when it comes to implementing security controls, and detecting and reporting incidents.
Wilshusen said agencies also need to have some assurance that contractors are effectively implementing the security requirements either through an independent assessment or another way.
This issue isn’t new, but it continues to challenge agencies. So much so that the National Institute of Standards and Technology recently issued a second draft special publication in early April about how vendors can protect controlled unclassified information on non-federal networks.