OPM’s archaic IT infrastructure opened door for massive data breach

The Social Security numbers of millions of current and former federal employees were not encrypted when hackers stole data from the Office of Personnel Management.

OPM Director Katherine Archuleta, who came under intense questioning from Republicans and Democrats alike, told House Oversight and Government Reform Committee members June 16 that the agency’s IT infrastructure didn’t necessarily support modern encryption technologies.

But Andy Ozment, the Homeland Security Department’s assistant secretary in the Office of Cybersecurity and Communications in the National Program Preparedness Directorate, said it may not have mattered anyway.

“If the adversary has the credentials of a user on the network, they can access data even if it’s encrypted just as the users on the network have to access data,” Ozment said Tuesday. “That did occur in this case. Encryption in this instance would not have protected this data.”


The fact that the Social Security numbers of millions of current and former federal employees were not encrypted was one of few new details revealed about the data breach.

Archuleta, Ozment and other executive branch officials deferred most of the questions employees, their unions and lawmakers wanted answers to until after the public hearing when the committee was holding a classified briefing with the same witnesses as well as members of the intelligence community.

Rep. Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others failed.

But even that answer did little to make Lynch feel good about what OPM and others were providing.

“This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in because of the obfuscation and the dancing around we are all doing here,” he said. “As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It’s ironic. You are doing a great job stonewalling us, but hackers, not so much.”

New leadership called for

Lawmakers offered few new details of what they learned, except that committee Chairman Jason Chaffetz (R-Utah) came out of the briefing and spoke to the media briefly, demanding that Katherine Archuleta and OPM Chief Information Officer Donna Seymour resign.

“Those two had an opportunity to right the ship. They were given strong recommendations for a number of years, but they didn’t get it done. There should be consequences,” Chaffetz told the National Journal. “If we want a different result, we’re going to have to have different people. I think it’s time for them to resign. And if they don’t, I think the President should fire them.”

Along with Chaffetz, Rep. Ted Lieu (D-Calif.) also called for someone to step forward and take responsibility.

“It’s clear to me there is a high level of technological incompetence across many of our federal agencies,” said Lieu, who was a computer science major. “We had over 10 federal data system breaches last year. There is a culture problem. There is a problem of civilian leadership not understanding we are in a cyber war. Every day, we are getting attacked in both the public and private sector. The U.S. military understands that, that’s why they stood up an entire U.S. Cyber Command. Until our civilian leadership understands the gravity of this issue, we will continue to have these breaches.”

He said the failure to encrypt SSNs is an example of the culture problems and poor leadership.

“When you have a culture problem as we have had here, in the past when agencies have had this, leadership resigns or they are fired,” he said, pointing out the changes at the Veterans Affairs Department, the Drug Enforcement Administration and the Secret Service as recent examples. “We as a government do that for two reasons. One is to send a signal that the status quo is not acceptable. We cannot continue to have this attitude where we make excuse after excuse. I’ve heard a lot of testimony today, but the one word I haven’t heard is ‘sorry.’ When is OPM going to apologize to over 4 million federal employees that just had their personal data compromised? The other reason is we want leadership that is competent. I’m looking here today for a few good people to step forward and accept responsibility and resign for the good of the nation.”

Hackers and vendors connection

Committee Ranking Member Elijah Cummings (D-Md.) shed some light on the data encryption problem during the hearing and after the classified briefing.

Cummings said the reason why the hackers may have had the network user access keys is because of two earlier breaches at USIS and KeyPoint — both of whom were contractors to OPM conducting security clearances.

In fact, Steven Alesio, operating partner of the venture capital fund running USIS, Providence Equity, was supposed to testify, but backed out Monday night, Cummings said at the hearing.

DHS and OPM officials declined to comment publicly about how hackers may have gotten network access keys.

But in a statement after the classified briefing, Cummings said he now believes more strongly than ever that the committee needs to hear more directly from KeyPoint and USIS in either transcribed or formal testimony.

“The committee should now request a much more detailed, comprehensive, and classified briefing from government IT experts about the specific vulnerabilities that contractors pose to our government’s cyber security,” he said in a statement.

Cummings has been questioning the response by KeyPoint to the cyber breach and what long term impacts it could have on the government.

But beyond the contractor issue, OPM and DHS confirmed very little else during the unclassified hearing, including exactly how many federal employees or former feds are impacted by the second breach. Several lawmakers asked about the 14 million number, but all OPM and DHS would say is they are still investigating the extent of the breach.

A little light on Interior’s role

Beyond the Social Security numbers encryption tidbit, a few other interesting scraps of new information came out during the hearing.

Sylvia Burns, the Interior Department CIO, shed some light on the role of her agency in the breach.

Up until now, there were few details beyond the fact that the hackers took the data from servers hosted by Interior.

“In April, DHS US-Computer Emergency Readiness Team informed DoI about a potential malicious activity, which was later determined to be a sophisticated intrusion on DoI’s network,” she said. “DoI immediately began working with US-CERT, the FBI and other federal agencies to initiate an investigation and determine what information may have been compromised. DoI gave US-CERT and other investigating agencies immediate access to the DoI computer systems, and DoI dedicated people to support the investigation. Although there is evidence the adversary had access to the DoI data center’s overall environment, today the investigation has not discovered evidence that any data other than OPM data has been exfiltrated. However, the investigation remains ongoing.”

So what Burns seems to be saying is the attackers knew what they were looking for or had a good idea of what types of data they wanted.

Sources say that Interior separates its shared services data — payroll, financial management and acquisition data — from agency data, or information it hosts for agencies such as OPM.

Sources also say Interior works hard not to commingle its data precisely to limit the impact of a potential cyber attack.

Burns told the committee that Interior is taking several steps to improve its cybersecurity. She said DoI already has implemented hardware and software asset management under the DHS Continuous Diagnostics and Mitigation (CDM) program, and is moving into phase 2, which includes the ability to do application whitelisting, network access control to hardware, and dashboarding functionality to provide a comprehensive view of the department’s security posture.

Like Interior, every agency now is taking a much harder look at its systems.

Cyberstat sessions to focus on biggest problems

The Office of Management and Budget initiated a 30-day cyber sprint and created a working group to develop a civilian cyber strategy.

Tony Scott, the federal CIO, told the committee that the E-Gov Cyber unit is leading the agencywide effort to figure out how best to address these problems.

“In FY2015, the E-Gov cyber unit is targeting oversight through cyberstat reviews, prioritizing agencies with high risk factors as determined by cybersecurity performance and incident data,” Scott said.

And OPM likely is going to be among the first agencies to go through the cyberstat process.

The agency’s inspector general and lawmakers hammered on OPM for having 11 systems without the authority to operate (ATO). But Archuleta and Seymour, after trying to explain the process used to determine risk, confirmed that those 11 major systems finally did receive their ATOs recently.

Seymour said the ATOs were one of several ongoing cyber improvements.

“We have implemented two-factor authentication for remote access to our network, so that means without a [HSPD-12 smart identity] card or some other type of device, our users can’t log on to our network remotely,” she said. “We have implemented additional firewalls in our network. We have tightened the settings of those firewalls. We have reduced the number of privileged users in our account and we have even further restricted the access privileges those users have.”

Seymour said OPM will continue to work on systems security going forward. DHS’ Ozment said that, to the best of their ability to determine, they believe the hackers are out of the systems.

Read all of Federal News Radio’s coverage of the OPM Cyber Breach.
