Three hearings. Nearly seven hours of testimony. Enough frustration to fill the Potomac River.
That was Katherine Archuleta’s week. The director of the Office of Personnel Management had a bullseye on her back as House and Senate lawmakers pressed her time and again for answers about the massive data breach impacting anywhere from 4 million to who knows how many current and retired federal employees, congressional members and staff, contractors and average citizens.
While details about the breach dribbled out at each consecutive hearing, many left the hearings unsatisfied and unhappy with OPM’s communications about what happened and when.
Here are my four takeaways from the seven hours of testimony across three hearings that I covered last week:
Go on the offensive. Too often agencies are playing catch up in the news cycle and during hearings. The curl-up-in-a-ball syndrome was evident during the first two hearings—June 16 before the House Oversight and Government Reform Committee and June 23 before the Senate Appropriations Committee. And without a doubt, OPM’s defensive posture hurt the agency. Finally, during the second House hearing, OPM officials were more proactive, releasing a cyber strategy and coming up with better responses to questions such as why Archuleta didn’t turn off systems that didn’t have an authority to operate. (I’ll have more on that later in the notebook.)

Learn from OPM’s poor handling of this crisis. First, agencies need a crisis communication plan as soon as they know there are problems—cyber or otherwise. Agencies should control the narrative, or, at the very least, get a full and complete say in the discussions. The best example I can point to in recent memory is the General Services Administration’s preemptive press conferences back in 2004 when its inspector general pointed out it was breaking the law by “parking” money for the Defense Department. Before the IG would release its report or before news would come out, GSA would hold a press conference to announce the steps it was taking to fix the problems outlined by the IG, and answer questions about what happened and when. Agencies always will get better treatment by the media if they are open and prepared to answer any and all questions about the situation.

Since we know your agency is next, you should consider how you will handle the press and congressional inquiries. As many cyber experts have said, there are two kinds of people: those who have been hacked and know it, and those who have been hacked and don’t know it. How are you going to react when you’re called up to Capitol Hill to explain your cyber incidents? Hopefully, not curl up in a ball.
What is an ATO? Could someone please explain to Congress how an authority to operate works? Every time a technology problem comes front and center, lawmakers mistakenly seem to believe two things: that an ATO is the chief information officer’s responsibility, and that if there isn’t an ATO, then the system or site is insecure. The issue came up once again during the hearings last week, with lawmakers pressing Archuleta and OPM CIO Donna Seymour about why 11 of 41 systems didn’t receive an ATO in fiscal 2014. Lawmakers asked Archuleta why she didn’t take those 11 systems offline when the ATOs weren’t renewed. Members also are using this fact as an example of why Archuleta and Seymour aren’t qualified to fix the mess they inherited.

What’s frustrating is that this is the same discussion lawmakers had during the Healthcare.gov hearings.

Let’s be clear here: the granting of an authority to operate doesn’t lie with the CIO. It lies with the system owner, which is the mission or program executive. Seymour has no authority to accept or not accept the risk. Now Archuleta, as the head of the agency, has the ultimate authority to take a system down or require an ATO before it goes live, but let’s be pragmatic here. No secretary or administrator or equivalent is worried about the day-to-day workings of a particular system. If Seymour was especially concerned, she could have brought the issue to Archuleta’s attention, but if Congress really wanted to get to the heart of the problem, it should bring in the business or program folks for questioning about why they accepted the risk.

Secondly, an ATO is granted based on the acceptance of risk, not on whether the system is secure or insecure. Again, it’s the mission owner’s decision, and they are supposed to weigh the security needs against the mission requirements.
And that goes back to the ridiculous suggestion by both the IG and members of Congress that Archuleta should’ve shut down those 11 systems without valid ATOs.

Part of the problem was that it took OPM way too long to have a valid answer as to why it couldn’t shut down those systems. Archuleta said OPM “made a conscious and deliberate decision” to keep those systems online because taking them down would have meant OPM no longer could process annuity checks to retirees or do background investigations for the Federal Aviation Administration and the Transportation Security Administration. She said the agency made a conscious decision to move forward but make improvements as rapidly as possible to those 11 systems.

Finally, a system without an ATO isn’t insecure. An ATO is not an all-or-nothing security feature. Agencies always have security tools and procedures protecting a system whether or not the ATO is valid.

But Congress can’t seem to understand this, and unfortunately Seymour and federal CIO Tony Scott didn’t explain how the Federal Information Security Management Act (FISMA) works.

Now I can give Scott a bit of a pass given that he’s been in government for about 100 days and this concept of an ATO, at least the way the government does it, is not replicated in industry.

But Archuleta and Seymour should have pushed back to explain how the ATO process works and why not having an ATO is not the end of the world by any means.

And members—really their staffs—should better understand how the ATO process works so they can ask questions that matter.
Four steps to better cyber. OPM Inspector General Patrick McFarland detailed four initiatives the agency should do immediately to protect its network and data:
1. Implement multi-factor authentication using smart identity cards.
2. Develop a comprehensive inventory of servers and databases.
3. Implement encryption and data loss prevention tools.
4. Proceed with the IT infrastructure overhaul.
All are good ideas. But the first three also are things the Office of Management and Budget has been calling for over the last decade or longer.
There are policies about using two-factor authentication and data encryption dating back to 2006. FISMA, which became law in 2003, requires agencies to have a comprehensive inventory of systems and databases.
But the fiscal 2014 FISMA report to Congress shows OPM is not alone in its shortcomings.
OMB says 72 percent of all agencies require two-factor authentication to log on to the network and 77 percent mandate the use of smart identity cards for remote access to the network.
But 14 agencies reported that less than 10 percent of all employees use two-factor authentication for remote access, including 10 departments, such as State, Education and NASA, that do not use this technology at all.
OPM is clearly to blame for its cyber shortcomings that led to the massive data breach, but the lack of enforcement by OMB of its own policies also should be in this discussion. The administration shoulders some of the responsibility for the troubling state of cybersecurity in government.
Before Tony Scott, the federal CIO was not outwardly engaged in cyber. The White House’s Cybersecurity Coordinator started off focused on internal dot-gov issues, but over the last few years shifted to work with industry and critical infrastructure.

This left DHS to do the heavy lifting but with little enforcement authority. And we know giving someone the responsibility, but not the authority to enforce the rules, never works in any organization.

It’s good to see OMB jumping back into the cyber ring. The question is just how aggressively the E-Gov cyber unit will come out swinging.
An analogy for every occasion. After watching Andy Ozment, the Homeland Security Department’s assistant secretary of the Office of Cybersecurity and Communications (CS&C) within the National Protection and Programs Directorate, testify three times last week (he also offered insight during the House Homeland Security Committee hearing), I feel confident in proclaiming: Ozment is the king of analogies. Not only did Ozment testify calmly and confidently, but his use of analogies to explain to the non-technical members of Congress how the EINSTEIN program works and what benefits it brings was excellent.
“Consider protecting a government facility against a physical threat. Adequate security is not only a fence, a camera or building locks, but a combination of these measures that in aggregate make it difficult for an adversary to gain physical access. Cybersecurity also requires this defense in-depth, these multiple layers of security. No one measure is sufficient,” he said. “Our first line of defense against cyber threats is the EINSTEIN system, which protects agencies at its perimeter. Returning to the analogy of the physical government facility, EINSTEIN 1 is similar to a camera at the road onto a facility that records all traffic and identifies anomalies in the number of cars entering and leaving. EINSTEIN 2 adds the ability to detect suspicious calls based upon a watch list. EINSTEIN 2 doesn’t stop the cars, but does set off the alarms. The latest phase of the program, which is known as EINSTEIN 3A, is akin to a guard post at the highway that leads to multiple government facilities. It uses classified government information to look at the cars and compares them to the watch list, and then it actively blocks prohibited cars from entering the facility.”
Ozment’s simple approach to detailing EINSTEIN is exactly what members of Congress need to understand the complexities of the program.
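Ozment’s three tiers map onto three distinct defensive stances: record and count traffic so volume anomalies stand out, match traffic against a watch list and alarm without interfering, and finally enforce by blocking prohibited traffic. The Python sketch below makes that progression concrete over a handful of constructed flow records. It is an added illustration for this column, not DHS or EINSTEIN code; the flow-record format, the 10.0.0.0/8 internal range, the watch-list entries drawn from documentation address ranges, and the ten-times-median volume threshold are all assumptions made for the example.

```python
"""Three-tier perimeter monitoring modelled on the EINSTEIN analogy.

Tier 1 ("camera at the road"): count traffic per host and flag volume anomalies.
Tier 2 ("watch list, alarms only"): alert on flows touching listed addresses.
Tier 3 ("guard post"): actively block flows that match 'block' indicators.

Added example, not DHS code. All addresses, indicators, thresholds and log
lines are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import statistics

# Constructed assumption: the protected network is 10.0.0.0/8.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    ts: str       # ISO-8601 timestamp
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    nbytes: int   # bytes sent from src to dst


@dataclass(frozen=True)
class Indicator:
    network: object   # ipaddress.IPv4Network / IPv6Network
    action: str       # "alert" (tier 2 behaviour) or "block" (tier 3 behaviour)
    name: str


def parse_flows(text):
    """Parse constructed 'ts,src,dst,dport,bytes' lines into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = (s.strip() for s in line.split(","))
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


# --- Tier 1: record everything, then look for anomalies in the volume ---------
def outbound_bytes_per_host(flows):
    """Total bytes each internal host sent to addresses outside INTERNAL."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in INTERNAL and dst not in INTERNAL:
            totals[f.src] += f.nbytes
    return dict(totals)


def volume_anomalies(flows, factor=10.0):
    """Hosts whose outbound total exceeds factor x the median of all hosts.

    A median-based outlier test is deliberately simple; it only records and
    flags, it never stops anything (the tier 1 stance).
    """
    totals = outbound_bytes_per_host(flows)
    if len(totals) < 3:          # too few hosts for a meaningful baseline
        return {}
    median = statistics.median(totals.values())
    return {host: b for host, b in totals.items() if b > factor * median}


# --- Tier 2 and 3: watch-list matching, first alerting, then enforcing ---------
# Constructed watch list using RFC 5737 documentation ranges.
WATCHLIST = [
    Indicator(ipaddress.ip_network("198.51.100.0/24"), "alert", "constructed-suspicious-range"),
    Indicator(ipaddress.ip_network("203.0.113.7/32"), "block", "constructed-known-bad-host"),
]


def match_watchlist(flow, watchlist=WATCHLIST):
    dst = ipaddress.ip_address(flow.dst)
    return [i for i in watchlist if dst in i.network]


def watchlist_alerts(flows, watchlist=WATCHLIST):
    """Tier 2: every flow touching a listed address raises an alarm; none is stopped."""
    return [(f, i.name) for f in flows for i in match_watchlist(f, watchlist)]


def enforce(flows, watchlist=WATCHLIST):
    """Tier 3: a verdict per flow; only indicators marked 'block' stop traffic."""
    verdicts = {}
    for f in flows:
        hits = match_watchlist(f, watchlist)
        verdicts[f] = "blocked" if any(i.action == "block" for i in hits) else "allowed"
    return verdicts


# Constructed sample flow log: four ordinary hosts and one sending 52 MB out.
FLOWS = parse_flows("""
2015-06-16T09:00:01,10.1.1.5,192.0.2.10,443,1200
2015-06-16T09:00:05,10.1.1.6,192.0.2.10,443,1500
2015-06-16T09:01:10,10.1.1.7,198.51.100.20,80,900
2015-06-16T09:02:00,10.1.1.5,203.0.113.7,443,800
2015-06-16T09:03:30,10.1.1.9,203.0.113.7,443,52000000
""")

if __name__ == "__main__":
    print("tier 1 volume anomalies:", volume_anomalies(FLOWS))
    for flow, name in watchlist_alerts(FLOWS):
        print("tier 2 alert:", flow.src, "->", flow.dst, name)
    for flow, verdict in enforce(FLOWS).items():
        print("tier 3 verdict:", flow.src, "->", flow.dst, verdict)
```

Run as a script, the tier 1 stage flags only 10.1.1.9, whose 52 MB outbound total dwarfs the median; tier 2 raises three alarms (one for the suspicious range, two for the known-bad host) without touching the traffic; tier 3 blocks only the two flows to the indicator marked `block`, which is the distinction between EINSTEIN 2 setting off alarms and EINSTEIN 3A turning cars away at the guard post.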
Other executives should follow the “King of Analogies’” lead and simplify how they talk to lawmakers.