The Office of Personnel Management is a much different place than it was one year ago.
Of course, it has to be after OPM announced on June 4, 2015 that it had suffered a major cyber breach. In the end, that hack affected more than 22 million current and former federal employees.
As part of Federal News Radio’s special report, The OPM Breach: What’s different now, Beth Cobert, the acting director of OPM, said the agency is approaching cybersecurity, technology and people much differently as part of how it’s rebuilding the trust of federal employees.
“There is not anyone at OPM that doesn’t think differently about cyber than they used to. I think that’s true for many places across the government and the economy,” Cobert said in an exclusive interview with Federal News Radio. “We see evidence in that in a lot of different forms. We’ve participated with Homeland Security Department in phishing exercises and you see much, much greater awareness of individuals that they shouldn’t be responding to things. In fact, the pace at which they were calling the security desk and say, ‘I got this funny e-mail and it doesn’t look right,’ is completely different than it was before. So we’ve raised that awareness at the individual level.”
That DHS phishing exercise surprised even the most cautious cyber professionals at OPM.
Clif Triplett, the senior cyber advisor for OPM, said at a recent conference that DHS was having such a problem doing a phishing attack the agency had to help.
“They couldn’t get to the door. So we had to talk to them and work out how to get the attack in because they couldn’t get in, which I thought was a really awesome problem. So we dropped the door, let them in, let them run around and then they had some other problems so we had to keep dropping our defenses to get this phishing attack going because it’s supposed to be at the end user, but they just couldn’t make it,” he said. “We eventually had to drop all the doors to get to the end user. We had raised the culture awareness of cybersecurity. DHS will not tell us for sure, but I can guarantee you that we are top decile of our phishing performance.”
He said OPM saw an 80 percent increase in stopping the phishing attack as compared to its last test six months ago.
“This program, if done right, can deliver very demonstrable results and help create the overall awareness and culture change,” Triplett said. “I think part of the test was can they do it without any of our assistance. If we have to assist, then that’s just awesome. I feel great. I feel like I’m winning the test if we have to help them get in or allow the test to take place.”
Cobert said it’s not just the change with individual employees.
She said senior leaders have a better understanding that cyber is not just an IT issue.
“It is a management issue. It is a leadership issue. It is a legal issue. It’s a privacy issue and you’ve got to bring all those disciplines together to think about what are we doing to protect our assets, what are we doing to defend ourselves against attacks when they occur, and what are we doing to provide services to people who’ve been affected?” Cobert said.
But it’s not just at OPM that the culture and management focus has changed because of the cyber attack.
The Office of Management and Budget, through the cyber sprint that came soon after OPM announced the second breach in July, and the post-sprint plans and strategies helped align efforts across the government.
Just take a look at the use of two-factor authentication using smart identity cards under Homeland Security Presidential Directive-12. OMB says agencies now stand at 81 percent of all users must log-on to the network using some form of two-factor authentication. That is up from 42 percent in July when the cyber sprint began.
TSA finds money for cyber
Agencies had been working on this with limited progress for more than a decade previously.
Additionally, agencies made progress in all cyber sprint categories at a rate not usually seen —particularly in reducing critical vulnerabilities and in eliminating most of the indicators of compromise.
And cyber changes are happening at individual agencies as well.
Stephen Rice, the Transportation Security Administration’s chief information officer, said the cyber sprint was an awakening for his agency.
He said TSA found about $62 million for a one-time infusion of funding in 2015 to address many of those cyber and IT areas that had been neglected over the last few years.
Many other CIOs and chief information security officers have highlighted the positive impact the sprint and the focus more generally the cyber breach has brought across the government.
The White House has backed up its strategies and plans with the money to make them happen too. President Barack Obama requested a 35 percent increase in cyber spending for fiscal 2017, to $19 billion from $12.4 billion in 2016.
And a new exclusive survey by Federal News Radio reinforced the fact that there still is a long way to go as 44 percent of the respondents said their agency wasn’t better prepared to protect against cyber threats than a year ago, while 24 percent said their agency was better prepared and 32 percent said they weren’t sure.
Many respondents (45 percent) also weren’t confident their agency understood the cyber risks it faces while the rest was evenly split between they were confident (27 percent) and they weren’t sure (27 percent) if their agency understood its cyber risks.
OPM transforms across three areas
At OPM, however, Cobert said the changes she has made around people, process and technology are making a real difference.
“I am very confident about the measures to protect people’s data and where we are today. We will continue to invest in this because the world changes, but it is fundamentally different,” she said. “Whether it is two-factor authentication to access the network, tools that can detect data coming in and data going out, and the EINSTEIN 3A tools from DHS, we are one of the first ones to install that. The work we are doing already with DoD as we look at the background investigations systems. We actually have people in DoD working with us already. We have taken a whole series of steps that have made a real difference in where we are.”
Cobert said among the comprehensive steps OPM has taken also includes bringing in an experienced cybersecurity executive in Triplett as well as Lisa Schlosser, the acting chief information officer, and a new team of cybersecurity professionals to work on the agency’s IT modernization initiatives.
And it goes beyond people, it’s also about culture change.
“In my mind IT and cyber is a whole of agency issue. It is not a problem for my CIO or CISO. It is an issue every single leader in this organization needs to be focused on,” she said. “Each individual agency and office has to think about what data do I have, is it protected, what tools do I have in place, how do I think about managing that information and how do I think about security? We have taken an approach that we need multi-layer defenses. You need things that detect things coming in, restrictions on access, tools to detect and awareness training and changes in how people work from home. It touches everyone and we are really building from what we learned and moving forward.”
Cobert said she understands OPM has a long way to go to earn back the trust of federal employees and retirees.
“We are on the path to doing that. We need to continue to communicate. We need to continue to educate people,” she said. “I think we all need to recognize the world we live in today is one where cyber threats are real for everyone, and no matter how much progress we’ve made, we have to do more. We have to keep at it with multi-layered defenses. We have to continue the work we have been doing through our IT modernization program. We need to leverage our interagency partners, particularly DoD and DHS because we need all those skills and capabilities and it works when we work together. In my mind, earning people’s trust is something we have to focus on every single day.”