While it’s far from a full-fledged cyberattack, the “technical malfunction” that besieged an Office of Personnel Management Web portal Monday underscores a governmentwide problem that, experts say, is not easy to fix.
A security glitch in the agency’s retirement services portal let some users log in and access other retirees’ personal information. The site is back up and running today. OPM says it will notify retirees if their personal information is compromised.
“Although this breach may not have been the result of a cyber attack, it still demonstrates the challenges faced by federal agencies and private sector organizations in safeguarding personally identifiable information,” said Rep. Elijah Cummings (D-Md.), who has raised concerns about other recent breaches impacting federal employees.
Last month, OPM warned nearly 50,000 federal employees that their personal information may have been exposed because of a cyber breach at KeyPoint, a provider of background checks.
Databases that hold security clearance information are especially attractive to hackers. But even the more mundane glitches suggest civilian agencies and their contractors suffer from a lack of cybersecurity knowledge and skills, said Alan Paller, director of research at the SANS Institute.
“There is competition for people who know how to secure systems. It’s tougher and tougher as commercial companies start to pay attention to cybersecurity,” he said. “Contractors have a lot of trouble hiring strong technical people. The ones who are able to tend to get the very valuable contracts from the intelligence community.”
Civilian agencies and their contractors are left with people who don’t have the same skills, he said.
“What you get in return are applications with security flaws in them because they don’t have procedures and people in place to stop it. It’s a supply and demand problem that doesn’t have a short-term solution,” he said.
Federal agencies have seen a dramatic uptick in information security incidents involving personally identifiable information. In 2013, agencies reported 25,566 cases, according to the Government Accountability Office.
Sometimes agencies are not adequately protecting their data. At other times, they are not paying enough attention to their contractors’ security measures, said Greg Wilshusen, GAO’s director of information security issues. Unintentional incidents often come from programming errors or failures in equipment and software, he said.
Still, it’s unlikely the technical malfunction on OPM’s retirement services portal will have lasting damage, because the few users who saw other retirees’ information probably don’t have malicious intent, Wilshusen said. The breaches at contractors with security clearance information raise greater concerns.
Cybersecurity at civilian agencies is “the underbelly of the government,” said Simon Crosby, cofounder and chief technology officer of Bromium, which advises agencies on cybersecurity.
From OPM to larger agencies such as the departments of Health and Human Services or Veterans Affairs, agencies lack the budget and skill set to deal with cyber attacks.
“You have organizations that are basically going about their missions and whose core goal is not to be cyber-aware,” he said. “But they’re bound to be attacked because they are the federal government and because of the value of the data that they hold.”
President Barack Obama is urging Congress to pass legislation that encourages companies to contact the government when they’ve been victims of cyber breaches, as Sony Pictures recently was. While data sharing would be helpful, the effort is misplaced, Paller said.
“There isn’t a focus on making sure applications are secure. There is a focus on making sure bad guys go to jail for longer, which doesn’t work at all with international criminals because they’re not subject to our laws, and sharing data, which tends to be overvalued because often when you get the data, you don’t have the technical people in place to fix the problems.”
Rather, the federal government needs to lead by example in hardening its applications and systems, he said.
“Just like the government trains pilots, it needs to be developing the application developers who can develop security code and systems administrators who can run systems securely, and they’re not,” he said.