News of a massive cyber breach at the Office of Personnel Management may have taken a lot of people by surprise — especially the nearly 4 million current and former federal employees whose personally identifiable information may have been exposed — but the news was not so surprising to those familiar with how the government protects its electronic data.
“I can tell you that we have known for a long time that there are significant vulnerabilities and that these vulnerabilities are going to accelerate as time goes by, both in systems within government and within the private sector,” President Barack Obama told the press early today after the G7 Summit in Krun, Germany.
The initial intrusion into OPM’s cyber systems occurred last December, but the agency didn’t detect the breach until April and then didn’t become aware that information was potentially compromised until May.
“Millions of federal employees whose Social Security numbers, dates of birth, addresses and other vital financial information are entrusted to your care are vulnerable to serious harm due to this breach,” said Rep. Chris Van Hollen (D-Md.), in a letter to OPM Director Katherine Archuleta. “This is particularly disturbing given reports that OPM has known about the breach for months, but chose to disclose the information only now.”
Part of the problem, Obama said, was the government needs to update its cybersecurity systems.
“We discovered this new breach in OPM precisely because we’ve initiated this process of inventorying and upgrading these old systems to address existing vulnerabilities,” Obama said. “And what we are doing is going agency by agency, and figuring out what can we fix with better practices and better computer hygiene by personnel, and where do we need new systems and new infrastructure in order to protect information not just of government employees or government activities, but also, most importantly, where there’s an interface between government and the American people.”
Government needs to go beyond just monitoring for intrusions
Alan Paller, director of research at the SANS Institute told Federal Drive with Tom Temin on Monday morning that the focus to date has been on detecting cyber intrusions earlier, but not fixing them when they’ve been found or preventing further attacks from occurring.
“Noticing earlier really matters,” he said. “But what really makes the difference between competence and incompetence is what you do when you’re attacked. And right now the federal agencies are doing exactly the opposite of what they should be doing when they’re attacked.”
Although there has been much focus on Continuous Diagnostics and Mitigation program, Paller said more needs to be done.
“In fact, the continuous diagnostics haven’t come into play either, if you go and look at what’s actually happened under the CDM program, the answer is nothing,” he said. “They’ve talked about readiness to implement, but the actual implementation is so thin that it’s embarrassing. The reason I’m being so negative is that we have to stop pretending that the people who are implementing FISMA (Federal Information Security Management Act) compliance are actually doing security. They are actually doing reporting.”
To improve cybersecurity, Paller said agencies have to find a way to detect cyber intrusions before they do any damage.
“We’re finding them after they’ve done a lot of damage,” Paller said. “What you’ll find at a CISCO is they actually monitor all of their attacks and learn from them. You’ll find that at all of the solid organizations. Google does that. Facebook does that. All of the places that actually care about security in actionable sense, they monitor. But more importantly, they bring in teams of people, not that they hire as contractors, but actually on staff, who can dig in and find the bad code fast before it does a lot a damage.”
OPM, on the other hand, just doesn’t have the staff to fix it fast.
“You build in continuously monitoring log-analysis tools that show you that something’s doing something differently from the way it should be doing it,” Paller said. “And then you have people with technical skills who can go in and see if that corresponds with something that shouldn’t be happening. Tools won’t solve this problem, because people can buy the tools, work their attacks to go around the tools and then the tools are dead.”
President Obama called on Congress to pass new legislation to address the cybersecurity vulnerabilities in the federal government.
“And this problem is not going to go away,” he said. “It is going to accelerate. And that means that we have to be as nimble, as aggressive, and as well-resourced as those who are trying to break into these systems.”