Ironically, it was the Office of Personnel Management’s own efforts to improve its cybersecurity that revealed that hackers had breached its IT systems.
Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications at the Homeland Security Department, told reporters Thursday OPM had been in the process of aggressively improving its cybersecurity and adding new tools since the end of 2013.
“In April, OPM caught an intrusion because of the tools that it had rolled out,” he said. “OPM reached out to DHS and our partners, including the FBI. We worked with OPM to investigate this incident.”
The investigation then split into two separate threads.
In the first, OPM cybersecurity indicators processed through DHS’ EINSTEIN intrusion detection system revealed that the intruder had also broken into the Interior Department’s systems, where an OPM database was held. Investigators were able to confirm with high confidence that information had been stolen from that database.
“That thread of investigation is the 4.2 million personnel records that OPM had previously notified the affected individuals for last month,” Ozment said.
The second thread remained at OPM, where the forensics proved to be more difficult.
“We were only able to confirm recently that some data had been, in fact, stolen, and OPM has spent the last few weeks working to identify which data exactly was taken,” he said.
The stolen data proved to be background investigation records, which affected 21.5 million current, former and prospective federal employees, as well as people whose personal information was included in the security clearance application forms.
“DHS and our interagency partners remain working with OPM as OPM continues the effort it began at the end of the 2013 to dramatically improve its cybersecurity, Ozment said.
OPM Director Katerine Archuleta led a press conference Thursday with Ozment and other administration officials to talk about the results of the investigation into the second cyber breach. This came the day before Archuleta announced her resignation.
Investigators decline to identify intruders
The investigation revealed that it was the same intruder in both incidents and, therefore, the two intrusions were related but concerned different networks.
Michael Daniel, special assistant to the President and Cybersecurity Coordinator on the National Security Council, declined to identify during the press briefing the identity of the intruders, citing the ongoing nature of the investigation.
“We are exploring all the different options that we have and we’re not really prepared to comment at this time on the attribution behind this event,” he said. “What I will say is that we are continuing to look at the different ways and all the different tools that we have to respond. Just because we’re not doing public attribution does not mean that we’re not taking steps to deal with the matter.”
Although OPM first detected the intrusions in April 2015, the intruders were on the networks before then.
“At OPM, the adversary was on the network from May 2014 through April of 2015,” Ozment said. “However, the adversary was really active on the network only from June of 2014 to January of 2015.” At Interior, the adversary was active from October 2014 through April 2015.
An analysis of OPM’s systems indicates the hackers are no longer active.
“In light of recent events, I have requested a review of key questions related to information security, governance, policy, and other aspects of the security and suitability determination process to ensure that it is conducted in the most efficient, effective and secure manner possible,” Archuleta said.
The review will be completed by the Suitability and Security Performance and Accountability Council, which is an interagency group chaired by the Office of Management and Budget and made up of the OPM director and Director of National Intelligence James Clapper, as well as representatives from the FBI, the departments of Defense, Homeland Security, Justice and Energy, among others.
Archuleta announced OPM will be hiring a cybersecurity adviser, who will report directly to the director and work with OPM Chief Information Officer Donna Seymour on the agency’s response to the two breaches. The cyber adviser will also finish the development of OPM’s plan to mitigate future incidents and determine what long-term changes OPM may need to make to its IT structure. The cyber adviser is expected to be in place by Aug. 1.
Following the initial notification of the second cyber breach on June 12, Tony Scott, the federal chief information officer, ordered a 30-day cyber sprint for all agencies. Although the sprint addressed a number of areas, it focused primarily on “increasing the level of two-factor authentication for privileged system users, patching critical vulnerabilities and widely disseminating the indicators of compromise,” he said.
The order has a number of work streams, targeting policies and processes and the adoption on new resources and technologies governmentwide.
As the end of the sprint draws near, Scott had positive results to share with reporters.
“In several areas, we’ve dramatically increased the amount of two-factor authentication for privileged users across the federal government,” he said. “A number of agencies have hit 100 percent and, broadly across the government, it’s increased by more than 20 percent.”
After the sprint is completed, agencies will issue reports on the various work streams.
“This is important work across all of the agencies of the federal government to make sure that we greatly enhance the cybersecurity profile of the U.S. government as a whole,” Scott said.
Cyber intrusions sign of changing IT landscape
The second OPM breach is not without precedent, Daniel said, during Thursday’s press briefing.
“We live in a world where the cybersecurity threats that we are facing are consistently growing broader as we hook more and more stuff up to the Internet,” he said. “The adversaries are growing more sophisticated as they bring organizational techniques into what they are doing in cyberspace. They are becoming more dangerous, as adversaries are willing to cross lines that use to hold back from. It’s becoming increasingly a tool used by criminal organizations and nation-states to try to accomplish their goals.”
21.5 million people impacted by breach of OPM’s background investigation databases
Daniel outlined three things the U.S. needs to do effectively to deal with this threat.
“We have to raise our level of cybersecurity in both the private sector and in the public sector, and we need to do that in both the short-term and in the long run,” he said. “We also need to enhance our ability to deter, disrupt, and interrupt what the bad guys are doing in cyberspace. And lastly, we need to improve our ability to respond and recover from incidents when they do occur.”
Daniel added that cybersecurity is not just about technology; it’s about changing one’s mindset and the culture.
“Certainly, during the Cold War, nobody would’ve thought of OPM as a target for identity theft or espionage,” he said. “Just the nature of paper files and the way we thought about information didn’t lend itself to that. And the truth is that both in the private sector and in the public sector, we have not fully made the shift to what living in a truly digital environment means for how we have to think about the kinds of information we have, where it’s stored, how it’s stored, how we’re protecting it and how we need to think of that in a much more integrated fashion.”