The OPM Aftermath
Print Issue: June 2016
It was by all accounts the hack of the century. In June, one year ago, the U.S. Office of Personnel Management (OPM) revealed to the world that the background investigation records of current, former, and prospective federal employees and contractors had been stolen. Initially, OPM said just 4.2 million people were impacted by the breach.
But after further investigation, it would soon realize that 21.5 million individuals were affected by the breach: 19.7 million individuals who had applied for a background investigation through OPM and 1.8 million nonapplicants—spouses or cohabitants of applicants.
Along with their Social Security numbers, these individuals also had the usernames and passwords they used to fill out their background investigation forms compromised. Detailed information on where they had lived, the family members they had lived with, and their previous jobs was also stolen. And for an unlucky 5.6 million, information such as fingerprints and interview details gathered by background investigators was compromised.
The breach was a major embarrassment for the human resources department of the U.S. federal government. Hearings were launched, notifications were rolled out to alert victims, and OPM Director Katherine Archuleta’s feet were held to the fire as she answered questions about how the hack happened and why OPM lacked standard security features, such as encryption for Social Security numbers to prevent them from being compromised.
Archuleta would eventually resign in July 2015, and the federal government would begin a cybersecurity sprint to assess and beef up its security across the board. For OPM, this meant implementing a variety of measures that were not in place before, says OPM Press Secretary Samuel Schumach.
First up was implementing more stringent access controls by enforcing multi-factor (PIV) authentication for all network users, a major undertaking completed during the Office of Management and Budget’s Cyber Sprint.
“We have also expanded continuous monitoring of our network and systems through the implementation of an enterprise Network Access Control solution, which monitors and controls network access and immediately quarantines all identified threats and unknown devices,” Schumach explains. “This technology allows OPM to effectively contain and eradicate potential threats in real time. These actions have significantly improved our perimeter and internal security defenses.”
Schumach did not explain why OPM did not have these systems in place before the breach, but did say that moving forward, the office plans to define and accelerate its response to cyber incidents.
“We have assessed cyber risk across the organization, prioritized actions, developed plans, and implemented many enhancements to the computer and network environment to minimize future cyberattacks,” he adds. “We are working with other agency partners not only on the implementation of technology, but also on improved processes and cyber training within OPM. We are committed to doing everything in our power to prevent any further loss of information for which we are the custodians.”
These actions have put OPM in a better position to protect the data stored in its networks, and Schumach says that OPM plans to continue to improve its security posture.
It will do this by “working with agencies to hire high-quality IT talent, share lessons learned with the Office of Management and Budget and other agencies to improve the government’s ability to respond to incidents, and provide our workforce and citizens with necessary services to protect their identities,” he explains.
While progress has been made in some areas, OPM has been criticized for how it handled the notification process to alert victims that their information had been compromised. As of Security Management’s press time, 93 percent of the 21.5 million victims had been notified via mail about the breach.
OPM created an online verification center to continue to assist individuals who believe their data was taken but have not received a notification letter, Schumach says. “The center will also assist those who have received a letter informing them that they were impacted by the background investigation intrusion but have lost their PIN code.”
And to help protect injured parties from further victimization, OPM is offering credit and identity restoration services through ID Experts—in a contract worth more than $130 million. Initially, the service was offered through 2018, but Congress passed legislation that authorized funding for the service through 2025.
As of March 13, 2016, only 2,595,318 individuals had signed up for the service. This could be because some victims don’t think they need the service, or because they do not believe it will be effective.
Lance Cottrell, CTO of Ntrepid, is one of those critics who say offering only credit and identity theft monitoring services isn’t doing enough to prevent victims from being targeted for future cyberattacks.
“After the [breach] announcements came out and we started to understand the scope and nature of what was going on, we looked at this as a target on our backs because so many of us in the company were directly impacted by this,” Cottrell says. “And a vast majority of us started saying, ‘What do we need to be doing to protect ourselves?’”
Their answer was not to get identity theft protection. Instead, with the realization that the level of detailed data compromised would allow nefarious individuals to conduct very targeted attacks, Cottrell and others at Ntrepid-owned Passages began working on making a consumer version of their product available to OPM data breach victims for free.
Passages takes an individual’s Internet browser and isolates it in a hardened, virtual machine. This machine segregates all communications from the browser and the local network, hides the user’s identity and corporate affiliation from attackers, quarantines infected downloaded files in a private cloud, and works like a normal Internet browser because it uses Firefox.
This system protects users from Web-delivered malware, watering hole attacks (where a legitimate website is infected with malware), spear phishing, passive information leakage, and drive-by downloads. And it could be especially beneficial for OPM data breach victims, who are likely to see an unprecedented level of sophisticated cyberattacks targeted towards them in the future, Cottrell says.
“With Passages, you never look like who you are when you go to a website,” he explains. “In the case of targeted attacks, that attack literally never even happens because you don’t look like who they’re trying to go after.”
Passages has been available at an enterprise level and is used by private companies and government agencies, but the consumer version is a new endeavor for Ntrepid that requires it to make changes to the product to prevent certain data from being collected.
To do this, Ntrepid is “removing the essential administration, but also all the audit and tracking tools [in the enterprise version] so that there will be zero capture by our system of user activity—where they went, what they looked at,” Cottrell explains. “We don’t want to have it. If the data exists, it’s vulnerable to insider threat, outsider threat, hackers, foreign governments, you have it. The only safe approach is to make sure that the data doesn’t exist in our systems.”
Ntrepid formally announced its plan to make Passages available to OPM data breach victims in February and held an initial sign-up for victims at the RSA Conference in San Francisco the first week of March. There is no firm deadline for when the solution will be available to victims, but Richard Helms, CEO of Ntrepid, says he plans to have it rolled out by the end of 2016.
By taking this approach, Helms says he hopes it will encourage the federal government to think about extending the perimeter it secures. And Cottrell agrees.
“We’ve got secure systems at work and we know people have computers at home, and they do unclassified nonsensitive activity there, and that’s their problem,” Cottrell says. “But because of the way targeting works—the way you can take over an individual’s home computer to get access to their e-mail to launch the phishing attack against the next person up the chain to get better access—it really is the employer’s problem. It’s the government’s problem.”
One other concern raised post-OPM is the tendency to fire or vilify the individuals who identified and alerted others to a cyber breach, says Sam Curry, CTO and CSO of Arbor Networks.
“The fact that there was a breach is terrible,” he explains. “The people who found it and highlighted it shouldn’t be vilified. I think there’s a stigma right now, especially with the way we handle things, where we could create a system we don’t want where someone is not encouraged to step forward to report a problem.”
Instead, Curry says there should be a renewed focus on rewarding those who step forward to report problems or identify areas of vulnerability—such as whistleblowers are encouraged to do under Sarbanes-Oxley.
And aiding in this effort to encourage individuals to report problems will be continued awareness and education efforts about what cybersecurity is and why it’s critical. Spearheading this effort on Capitol Hill is the recently created Coalition for Cybersecurity Policy and Law, led by Coordinator Ari Schwartz.
The coalition focuses on education and collaboration with policymakers to address the increasingly complicated legislative and regulatory policies related to cybersecurity. Since its creation in February, Schwartz says there has been a great deal of interest as the coalition uniquely focuses on bringing security companies to the table to give policymakers greater details on the risks associated with cybersecurity.
Schwartz, who is the former White House special assistant to the president for cybersecurity, says that over the last several years more and more members of Congress and the executive branch have taken an interest in cybersecurity.
“If you look at it—the President’s national action plan—you can see how tied it is to his proposed budget,” Schwartz explains of Obama’s cybersecurity national action plan released earlier this year. “There’s a 45 percent budget increase in this area. You can see that a lot of that is going to the idea of defending agencies themselves.”