June’s catastrophic hack of Office of Personnel Management records, which may have compromised the personal information of at least 4 million current and former federal employees, could have been mitigated through the application of basic cybersecurity practices, according to a GAO report released Wednesday. The report alleges that federal agencies have failed to address fundamental safe practices despite numerous warnings.
The frequency and potency of cybersecurity incidents have escalated rapidly in the past 10 years. In 2006, 5,503 incidents were reported by agencies to the U.S. Computer Emergency Readiness Team. By 2014, that number had risen to 67,168.
“These incidents and others like them can adversely affect national security; damage public health and safety; and lead to inappropriate access to and disclosure, modification, or destruction of sensitive information,” said Gregory C. Wilshusen, director of GAO information security issues.
This upward trend has peaked in the past six months. The report cites the September 2014 USPS cyber-intrusion, which compromised the personal information of 800,000 employees; the June 2015 IRS hack, in which unknown parties accessed the information of more than 100,000 taxpayers through flaws in the “Get Transcript” application; and the June 2015 OPM data breach as the most significant examples.
These incidents come in spite of “hundreds” of warnings and suggestions from the GAO to enhance cybersecurity at small agencies.
Foremost among these is reform in personal identity verification systems. In 2004, President Barack Obama mandated that governmentwide standards for the verification of employees and contractors be established. Although the Office of Management and Budget subsequently issued a directive pursuant to this mandate, a 2014 OMB report declared that only 41 percent of user accounts at a sample of 23 contracting agencies required secure personal identification credentials.
A statement by OPM Director Katherine Archuleta on Tuesday during a Senate hearing suggested that the source of the data breach was compromised contractor login information.
Wilshusen spoke to the potentially grave consequences of a perpetual failure on the part of agencies to alter security protocol.
“Until federal agencies take actions to address these challenges — including implementing the hundreds of recommendations GAO and agency inspectors general have made — federal systems and information, including sensitive personal information, will be at an increased risk of compromise from cyber-based attacks and other threats.”