The massive data breach at the Office of Personnel Management is indicative of a federal government approach to cybersecurity policy that has been an abject failure — full stop.
There’s no other way to describe the history of OPM’s cybersecurity efforts in light of the fact that it has presided over the compromise of personal identity information and highly sensitive background investigation information belonging to as many as 14 million current and former federal employees.
In addition to a series of inspector general reports that skewered the agency in the most public fashion for its cybersecurity shortcomings, OPM’s own annual security reports required by the Federal Information Security Modernization Act (FISMA) provided ample warnings that the agency was a cybersecurity disaster waiting to happen.
Yet nobody in the federal government did anything about it — not the White House, not the Department of Homeland Security, not Congress and certainly not the technology leadership at OPM.
The security gaps identified during OPM’s 2014 annual FISMA audit included having no remote access connections configured for malware scanning or for forcing users to re-authenticate after a session timed out. These glaring security holes not only went unnoticed as hackers were infiltrating the OPM network for more than a year but are also present at more than a dozen other federal agencies. DHS, which receives the detailed reporting through CyberScope, knew about these vulnerabilities, yet nothing was done.
Then there is OPM’s leadership, which remains in a state of denial. During heated exchanges Tuesday with members of the House Oversight Committee, OPM Director Katherine Archuleta defended her agency’s record on cybersecurity, arguing that the cybersecurity shortfalls faced by OPM were not the making of this administration but of years of neglect before she arrived.
We should also be asking serious questions of OPM’s Director of Security Operations Jeff Wagner, who published a white paper in March — just a month before the latest data breach was discovered — that was highly critical of the government’s defense-in-depth approach to cybersecurity and called for a more proactive approach involving searching for unknown malware and compromises.
“Given what they’ve seen with regard to highly sophisticated malware that’s been hidden for years (Energetic Bear, Poodle Bug, APT1, and Heartbleed) and the even more insidious activities of trusted insiders, agencies should approach security as if they’ve already been compromised,” Wagner said. “By beginning here we can take a proactive approach to searching for those intruders rather than a reactive approach that focuses on known incidents – government has to start searching for the unknown.”
Did Wagner know something about the security of OPM data when he wrote this paper? Of course he did. He may not have been aware of an ongoing intrusion targeting the crown jewels of federal employee identity information (even though his own thinking on cybersecurity would indicate he was looking for one), but he certainly understood the vulnerabilities that remained open.
There’s one core leadership trait that Archuleta, Wagner and his boss, OPM Chief Information Officer Donna Seymour, cannot escape. I learned it as a young Marine Corps officer, and it applies to every IT leader in the federal government: You’re responsible for everything your organization or unit does and fails to do.
“You have completely and utterly failed,” Oversight Committee Chairman Rep. Jason Chaffetz, R-Utah, told Archuleta.
Rep. Ted Lieu, D-Calif., called on OPM’s IT leaders to resign. “I’m looking here today for a few good people to step forward, take responsibility and resign for the good of the nation,” Lieu said.
“Well said,” responded Chaffetz.
For once Congress might be on the right track here. But they should not limit their condemnations to OPM’s failed leadership. DHS and the larger federal cybersecurity reporting structure, including the White House, have a lot to answer for.
As one former White House official told me in the immediate aftermath of the OPM hack, “Washington is full of people who are spending hundreds of thousands of dollars traveling to speaking engagements on cybersecurity, but what we need is people who can execute.”