How OPM data breach could have been prevented

The director of the U.S. government's Office of Personnel Management is out after revelations that the recently disclosed data breach was far larger than initially thought. Inspector general says warnings went ignored.


U.S. Office of Personnel Management Director Katherine Archuleta testifies Tuesday before the Senate Appropriations Committee concerning a recently revealed data breach affecting millions of federal employees' personal data.

Credit: Jonathan Ernst/Reuters

The recently disclosed data breach at the U.S. government's Office of Personnel Management follows a long history of lax security at the agency, according to the inspector general's office.

In testimony before a joint House subcommittee hearing, Michael Esser, OPM's assistant inspector general for audits, told lawmakers that the agency's "long history of systemic failures to properly manage its IT infrastructure" may have invited a pair of related hacking incidents that compromised more than 21 million current and former government employees' personal information.


That figure is more than five times the agency's initial estimate of the breach's scope. OPM says it first discovered the intrusion in April.

Then late Friday word emerged that the embattled head of the agency was stepping down.

Esser says that OPM has made some improvements in its security posture, but at the same time he expresses frustration that many recommendations his office has made over the years -- some dating back to 2007 -- have essentially been ignored within the agency.

"We are pleased to see that the agency is taking steps to improve its IT security posture, but many challenges still lie ahead," Esser says.

OPM faces budget and resource challenges in fight to improve IT security

Esser acknowledges that OPM, like virtually every other entity in the federal government, faces a challenging budget environment that limits the organization's ability to undertake major IT initiatives, but that's only part of the problem.

"Resources, I think, are always an issue, but are not the sole answer. Sometimes we feel that things that we report don't get the attention that they should get," Esser says.

Lawmakers noted that the CIO of OPM had been invited to testify, but declined owing to a scheduling conflict.


But the breach has reverberated throughout the organization, with Friday bringing the resignation of the agency's director, Katherine Archuleta.

"I think what the president thinks is that it's quite clear that new leadership, with a set of skills and experiences that are unique to the urgent challenges that OPM faces are badly needed," White House Press Secretary Josh Earnest told reporters on Friday. At the daily White House press briefing, Earnest explained that Archuleta offered her resignation "of her own volition," and he praised her for elevating cybersecurity as a priority within the agency.

"And it's precisely because of some of the reforms that she initiated, that this particular cyber breach was detected in the first place," Earnest said.

Beth Cobert, who has been serving as OPM's chief performance officer, will take the director's job on an interim basis while the administration searches for a permanent replacement.

Inspector general pushes for better security practices

In the meantime, the inspector general continues to press for OPM to take steps to address lax security practices that he says left the agency vulnerable to the massive breaches that exposed millions of names, addresses, Social Security numbers and other personal information.

Esser describes an inconsistent governance framework for information security, which he sees as the inevitable byproduct of a decentralized organizational structure. The agency has been making some strides on that front, but much work remains, he says.

"It is vital to have a centralized governance structure," Esser says. "OPM has made improvements in this area, but it's still working to recover from years of decentralization."

Additionally, he takes aim at the assessment and authorization mechanisms in place to ensure the security of the applications in use within the agency. In a 2014 audit, Esser's team discovered that 11 of 47 major OPM systems were operating without a valid authorization, as set forth by OMB standards.

Esser also says that OPM needs to improve its technical security controls in areas like authentication and configuration management.

OPM, which oversees sensitive data including files relating to security clearances for federal workers, today finds itself the focal point of the debate over information security within the government, but insiders note that the problems are hardly confined to a single agency.

Gregory Wilshusen is the director of Information Security Issues at the U.S. Government Accountability Office. At the House hearing, he was asked how he would grade the federal cybersecurity apparatus, generally. After only the slightest hesitation, Wilshusen responded, "D."

"In many respects there are improvements within federal information security and some initiatives, but it's getting to the effective implementation of those security controls and some of the initiatives over time, consistently, that has proved challenging," he says.

Following the revelations of the OPM data breach, the White House announced what it called a "cybersecurity sprint," a 30-day blitz across the federal government to address some of the most critical vulnerabilities. Then, last week, the administration issued a fact sheet touting the successes of that program and others focused on cybersecurity.

Wilshusen credits the administration for taking steps to improve security and to call attention to the threats, though he takes issue with the terminology of the latest effort, calling for a more fundamental shift that would embed security considerations within the daily operations of the departments and agencies.

"The need for assessing and monitoring the effectiveness of security controls needs to be done on a continuous-monitoring basis because threats change every day," Wilshusen says. "It's not a sprint -- it's a marathon."

This story, "How OPM data breach could have been prevented" was originally published by CIO.
