The OPM breach report: A long time coming

The catastrophic data breach of the federal Office of Personnel Management (OPM), which exposed the personal information of more than 22 million current and former employees, became public in mid-2015. It took another 15 months for Congress to complete a report on it

katherine archuleta
REUTERS/Jonathan Ernst

If you want to have even a chance of defeating cyber attacks, you have to be quick.

So, in hindsight, there is no mystery why the federal government’s Office of Personnel Management (OPM) was a loser to attackers who exfiltrated personal data – including in many cases detailed security clearance information and fingerprint data – of more than 22 million current and former federal employees.

Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later.

These and dozens of other depressing details are in a timeline that is part of a 241-page report released last month by the House Committee on Oversight and Government Reform, bluntly titled, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”

Indeed, the report opens with a series of quotes from high-level intelligence officials, all declaring in stark terms how catastrophic the effects of the breach will be, for decades.

FBI Director James Comey spoke of the information contained in the so-called SF-86 form, used for conducting background checks for employee security clearances.

“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses,” he said. “So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”

The SF-86 also contains information on financial history, investments, arrest records, medical problems, any drug or alcohol problems and other material that could be used to blackmail an employee.

The report itself wasn’t exactly turned around quickly either – it took around 15 months from the time the breach was made public, even though much of what is contained it had been covered in the IT or mainstream press much earlier. Indeed, there are a number of citations in it to news articles.

There were also plenty of early warnings about how vulnerable the department was. It had no IT security staff until 2013. An inspector general’s report from November 2014 was blunt about a lack of basic security measures including:

  • A lack of encryption
  • No two-factor authentication for workers remotely accessing the system
  • No inventory of servers and databases
  • Lack of awareness of all the systems connected to its networks

Or, as the report summarized it, the breach, and the failure to detect and contain it were, “in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems.”

One of the key findings in the report was that, “OPM failed to heed repeated recommendations from its Inspector General,” which began in 2005.

It said the discovery of who it called “Hacker X1” in March 2014, “should have sounded a high level, multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data.”

Yet, a June 2015 letter from then OPM CIO Donna K. Seymour to the millions of victims of the breach said the OPM, “takes very seriously its responsibility to protect your information,” and offered credit monitoring service and identity fraud insurance as “a courtesy.”

But it followed that with a declaration that the OPM would not take any responsibility for failing to protect it. “Nothing in this letter should be construed as OPM or the US Government accepting liability for any of the matters covered by this letter or for any other purpose,” it said.

Seymour was not fired. She retired this past February, two days before she was scheduled to appear before Congress to talk about the breach. The head of OPM during the intrusion, Kathleen Archuleta was not officially fired either. She resigned under pressure from Congress in July 2015.

All of which raises the question of whether the report itself is more evidence that government is not up to the task of safeguarding what Joel Brenner, former National Security Agency (NSA) senior counsel, called, “crown jewel material.”

If it takes Congress more than a year simply to report on what went wrong, what chance does the bureaucracy have to keep up with ever-evolving cyber threats?

A number of security experts agreed that the report was slow in coming, but pointed out that a report is not the response.

All agreed that OPM had what former Department of Homeland Security (DHS) official Stewart Baker called, “a lousy security culture.

Baker, now a blogger, partner at Steptoe & Johnson and a board member of the Association of Former Intelligence Officers (AFIO), added that, “someone probably should have been fired sooner.”

But he and others said politics can put a drag on any report. “It’s a congressional investigation,” he said. “I’m sure the executive branch was cautious in cooperating, so I’m not surprised it took as long as it did.”

John Chirhart, federal technical director at Tenable Network Security, compared it to the way the National Transportation Safety Board (NTSB) works. “One of the cardinal rules of any investigation is not to officially determine the cause or cast blame until the investigation is complete,” he said. “Based on the OPM report, one could argue that OPM took the NTSB approach to investigating the breach.”

The so-called actionable indicators of compromise (IOC) were shared with both private and public sectors, “as soon as the findings cleared the equitable process,” said Ann Barron-DiCamillo, CTO of Strategic Cyber Ventures and the former director of US CERT (Computer Emergency Readiness Team).

“This report wasn’t sharing actionable data but provided forensic assessment of the activities and shortcomings leading to the breaches,” she said, adding that investigations like this, “are complicated with many moving parts and stakeholders involved but further exacerbated by being a federal entity with multiple oversight bodies.”

Leo Taddeo, CSO of Cryptzone and former special agent in charge at the FBI’s New York City cybercrimes division, was not surprised at the time it took to complete the report. “Conducting interviews of key personnel can be delayed by the fact that they are in crisis mode trying to remediate the damage,” he said. “There is also significant time required to schedule witnesses and arrange hearings.”

But Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said he was “disturbed” at how long it took to finish the report.

“Most of the details were leaked to the press and left it to the imagination of professionals trying to defend their organization from possible similar attacks to ascertain fact or fiction,” he said.

And Baker, while not surprised at the time it took, agreed that, “the internal reporting could and should have been much faster.”

Justin Harvey, security strategy leader at Gigamon said that while the completion of a report is much less significant than the "dwell time" between an intrusion and the discovery of it, it still matters.

"The report should have taken anywhere between three and six months to be written, reviewed and released," he said. "In that timeframe, other departments and organizations could have been compromised without getting the lessons learned from this report."

Whether the report’s blistering findings will change the security culture within the government is uncertain. As noted earlier, those in charge – Archuleta and Seymour – were allowed to resign rather than be fired. The government made it clear that it accepts liability for any damages to the victims.

And while, in the wake of the breach, President Obama, the federal CIO and the Office of Management and Budget directed all federal agencies to use 100 percent encryption and digital certificates on all websites, Bocek said, “they failed to mention any direct preparation to deal with the new threats that arise from using encryption.”

Those include the malicious use of digital certificates. “If encryption is the default, every website will use certificates to make the padlock glow green in your browser and turn on encryption,” Bocek said. “The hackers behind the OPM breach understood this, and when they created the website, they used a digital certificate to make users feel safe.”

Also, if everything is encrypted, it is easier for malicious actors to hide. “Security controls like firewalls, IPS/IDS, sandboxes and more all expect to scan traffic,” he said. “Unless they can look inside encrypted traffic, they are blind and useless.”

Incoming traffic can create problems as well, he said. “It means all these security systems will need to have all the keys and certificates from an organization loaded in to them. This is a huge challenge and one that only automation can help solve,” he said.

Taddeo added that the report didn’t go into much detail about how quickly the IOCs were shared with network defenders. Besides IOCs, “the information most important to network defenders includes the hacker tactics, techniques, and procedures (TTPs), IP addresses, virus signatures, URLs or domain names of botnet command and control servers, and MD5 hashes of malware files,” he said. “This type of information should be shared very quickly by investigators and in most cases it is.”

But the report, he noted, “is not clear how long it took to publish the TTPs and IOCs.”

The report does say that the committee, “remains hopeful that OPM, under the new leadership of Acting Director Beth Cobert, is in the process of remedying decades of mismanagement.”

And it offers 13 recommendations for reform, including updated technology, better training, better cyber hygiene and to, “ensure that agency CIOs are empowered, accountable and competent.”

None of it inspires much confidence in Chirhart, who said he is among the breach victims.

If OPM had been a private corporation subject to various state laws, “its response could have led to litigation,” he said. “But the federal government is protected by sovereign immunity, so victims are ‘lucky’ to have received what they did, and have very little, if any, legal recourse for compensation.”

The enormous irony, he noted, is that the stolen data was what the government used to determine whether a person could be trusted to handle sensitive, classified data. “The very same people who determine worthiness for everyone else proved themselves to be the ones incapable of properly handling sensitive information,” he said.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)