In March 2014, the U.S. Computer Emergency Readiness Team notified the U.S. Office of Personnel Management that its systems had been breached. The attackers eventually made off with the personnel files of at least 4.2 million former and current federal employees, fingerprint data on 5.6 million individuals and files containing information on the background investigations of 21.5 million people.
In a 231-page report released on Sept. 7, the U.S. House of Representatives' Committee on Oversight and Government Reform spelled out the series of missteps that resulted in the treasure trove of data stolen by digital spies working on behalf of another nation.
"OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber attacks, and failed to prioritize resources for cybersecurity," the Republican leadership of the House Committee on Oversight and Government Reform stated in a press release.
While acknowledging those missteps, many security experts took exception to the tone of the report and instead argued that the lack of action, which in hindsight seems so obvious, is a current fixture at most companies and organizations.
"It is easy to sit on the sidelines for those who don't have to deal with the complexities of information security, like a congressional committee, and put out a partisan report with a lot of woulda-shoulda-coulda, and there is a lot of woulda-shoulda-coulda that could go around today with data breaches," Phillip Dunkelberger, former CEO of PGP and current CEO of Nok Nok Labs, told eWEEK. "The big issue for any company or organization is the balance between usability and security, and we have to take a better look at where we put that."
The OPM breach will continue to affect the United States for decades. The information stolen included fingerprints, personal identifiable information (PII) and sensitive information that could be used to socially engineer victims or blackmail federal applicants.
"The intelligence and counterintelligence value of the stolen background information for a foreign nation cannot be overstated, nor will it ever be fully known," the report stated.
Unless businesses can make security a higher priority, they will likely suffer the same uncertainties.
Yet, rather than focus on blaming the OPM for the loss of data, companies should take to heart the obvious lessons from the multiple breaches suffered by the agency.
1. Doing the right thing is not easy.
The House report faults the OPM for only spending $7 million on cyber-security for each of the past three fiscal years, near the bottom of all federal agencies. Yet, the implication that requests for significantly more money would have resulted in the needed funds is a stretch, Paul Vixie, co-founder and CEO of Farsight Security, told eWEEK.
"If you are going to protect that kind of information from nation-state adversaries, you need to be spending an order of magnitude more," he said. "And you are going to need a whole bunch of ex-military and ex-intelligence people who are part of the executive team and you are going to need to have a strong dose of security in your DNA."
Companies and government agencies need to realize that security can get expensive quickly and so need to either decide to do the right thing or find some other way to reduce the risk, Vixie said.
"This report makes it sounds like these people could have fixed their problems if they said that they needed help, but I don't think the federal government would have been willing to pay what would be needed to fix these folks," he said.
2. Take stock of what data you have.
On May 27, 2014, the OPM technical staff kicked off the "Big Bang," shutting down compromised systems to clean the attacker's malware from its network. Attempts by the attackers to load keyloggers onto the systems of database administrators prompted the shutdown, according to the report.