Massive OPM Breach Reveals Glaring Vulnerability of Federal IT Systems
Because of the attack, the agency initiated a major project to secure existing systems and modernize its infrastructure. The initial effort to shore up its security, called the tactical phase, was completed in April 2015, and led to the discovery of the attack. "The reality is that integrating comprehensive security technologies into large, complex outdated IT systems is a lengthy and resource-intensive effort," OPM Director Archuleta said in her statement to the Senate Homeland Security and Governmental Affairs. "It is a challenging reality … the fact is that we were not able to deploy them before these two sophisticated incidents, and, even if we had been, no single system is immune to these types of attacks." In the latest attacks, the intruder gained access through credentials of a third-party supplier known as KeyPoint Government Solutions, which conducts background checks on behalf of the government. On Monday, to stymie further attempts to breach its systems, the Office of Personnel Management announced that it would shutdown its system, known as e-QIP, used to do background checks on prospective government workers. The OPM needs to take a more proactive approach to security, according to security experts. First up? Hire a chief information security officer, one CISO for a higher-education institution, who requested anonymity, told eWEEK.Currently, the OPM has a system where information system security officers (ISSOs) for different groups report to the CIO. While the chain of command is an improvement on the previous structure which gave each program office carte blanche with little oversight, too many issues still fall through the cracks, according to the OPM Office of the Inspector General. Beyond improving the data security of all federal agencies, the United States needs to do more to fend off attacks, said RSA's Brown. While not recommending any particular course of action, Brown stressed that the amount and type of information significantly raises the stakes in nation-state cyber-espionage. He put the incident on the same level, in terms of U.S. national security as the leaks of operational data from former National Security Agency contractor Edward Snowden. "When I look at something like this, because of the enormous amount of information included in the breach, it is a treasure trove of target rich data that allows the adversary to use it in multiple ways to harm individuals as well as organizations," he said. "The morale of all those folks is not good, because the concern over how that information will be used." Unless the United States can find a way to forestall attackers or better defends its system, the OPM breach may be just the start of a spate of significant espionage.
"Federal agencies should be hiring CISOs that are not silenced by agency officials and can paint a realistic portrait of risks and threats affecting particular agencies," the CISO said. "These CISO’s won’t come cheap because, and rightfully so, those information security leaders that truly understand how to develop a comprehensive information security program—think people, process, and technology—are in demand in every sector."