
    Massive OPM Breach Reveals Glaring Vulnerability of Federal IT Systems

    By Robert Lemos - July 1, 2015

      Since the U.S. Office of Personnel Management announced a pair of network breaches this month, Michael Brown, a former admiral in the U.S. Navy, has waited for the notification that his sensitive personal information was stolen in the breach.

      While the Office of Personnel Management estimated that attackers had stolen the employment and insurance records of some 4.2 million government employees, officials still did not know the extent of a second breach the agency disclosed in mid-June in which attackers apparently gained access to a sensitive database storing the results of the background investigations required to gain clearance for sensitive government positions.

      A preliminary estimate, based on the Social Security numbers in the database, indicated that the personal details of 18 million people were stolen in the attack, which the Obama Administration linked to China.

      While Brown, now a vice president for security giant RSA, is concerned about what the attackers might do with his information, more worrisome is what they might do with the information of people who failed to get a security clearance, he told eWEEK.

      “I worry about those folks over the many years who have not received a clearance, they are a prime target,” he said. “Because the rationale for them not to get clearance—whether they are still in government or not—the evidence is in that database, and I think that is a major risk for us right now.” Details of arrests, drug use, infidelity and poor finances would likely be top targets, Brown said.

      The issue underscores the unanswered questions that remain nearly a month after the OPM announced the first of the breaches. The initial breach underscored that a federal agency that knew it was under attack by apparent Chinese attackers could not defend itself. Details of the second attack, however, made the breach a national security issue, according to security experts.

      Federal job seekers fill out an in-depth questionnaire, known as Standard Form 86, when they apply for a job requiring a security clearance. In addition to the document, however, investigators compile their own dossier on the applicant, known as an adjudication.

      Investigators believe that both sets of data have been compromised, and preliminary investigations indicate that the number of people affected could be at least 18 million, although Katherine Archuleta, director of the OPM, emphasized that no official estimate has yet been released.

      “It is not a number that I feel comfortable, at this time, represents the total number of affected individuals,” she said in a statement delivered to the U.S. Senate Committee on Homeland Security and Governmental Affairs on June 25.

      The breach will have a significant impact on U.S. government workers and U.S. national security, security experts said. “Is OPM about as bad as it can possibly be? No, it’s worse. The Chinese know [now] everything the [government] learned,” a security expert known as The Grugq summed up.

      The Office of Personnel Management has been struggling with modernizing its systems, and securing those same systems, for more than a year. In March 2014, the agency discovered a major breach of its systems, and while it claimed no data had been stolen, it pointed the finger at Chinese hackers.


      Because of the attack, the agency initiated a major project to secure existing systems and modernize its infrastructure. The initial effort to shore up its security, called the tactical phase, was completed in April 2015, and led to the discovery of the attack.

      “The reality is that integrating comprehensive security technologies into large, complex outdated IT systems is a lengthy and resource-intensive effort,” OPM Director Archuleta said in her statement to the Senate Committee on Homeland Security and Governmental Affairs. “It is a challenging reality … the fact is that we were not able to deploy them before these two sophisticated incidents, and, even if we had been, no single system is immune to these types of attacks.”

      In the latest attacks, the intruder gained access through credentials of a third-party supplier known as KeyPoint Government Solutions, which conducts background checks on behalf of the government. On Monday, to stymie further attempts to breach its systems, the Office of Personnel Management announced that it would shut down its system, known as e-QIP, used to do background checks on prospective government workers.

      The OPM needs to take a more proactive approach to security, according to security experts. First up? Hire a chief information security officer, one CISO for a higher-education institution, who requested anonymity, told eWEEK.

      “Federal agencies should be hiring CISOs that are not silenced by agency officials and can paint a realistic portrait of risks and threats affecting particular agencies,” the CISO said. “These CISOs won’t come cheap because, and rightfully so, those information security leaders that truly understand how to develop a comprehensive information security program—think people, process, and technology—are in demand in every sector.”

      Currently, the OPM has a system where information system security officers (ISSOs) for different groups report to the CIO. While the chain of command is an improvement on the previous structure, which gave each program office carte blanche with little oversight, too many issues still fall through the cracks, according to the OPM Office of the Inspector General.

      Beyond improving the data security of all federal agencies, the United States needs to do more to fend off attacks, said RSA’s Brown. While not recommending any particular course of action, Brown stressed that the amount and type of information significantly raises the stakes in nation-state cyber-espionage. He put the incident on the same level, in terms of U.S. national security, as the leaks of operational data from former National Security Agency contractor Edward Snowden.

      “When I look at something like this, because of the enormous amount of information included in the breach, it is a treasure trove of target rich data that allows the adversary to use it in multiple ways to harm individuals as well as organizations,” he said. “The morale of all those folks is not good, because the concern over how that information will be used.”

      Unless the United States can find a way to forestall attackers or better defend its systems, the OPM breach may be just the start of a spate of significant espionage.

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.