Since the U.S. Office of Personnel Management announced a pair of network breaches this month, Michael Brown, a former admiral in the U.S. Navy, has waited for the notification that his sensitive personal information was stolen in the breach.
While the Office of Personnel Management estimated that attackers had stolen the employment and insurance records of some 4.2 million government employees, officials still did not know the extent of a second breach the agency disclosed in mid-June in which attackers apparently gained access to a sensitive database storing the results of the background investigations required to gain clearance for sensitive government positions.
A preliminary estimate, based on the Social Security numbers in the database, put the number of people whose personal details were stolen at 18 million, in an attack that the Obama Administration linked to China.
While Brown, now a vice president for security giant RSA, is concerned about what the attackers might do with his information, he told eWEEK that what worries him more is what they might do with the information of people who failed to get a security clearance.
“I worry about those folks over the many years who have not received a clearance; they are a prime target,” he said. “Because the rationale for them not to get clearance—whether they are still in government or not—the evidence is in that database, and I think that is a major risk for us right now.” Details of arrests, drug use, infidelity and poor finances would likely be top targets, Brown said.
The issue underscores the unanswered questions that remain nearly a month after the OPM announced the first of the breaches. The initial breach underscored that a federal agency that knew it was under attack by apparent Chinese attackers could not defend itself. Details of the second attack, however, made the breach a national security issue, according to security experts.
Federal job seekers fill out an in-depth questionnaire, known as Standard Form 86, when they apply for a job requiring a security clearance. In addition to the document, however, investigators compile their own dossier on the applicant, known as an adjudication.
Investigators believe that both sets of data have been compromised; preliminary investigations indicate the number of affected individuals could be at least 18 million, although Katherine Archuleta, director of the OPM, emphasized that no official estimate has yet been released.
“It is not a number that I feel comfortable, at this time, represents the total number of affected individuals,” she said in a statement delivered to the U.S. Senate Committee on Homeland Security and Governmental Affairs on June 25.
The breach will have a significant impact on U.S. government workers and U.S. national security, security experts said. “Is OPM about as bad as it can possibly be? No, it’s worse. The Chinese know [now] everything the [government] learned,” a security expert known as The Grugq summed up.
The Office of Personnel Management has been struggling with modernizing its systems, and securing those same systems, for more than a year. In March 2014, the agency discovered a major breach of its systems, and while it claimed no data had been stolen, it pointed the finger at Chinese hackers.
Massive OPM Breach Reveals Glaring Vulnerability of Federal IT Systems
Because of the attack, the agency initiated a major project to secure existing systems and modernize its infrastructure. The initial effort to shore up its security, called the tactical phase, was completed in April 2015, and led to the discovery of the attack.
“The reality is that integrating comprehensive security technologies into large, complex outdated IT systems is a lengthy and resource-intensive effort,” OPM Director Archuleta said in her statement to the Senate Committee on Homeland Security and Governmental Affairs. “It is a challenging reality … the fact is that we were not able to deploy them before these two sophisticated incidents, and, even if we had been, no single system is immune to these types of attacks.”
In the latest attacks, the intruder gained access through the credentials of a third-party supplier known as KeyPoint Government Solutions, which conducts background checks on behalf of the government. On Monday, to stymie further attempts to breach its systems, the Office of Personnel Management announced that it would shut down its system, known as e-QIP, which is used to conduct background checks on prospective government workers.
The OPM needs to take a more proactive approach to security, according to security experts. First up? Hire a chief information security officer, one CISO at a higher-education institution, who requested anonymity, told eWEEK.
“Federal agencies should be hiring CISOs that are not silenced by agency officials and can paint a realistic portrait of risks and threats affecting particular agencies,” the CISO said. “These CISOs won’t come cheap because, and rightfully so, those information security leaders that truly understand how to develop a comprehensive information security program—think people, process, and technology—are in demand in every sector.”
Currently, the OPM has a structure in which information system security officers (ISSOs) for different groups report to the CIO. While this chain of command is an improvement on the previous structure, which gave each program office carte blanche with little oversight, too many issues still fall through the cracks, according to the OPM Office of the Inspector General.
Beyond improving the data security of all federal agencies, the United States needs to do more to fend off attacks, said RSA’s Brown. While not recommending any particular course of action, Brown stressed that the amount and type of information stolen significantly raises the stakes in nation-state cyber-espionage. He put the incident on the same level, in terms of U.S. national security, as the leaks of operational data by former National Security Agency contractor Edward Snowden.
“When I look at something like this, because of the enormous amount of information included in the breach, it is a treasure trove of target-rich data that allows the adversary to use it in multiple ways to harm individuals as well as organizations,” he said. “The morale of all those folks is not good, because of the concern over how that information will be used.”
Unless the United States can find a way to forestall attackers or better defend its systems, the OPM breach may be just the start of a spate of significant espionage.