OPM: 'Victim-as-a-Service' Provider Making It Easy for Hackers to Wage an Attack
The U.S. Office of Personnel Management breach continues to reveal such staggering levels of information security problems, paper-pushing and seeming incompetence that it's creating a new cyber-espionage category I call the "victim-as-a-service" provider.
By "victim as a service," I mean an organization has such poor security controls that little or nothing stands in the way of a would-be hacker. How else should the information security community view defenses that were so shoddy that they enabled remote attackers to execute a mass data breach by apparently using only a username and password?
Numerous government officials and security experts have suggested the hack was a Chinese espionage operation. But it appears that OPM was easy prey for any attacker who might want to amass names and personally identifiable information for 4.2 million current and former federal employees.
For starters, none of the data being stored by the agency was encrypted, OPM Director Katherine Archuleta told the House Committee on Oversight and Government Reform this week, because the relevant systems were "too old" (see Lawmakers Lambaste OPM Chief Over Hack). Such protection could have rendered the data unusable in the event that the agency was breached.
Espionage Made Easy
The security problems at the agency were - and likely still are - staggering, including the absence of multi-factor authentication. The lack of encryption and two-factor authentication also reveals OPM leaders' collective failure to either ask - or react to - the basic question of what would happen if online attackers wanted to steal information on millions of federal workers.
"This is today's espionage made easy because people and organizations fail to understand nor care about the security measures that they should be implementing," self-described "cyber nihilist" Scot Terban - a.k.a. Dr. Krypt3ia - says in a blog post. "This is a constant cry among the infosec community but hey we never seem to really learn."
Finding a Scapegoat
While long-term fixes will be required to secure OPM, and no doubt scores of other federal agencies, in the short term - perhaps predictably - some legislators are calling for Archuleta's resignation. "Since 2007, the OPM Inspector General has continuously pointed out serious deficiencies in OPM's cybersecurity posture. OPM's response has been glacial," says Rep. Jim Langevin, D-R.I., a senior member of the House Committee on Homeland Security. "I am fully aware that cybersecurity is a problem that cannot be solved, but merely managed. However, we must not allow leaders in government or the private sector to use this as an excuse for operating without a risk-based cyber strategy. I have seen no evidence Ms. Archuleta understands this central principle of cyber governance, and I am deeply concerned by her refusal to acknowledge her culpability in the breach."
Then again, might not the same be said of most members of Congress, which holds the budgetary purse strings?
Whatever her culpability, Archuleta inherited a problem that she - like her predecessors - has long failed to solve. The OPM's Office of the Inspector General issued a report in 2012, highlighting numerous weaknesses. Most damning, however, was OIG noting that it had been warning about "a material weakness in controls over the development and maintenance of OPM's IT security policies" since 2007. It repeated that warning in 2008, and added in 2009 that things were getting worse - affecting the organization's entire information security governance and management structure - after which it repeated the same warnings in 2010 and 2011. And in 2012, the OIG warned that the OPM's CIO office "continued to operate with a decentralized IT security structure that did not have the authority or resources available to adequately implement the new policies."
Coming Up Short
If that is the macro view, the micro view is equally disheartening. For example, the OIG noted that although OPM owned "a software product with the technical ability to compare and correlate security incidents over time," it was only receiving data from 20 percent of OPM's major systems, relied on inconsistent logging practices, and staff were only monitoring the security-incident tool during Washington business hours. In response to the OIG warning that not one of the OPM's 47 major systems required personal identity verification card authentication, the OPM's CIO office replied that it had begun requiring PIV for remote authentication, but said nothing about access from within the OPM network. "The OCIO's response to this recommendation leads us to believe that it does not fully understand the requirements of OMB M-11-11 ... [which] requires each major application to enforce two-factor authentication via PIV credentials," the OIG wrote in just one of a number of particularly exasperated-sounding exchanges.
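The two monitoring gaps the OIG describes above, a correlation tool fed by only a fraction of the major systems and a console staffed only during business hours, are both measurable. The following is an added example, not code from the article or from OPM, that audits a constructed system inventory for log-source coverage and computes how long an alert raised outside staffed hours would sit before anyone could look at it. The system names, timestamps, alert names and the weekday 09:00-17:00 staffing window are all assumptions made for illustration.

```python
"""Audit log-source coverage and off-hours alert latency for a SIEM-style
incident-correlation tool. All inventory data, timestamps and alert names
below are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed inventory of "major systems" that are supposed to feed the tool.
MAJOR_SYSTEMS = ["hr-db-01", "payroll-app", "vpn-gw", "ad-dc-01", "ad-dc-02",
                 "file-srv", "web-portal", "mail-relay", "backup-srv", "badge-sys"]

# Constructed "last event received" timestamp per source; a missing key means
# the source has never forwarded anything.
LAST_EVENT = {
    "hr-db-01": datetime(2015, 6, 15, 8, 30),
    "vpn-gw":   datetime(2015, 6, 15, 9, 5),
    "ad-dc-01": datetime(2015, 6, 10, 2, 0),   # stale: five days old
    "file-srv": datetime(2015, 6, 15, 7, 45),
}
NOW = datetime(2015, 6, 15, 9, 30)  # Monday

# Assumed staffing window: weekdays, 09:00 to 17:00 local time.
BUSINESS_START, BUSINESS_END = 9, 17


def coverage_report(systems, last_event, now, max_gap=timedelta(hours=24)):
    """Classify each system as reporting (event within max_gap), stale, or never seen,
    and return the fraction of systems that are actually feeding the tool."""
    reporting, stale, never = [], [], []
    for name in systems:
        seen = last_event.get(name)
        if seen is None:
            never.append(name)
        elif now - seen > max_gap:
            stale.append(name)
        else:
            reporting.append(name)
    return {"reporting": reporting, "stale": stale, "never": never,
            "coverage": len(reporting) / len(systems)}


def next_staffed_time(ts):
    """Earliest moment at or after ts when the console is staffed."""
    t = ts
    while True:
        weekday = t.weekday() < 5
        if weekday and BUSINESS_START <= t.hour < BUSINESS_END:
            return t
        if weekday and t.hour < BUSINESS_START:
            return t.replace(hour=BUSINESS_START, minute=0, second=0, microsecond=0)
        # Evening or weekend: advance to 09:00 the next day and re-check.
        t = (t + timedelta(days=1)).replace(hour=BUSINESS_START, minute=0,
                                            second=0, microsecond=0)


def alert_review_latency(alerts):
    """For each (name, raised_at) pair, hours until a staffed analyst could first see it."""
    return {name: (next_staffed_time(raised) - raised).total_seconds() / 3600
            for name, raised in alerts}


# Constructed alerts: one raised late on a Friday, one before dawn on a Tuesday,
# one during staffed hours on a Wednesday.
ALERTS = [
    ("failed-logins-vpn",   datetime(2015, 6, 12, 22, 0)),
    ("bulk-export-hr-db",   datetime(2015, 6, 9, 3, 15)),
    ("admin-login-dc",      datetime(2015, 6, 10, 14, 0)),
]

if __name__ == "__main__":
    report = coverage_report(MAJOR_SYSTEMS, LAST_EVENT, NOW)
    print(f"coverage: {report['coverage']:.0%} of major systems reporting")
    print("stale:", report["stale"])
    print("never seen:", report["never"])
    for name, hours in alert_review_latency(ALERTS).items():
        print(f"{name}: {hours:.2f} h before a staffed analyst could review it")
```

The coverage figure is the number the OIG was getting at: with the constructed data only three of ten systems are feeding the tool, and one of the directory controllers went quiet days ago without anyone noticing. The latency function makes the business-hours-only staffing concrete: an alert raised at 22:00 on a Friday waits 59 hours, the better part of a weekend, before the window in which anyone is scheduled to look at it opens.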
A reminder that OPM cannot just wave a "magic wand" to fix its poor information security culture arrived this week with reports that the agency's emailed breach notification included a link to a third-party identity-theft monitoring service provider, and by doing so not only looked like a phishing attack, but may have violated Department of Defense guidelines, which prohibit employees from clicking on links to untrusted sites.
The 2016 OPM budget request - submitted in February - sought $32 million more than in 2015. "Most of these funds will be directed toward investments in IT network infrastructure and security," the budget request said. "As a proprietor of sensitive data - including personally identifiable information for 32 million federal employees and retirees - OPM has an obligation to maintain contemporary and robust cybersecurity controls."
Such obligations are easy to put on paper. But OPM has long been a data breach victim waiting to happen. And it's not clear how the White House - and agency officials - will fix that.