The immediate reaction from the security community when news broke of the data breach at the Office of Personnel Management (OPM) that exposed personnel files of four million federal workers was that this was yet another sign that the federal government has room for improvement on the cybersecurity front. But as details continue to emerge about the true state of security at the agency prior to the breach and the plans officials have laid out to prevent such attacks in the future, the problem seems to be much bigger than originally thought. "Room for improvement" implies at least a baseline understanding of security principles, and many security pundits following the story doubt that such a baseline existed in the first place.
The situation exposes a "lack of professionalism and knowledge" that is about 20 years behind where the security industry stands, says Pierluigi Stella, CTO of Network Box USA.
"The Inspector General had already told OPM about their material weaknesses but nothing at all was apparently done. There was no IT security staff until 2013. Most of IT was operated by contractors whose contracts were expired," he says. "OPM apparently wasn't sure of what they had in their own network. They could not provide a comprehensive inventory of servers, databases and network devices. Apparently the hackers knew this network better than the people that operated it."
In response to the breach, OPM officials tipped their hand as to how penetrable the agency's systems have really been all along. They told the public that since the breach, the agency has made improvements to its network security, including deploying anti-malware technology and restricting remote access for network administrators.
The fact that those table-stakes controls were not already in place at an agency that handles such sensitive human resources data is worrisome enough. That they are being presented as the agency's path forward for preventing similar breaches is even more troubling to veterans of the security world. The belief that anti-malware will save the agency from future breaches betrays a lack of understanding of what a good security posture looks like in the first place, experts say.
"Judging from the government’s response, the root cause of the problem seems to be a lack of experience in its personnel, not just missing security controls. The information security industry knows a lot about what defense measures are effective and not," says Jeremiah Grossman, founder of WhiteHat Security. "It’s not just about installing anti-virus and thinking you’re done. That seems to be their current level of thinking, which virtually guarantees a similar incident."
Unfortunately, this may be symptomatic of deeper problems across the board and not just at OPM. As Richard Bejtlich explained in a blog post earlier today, one such issue is a "fundamental misunderstanding of the nature" of the federal government's Continuous Diagnostic and Mitigation (CDM) program, which has shifted priorities away from actually repelling intruders in favor of cyber "hygiene." According to him, many have mistaken CDM, which at heart is just a vulnerability management program, for a way to find intruders, particularly in light of long delays in the government's Einstein intrusion detection program.
"CDM is either being sold as, or misunderstood as, a way to detect intruders," wrote Bejtlich, chief security strategist for FireEye. "The focus on CDM has meant intruders already present in Federal networks are left to steal and fortify their positions, while scarce IT resources are devoted to patching. The Feds are identifying and locking doors and windows while intruders are inside the house."
And, unfortunately, the fallout from this breach means that attackers are all the more firmly entrenched inside that proverbial house. There is an even more troubling element to the OPM breach: the enormous consequence that the exposure of this particular data set has for the federal government's overall risk posture. The damage on this front has already been done, and the exposed data will not only help attackers carry out further cyberattacks but will greatly aid foreign counterintelligence (CI), says John Schindler, security strategist and author of The XX Committee blog.
As Schindler explains, the most sensitive of data stolen from the OPM was background investigation (BI) material on anyone seeking security clearances.
"Whoever now holds OPM’s records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side — since all that is recorded in security clearance paperwork."
According to Schindler, the government will feel the consequences of the breach for decades.
"If this sounds like a nightmare scenario for Washington, DC, that’s because it is," he says. "Decades of neglect have gotten us here and it will take decades to get us out of it."