OPM Security Was a Data Breach Waiting to Happen

Things could get worse before they get better as the FBI, US-CERT and Office of Personnel Management investigate a data breach that may have compromised the personal information of some 4 million current and past federal employees.

Additional exposures of personal identifying information could be discovered, officials have warned.

The OPM made the breach public last week, but the intruders had been inside the agency’s systems since December.

This was the second intrusion reported by the agency in the last 15 months. As a result of the earlier intrusion, OPM beefed up its security systems. The latest intrusion, though, took place before the security improvements were fully deployed.

To protect federal employees from any fraud or identity theft resulting from the breach, OPM is offering free-of-charge credit report access, credit monitoring, and identity theft insurance and recovery services, which includes $1 million in identity theft protection services.

Bonanza for Spies

Because of its size and sophistication, the breach has been attributed to a nation, most likely China. If that’s the case, fraud and identity theft may be less of a concern for victims of the breach than other types of exploitation.

“They’ve collected security clearance data back to 1985. It’s very possible that some of those employees have gone on to higher and more sensitive positions in government,” said G Data Security Evangelist Andrew Hayter.

“I think the Chinese are building a database that they can use for blackmail or espionage,” he told the E-Commerce Times.

The kind of information compromised at OPM commonly has been sought after by spy agencies seeking to cultivate assets in foreign governments. Computers just make it easier to get the info, without the painstaking process of manually building a dossier on a target.

“You literally have the personal information of every federal employee going decades back in time. You know their Social Security number, their financial situation, where they’ve lived, who they’ve married, and even where and with whom they’ve traveled,” said LogRhythm CISO James Carder.

“This data gives the attacker a list of individuals that have access to the most sensitive data in the country,” he told the E-Commerce Times. “They can target specific individuals to obtain data on specialized defense projects, R&D efforts, defense strategy — virtually anything as it relates to the protection of our country.”

Systems as Prisons

OPM data is protected by two federal security systems: Einstein, and Continuous Diagnostics and Mitigation. Those systems may be inadequate to cope with today’s threat landscape, as the latest breach indicates.

They “are not up to speed with the latest and greatest threats out there,” G Data’s Hayer said.

The federal government has been widely criticized for depending too heavily on its perimeter defenses and intrusion detection. Once attackers breach those perimeter defenses, they can remain undetected for long periods of time.

“We have to move away from castles and more toward prisons,” said Tom Kellermann, chief cybersecurity officer at Trend Micro.

“Systems need to be like prisons, so it’s more difficult for an adversary to move freely inside the system,” he told the E-Commerce Times, and “more difficult for the adversary to exfiltrate data.”

Einstein’s Folly

Depending on an intrusion-detection system like Einstein to protect government computer systems is “folly,” noted Scott Borg, CEO and chief economist at the US-CCU(United States Cyber Consequences Unit).

“Once attackers are inside a system, an intrusion-detection system isn’t good for much, and there are many ways to get inside systems that intrusion-detection systems can’t detect,” he explained.

That message doesn’t seem to be getting through to federal planners, though.

“A system like Einstein has its uses, but putting too much faith in it is not a good idea,” Borg said.

“There have been proposals to extend Einstein over critical infrastructure in America, [but] that is a very foolish idea,” he warned. “Nothing of that kind can successfully protect those systems, and the OPM incident is a good demonstration of that fact.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by John P. Mello Jr.
More in Government

E-Commerce Times Channels