OPM chief’s testimony highlights cybersecurity shortcomings, challenges

In the wake of every data breach at a federal agency, observers both inside and outside the government inevitably renew their focus on cybersecurity. It is clear that federal bodies have not yet implemented strategies or solutions that are capable of fully protecting sensitive data and networks, and each subsequent breach is a further reminder of these shortcomings, as well as the consequences of continued failure. 

Recently, the Office of Personnel Management suffered not one but two breaches, both of which serve as examples of this recurring pattern. As a result, OPM Director Katherine Archuleta was called to testify before the U.S. House of Representatives Committee on Oversight and Government Reform. Archuleta's comments highlighted both the nature of the agency's shortcomings in regard to these breaches, as well as the scope of the challenges that the OPM and the government as a whole face as they attempts to ward off{ numerous} increasingly dangerous cyberattacks. Given all of this, it's easy to see that new cybersecurity efforts are necessary to keep the public sector safe from hackers.

"Current efforts have fallen behind the fast-evolving realm of cyberattackers."

Old habits
During her testimony, Archuleta indicated that a big part of the problem is the government's failure to update its cybersecurity capabilities in recent years. In many regards, current efforts have simply fallen behind the fast-evolving realm of cyberattackers.

"Cybersecurity issues that the government is facing is a problem that has been decades in the making, due to a lack of investment in federal IT systems and a lack of efforts in both the public and private sectors to secure our Internet infrastructure," said Archuleta. 

The OPM director went on to explain it was only through recent cybersecurity upgrades that the agency was even able to discover the recent intrusions. Preventing them would obviously have required even greater defenses. 

However, while Archuleta primarily blamed insufficient budgets for the OPM's cybersecurity failure, critics also highlighted the lack of experience and knowledge among agency leaders. Notably, Michael Esser, the assistant inspector general for audit, said in testimony to the committee that for years OPM leaders have not had the technical knowledge necessary to shore up defenses against the growing threat of cyberattack, according to the Associated Press.

"In some cases the agency's mission conflicted with best practices."

New attacks
Further damaging the OPM's cybersecurity capabilities, in some cases the agency's mission conflicted with best practices. Perhaps most significantly, Esser testified that in the wake of an audit, his office recommended the OPM shut down a number of its networks due to their extreme vulnerabilities. Archuleta rejected the suggestion, however, because they were necessary for performing the OPM's responsibilities, the Associated Press reported.

Even more significantly, Archuleta revealed that the OPM is the target of a tremendous number of cyberattacks on a regular basis.

"Government and nongovernment entities are under constant attack by evolving and advanced persistent threats and criminal actors," said Archuleta, National Journal reported. "These adversaries are sophisticated, well-funded and focused. In an average month, OPM, for example, thwarts 10 million confirmed intrusion attempts targeting our network. These attacks will not stop – if anything, they will increase."

In light of these evolving, accelerating attacks, the only way for the OPM and other government agencies to remain safe is by upgrading their cybersecurity capabilities. At the same time, though, the OPM's recent experiences with data breaches demonstrate fairly clearly the difficulty in actually achieving this goal.

Federal cybersecurity options
Given the present state of affairs, officials in the OPM and beyond need to take a close look at both their current cybersecurity capabilities and the threat landscape. In most cases, it will become clear that agencies are simply not prepared to ward off the dangers they now face and will continue to encounter in the coming years. These groups therefore face a question of how best to move forward. 

Obviously, this will typically require agencies to boost their IT budgets and devote more funds to cybersecurity-related upgrades. But as Esser explained, many agencies also struggle simply in terms of expertise. Without the right knowledge and skills, there are limits to how effective increased cybersecurity budgets can prove to be.

This makes a third-party cybersecurity consulting firm invaluable for virtually any federal effort in this area. Decision-makers should reach out to such organizations in order to gain greater insight as to how to structure and guide their cybersecurity upgrades going forward, leading to a more efficient, effective plan for thwarting cyberattacks in the years to come.