OPM breach underscores need for strong cybersecurity

When news of the security breach at the Office of Personnel Management broke in July 2015, officials and the public alike reeled at the sheer size and scope of the breach. The theft of personnel information for over 22 million federal employees who had been checked for security clearance sent shockwaves through the government.

Unfortunately, it has been difficult for those in charge to establish the exact causes and details of the breach. The Hill reported on hearings held by the House Oversight Committee, which questioned OPM officials about the agency's cybersecurity policy and about actions taken regarding a security tool used by a contractor, but exact details remained frustratingly vague. Committee chairman Rep. Jason Chaffetz chastised the agency for either not providing, or heavily redacting, most of the documents the committee asked for.

Missing pages
The documents center on a security device supplied to the agency by a private contractor, which claimed that it identified the breach, though the OPM states that it had identified the breach first. Regardless, before the security tool was returned to the contractor, it was wiped by the OPM. The data that was on that device before it was wiped is what the Oversight Committee is looking for.

"And there's no excuse in withholding that information from Congress. You have it, it's in your systems. We know it because we're looking at hard copies. And we're checking to see if you give it to us as well. And you're not. And that's why you're going to be back before this committee," said Chaffetz, The Hill reported.

Some of those documents were provided by the contractor, but there are still others that OPM has yet to hand over. Given the breadth of documents not provided to the Oversight Committee, it is possible that there are serious gaps in Congress's knowledge of the leak.

However, OPM officials claim that it is simply too difficult for an agency as small as OPM to produce such a large volume of documents, and that it has focused on providing the most important files, according to The Hill's report.

Fixing the OPM
Meanwhile, Federal Computer Week discussed a document the publication obtained from the Department of Homeland Security and the Federal Bureau of Investigation. The memo in question outlined a number of recommendations for OPM, including security monitoring and personal (host-based) firewalls, that would help make the agency more secure.

According to the memo, an IT policy that put accessibility and convenience ahead of security concerns, together with an agency-wide failure to deploy patches, contributed to the high-risk conditions that led to the breach.

Most specifically, the memo recommended tiers of strong access controls and identity management, which could have prevented the OPM breach entirely. A well-segmented network limits how far an intruder can move once inside: if one segment of the network is infiltrated, the compromise does not automatically extend to everything else.

Furthermore, the memo touched upon changing the model of cybersecurity that agencies use, moving from a chain of trusted authentications to a policy of continuous monitoring. That trust-chain model is what led to the OPM breach: the attackers gained access to OPM systems through security keys stolen from government contractor KeyPoint Government Solutions.

Continuous monitoring is a major key to modern security policy, where breaches and zero-day exploits need to be identified immediately and remediated swiftly, not more than a year later, as in the case of OPM. In diagnosing cybersecurity issues, every moment matters, and the size and scope of the hack, combined with the long span of time it went undetected, led to one of the largest intelligence losses in U.S. history.
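To make the two recommendations above concrete, here is an added Python sketch; it is not code from the article, from the DHS/FBI memo, or from OPM. It models a network as an allow-list of permitted flows between segments, computes which segments would give an intruder a path to the sensitive data store (the "blast radius" a flat design leaves open versus a tiered one), and then checks a handful of authentication events against a per-account tier policy, the kind of per-event check a continuous-monitoring pipeline runs rather than a periodic audit. Every segment name, account name and log line is constructed for the example.

```python
from collections import deque

# Constructed example network. Each key is a segment; the set lists the
# segments it is permitted to open connections to (an allow-list, not a
# description of any real agency network).
FLAT_FLOWS = {
    "contractor-vpn": {"contractor-apps"},
    "contractor-apps": {"shared-services"},
    "user-lan": {"shared-services"},
    "shared-services": {"hr-db"},  # weak: a general-purpose tier reaches the sensitive data
    "hr-db": set(),
}

# Same network with a tiered design: only a dedicated admin jump segment
# reaches hr-db, and nothing reachable from the contractor side leads there.
TIERED_FLOWS = {
    "contractor-vpn": {"contractor-apps"},
    "contractor-apps": {"shared-services"},
    "user-lan": {"shared-services"},
    "shared-services": set(),
    "hr-admin-jump": {"hr-db"},
    "hr-db": set(),
}


def reachable_from(start, flows):
    """Breadth-first walk over allowed flows: every segment an intruder who
    controls `start` could reach by chaining permitted connections."""
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in flows.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)


def segments_exposing(target, flows):
    """Which segments, if compromised, give a path to `target`? The shorter
    this list, the smaller the blast radius of any single intrusion."""
    return sorted(seg for seg in flows if target in reachable_from(seg, flows))


# Constructed identity policy: the segments each account may authenticate to.
ACCOUNT_TIERS = {
    "contractor-svc": {"contractor-apps"},
    "hr-dba": {"hr-admin-jump", "hr-db"},
}

# Constructed authentication events in a simple "timestamp key=value ..." format.
AUTH_LOG = [
    "2015-04-01T02:14:07Z user=contractor-svc src=contractor-vpn dst=contractor-apps result=ok",
    "2015-04-01T02:16:41Z user=contractor-svc src=contractor-apps dst=hr-db result=ok",
    "2015-04-01T09:00:12Z user=hr-dba src=hr-admin-jump dst=hr-db result=ok",
    "2015-04-01T09:03:55Z user=hr-dba src=user-lan dst=hr-db result=denied",
]


def parse_auth(line):
    """Turn one 'ts key=value ...' line into a dict."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = ts
    return event


def out_of_tier_logins(lines, tiers):
    """Successful logins to a segment the account's tier does not permit.
    Each event is judged on its own, so this can run as events arrive."""
    alerts = []
    for line in lines:
        ev = parse_auth(line)
        if ev["result"] != "ok":
            continue
        if ev["dst"] not in tiers.get(ev["user"], set()):
            alerts.append((ev["ts"], ev["user"], ev["src"], ev["dst"]))
    return alerts


if __name__ == "__main__":
    print("flat network: hr-db exposed from", segments_exposing("hr-db", FLAT_FLOWS))
    print("tiered network: hr-db exposed from", segments_exposing("hr-db", TIERED_FLOWS))
    for alert in out_of_tier_logins(AUTH_LOG, ACCOUNT_TIERS):
        print("ALERT out-of-tier login:", alert)
```

In the flat design every segment, including the contractor VPN, has a path to the sensitive store; in the tiered design only the admin jump segment does. The second constructed event, a contractor service account successfully reaching hr-db, is exactly the kind of out-of-policy use of a contractor credential that a per-event check surfaces at once instead of months later.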

All of this underscores how important cybersecurity is for every agency. Implementing security best practices, or at least partnering with a firm that can, needs to be a priority in order to keep an agency secure.

The breach at the OPM is not the first data breach to occur because of poor security implementation, and it will certainly not be the last. Cybersecurity can't be an afterthought of IT policy. It needs to touch every part of an organization's technology use, and should have the same level of importance that physical security has. The new battlefield is digital, and data is the spoils of victory. Get control over agency cybersecurity before a high-profile data breach like this one occurs.