Assuring lessons learned from the Office of Personnel Management identity and fingerprint cyber theft
This is a guest post by Janice Kephart, founder of the Secure Identity & Biometrics Association (SIBA).
The U.S. Office of Personnel Management’s (OPM) limited transparency about the cyber theft of 22.1 million personal records and 1.1 million fingerprints, taken from a combination of electronic live-scans and digitized hardcopy fingerprint cards submitted for use by the Federal Bureau of Investigation, has produced perhaps the worst form of identity theft for dedicated US government employees, and may in some cases put at risk the safety of those who work in clandestine environments. Two types of information were breached: personnel records and background investigations.
While the CIA was not affected, anyone who worked for the government after 2000 – especially those of us who held a clearance (including myself) – is now not only subject to identity theft based on biographic information, but has fingerprints linked to that biographic data. While a simple identity thief in today’s world would have little use for the fingerprints, the fact that the attack is linked to China raises troubling concerns about use of the fingerprints to compromise us in war, one by one.
Having drafted the current version of the federal digital identity theft law in 1998, I am well aware of how bad this compromise is. Yet there is a lurking question amongst the fear of identity theft and compromise of national security: Are biometrics the cause of the problem, or the solution? Is the problem the biometric or its retention and protection?
We don’t know the answers with the high level of certainty we would like to as an industry simply because, while OPM has been forthcoming with some details, recent press statements suggest the agency itself cannot answer basic questions about the fingerprint cyber theft. From our perspective at the Secure Identity & Biometrics Association, while questions remain that require answering, there are simple protocols and standards that the biometrics industry has been following for years and that OPM should have been following as well.
What we don’t know and questions remaining:
1. How does OPM store the fingerprints for background investigations, whether actual images or templates?
2. If images were stored (outside of the FD-258), were they encrypted at rest, in use, or both? OPM states that legacy systems could not be encrypted; however, the definition of “legacy” has not been provided.
3. Was OPM storing the full FD-258 (electronic or paper), which also carries the biographic data associated with the fingerprints? Were any of the forms encrypted at rest, in use, or both? If not, this is the most dangerous scenario, as it means no reverse engineering of the fingerprint data was necessary and the biographic information was there for the taking.
4. Was the data useful? Since the data was exfiltrated rather than merely accessed, the attackers presumably judged it worth keeping.
5. If any of the biometric data was acquired outright, was reverse engineering necessary? If it was, was it successful to the point of enabling spoofing to create fake government credentials or searching other databases for more information on the identities harvested?
6. Was there a backup or archive of the stolen data – in other words, does OPM still have any of the stolen data, or is it gone so that our adversaries have it and the US no longer does?
7. What is being done to track or retrieve the information (e.g., are there any forensic markers, in the network traffic or in the data itself, that can be tracked)?
8. What is being done to resolve the OPM security issues; i.e., what are the proper security controls that should be in place?
9. Which other agencies (and private institutions) have the same vulnerabilities? What is being done across the government to assure that personnel files and background investigation material are adequately protected?
10. What should be the Congressional response? Oversight? Legislation that has consequences for failure to employ proper information technology security protocols?
Fact-finding and lessons learned:
1. Despite the concern of risk to those who use other identities to support covert work, for most individuals the threat of biographic identity theft is high while the risk that the fingerprint data can be exploited remains relatively low, because biometrics are not yet in general use for access control in the US government. Certainly the biometric data needed to create a government credential such as a PIV card (the HSPD-12 credential, of which the DoD CAC is one implementation) now exists, but for a forged credential to be effective the forger would still need the issuer signing keys that agencies rely on to validate it. Secondly, since most agencies do not use the fingerprints for access control (physical or logical), the fingerprints add little value to the thief.
2. The more serious potential is using the images to search other databases and discover additional identities, but that assumes the bad actors also have access to other biometric databases in which to search.
3. Biometrics are less critical to this hack than the biographic information, but that is mostly because the federal government has failed to get up to speed with biometric access control, which brings us back to making sure the data that such access depends upon is secure to begin with.
Recommendations:
1. Any data system that holds biometric identity data should be required to undergo a biometric vulnerability test.
2. Fingerprint images should not be retained once identity is authenticated or clearance is established, whichever comes first.
3. Fingerprint templates, if retained, must be kept in encrypted storage separate from the biographic information, with the link between the two stores itself encrypted, so that neither store on its own reveals whose template is whose.
4. Biometric access control could have protected the OPM system against this breach in the first place. The same holds for any government agency that actively interacts with the public: IRS, Social Security Administration, OPM, Health and Human Services, US Citizenship and Immigration Services, etc.
5. To keep the biometric access data itself from being breachable, make biometric access device-centric (matching on the user’s device) rather than centred on a password-style central database, wherever possible.
6. Biometric access must require liveness detection, so that cleared individuals cannot be impersonated and systems cannot be spoofed with the stolen prints.
7. Multi-modal biometrics provide another layer of protection; for highly secure systems, the different modalities should be stored in different databases, so that if fingerprints are stolen the corresponding iris or face data is not.
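Recommendations 2, 3 and 7 above describe one storage design: raw images are discarded after template extraction, templates live apart from biographics, the two are joined only through a protected link, and each modality sits in its own store. The following is an added example, not code from the original post or from OPM or SIBA, sketching that design in Python. It makes several assumptions: the per-modality bridge keys are assumed to live in an HSM or KMS outside both databases; a keyed HMAC pseudonym stands in for the post’s "encrypted bridge" (the join is only computable by a holder of the key); and `extract_template` is a hash placeholder for real minutiae extraction, not a matcher. All records and scans are constructed.

```python
"""Separated biometric storage: templates, biographics and modalities apart."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MODALITIES = ("finger", "iris")


def new_bridge_keys() -> dict:
    """One independent bridge key per modality. Assumed to be held in an
    HSM/KMS, never alongside either data store (assumption of this example)."""
    return {m: secrets.token_bytes(32) for m in MODALITIES}


def pseudonym(bridge_key: bytes, subject_id: str, modality: str) -> str:
    """Storage key for one subject's template in one modality. Without the
    bridge key the value cannot be linked back to subject_id; binding the
    modality into the message means a person's finger and iris rows share
    nothing even if both stores are dumped."""
    msg = f"{modality}:{subject_id}".encode()
    return hmac.new(bridge_key, msg, hashlib.sha256).hexdigest()


def extract_template(image: bytes) -> bytes:
    """Placeholder for minutiae extraction (hypothetical). A real system keeps
    features, not the image; a hash is used here only so that the raw image
    never reaches storage."""
    return hashlib.sha256(b"template-v1|" + image).digest()


@dataclass
class Vault:
    biographic: dict = field(default_factory=dict)  # subject_id -> record
    # modality -> {pseudonym -> template}; one dict per modality stands in
    # for one database per modality.
    templates: dict = field(default_factory=lambda: {m: {} for m in MODALITIES})


def enroll(vault: Vault, keys: dict, subject_id: str, record: dict, images: dict) -> None:
    """Store biographics under subject_id and each template under its
    pseudonym. The raw scans are consumed here and not retained."""
    vault.biographic[subject_id] = dict(record)
    for modality, image in images.items():
        pseud = pseudonym(keys[modality], subject_id, modality)
        vault.templates[modality][pseud] = extract_template(image)


def lookup_template(vault: Vault, keys: dict, subject_id: str, modality: str):
    """Authorised join: only a holder of the modality's bridge key can find
    the template that belongs to a biographic record."""
    return vault.templates[modality].get(pseudonym(keys[modality], subject_id, modality))


def verify(vault: Vault, keys: dict, subject_id: str, modality: str, probe_image: bytes) -> bool:
    """Verify a live probe against the enrolled template (equality check on
    the placeholder template; a real matcher scores similarity)."""
    stored = lookup_template(vault, keys, subject_id, modality)
    if stored is None:
        return False
    return hmac.compare_digest(stored, extract_template(probe_image))


def thief_can_link(vault: Vault) -> bool:
    """Simulate an attacker holding full dumps of every store but no bridge
    key: can the template stores be joined to biographics by inspection?
    Returns True if any subject_id or biographic value appears in a template
    store key or value."""
    needles = set()
    for subject_id, record in vault.biographic.items():
        needles.add(subject_id)
        needles.update(str(v) for v in record.values())
    for store in vault.templates.values():
        for pseud, template in store.items():
            haystack = pseud + template.hex()
            if any(n in haystack for n in needles):
                return True
    return False


if __name__ == "__main__":
    keys = new_bridge_keys()
    vault = Vault()
    enroll(vault, keys, "S-1001",
           {"name": "Alice Example", "agency": "Department of Examples"},
           {"finger": b"constructed finger scan", "iris": b"constructed iris scan"})
    print("authorised verify:", verify(vault, keys, "S-1001", "finger", b"constructed finger scan"))
    print("verify with wrong keys:", verify(vault, new_bridge_keys(), "S-1001", "finger", b"constructed finger scan"))
    print("thief can link dumps:", thief_can_link(vault))
```

The point of the design is that a dump of the fingerprint store yields a set of templates under random-looking keys, a dump of the biographic store yields names with no templates, and a dump of the iris store cannot be joined to either, unless the bridge keys are also taken; so the keys, not the databases, become the asset to guard, and they are far smaller and easier to keep in hardware.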
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.