House oversight committee OPM breach report calls for zero trust model, empowered CIOs
House Oversight Committee Republicans blasted the US Office of Personnel Management (OPM) Wednesday in a report on the 2014-2015 theft of millions of personal records and fingerprint data for 5.6 million individuals collected for security clearance background checks. The report calls for strengthened CIOs to lead a broad-ranging upgrade of government agencies’ data protection practices.
“The long-standing failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the inspector general, represents a failure of culture and leadership, not technology,” according to the report (PDF via Politico).
Though the Homeland Security Department’s Computer Emergency Readiness Team found malware dating back to 2012, the first breach was internally recognized in March 2014, according to the report, and the second breach began with the creation of a network backdoor that May. Among the committee’s findings is that at least one private company, CyTech, appears to have played a role in detecting the breach, without ever receiving payment from the OPM. The OPM says it ran a trial version of the company’s software, and it received no bill.
Committee Democrats issued a response (PDF) emphasizing the role of private contractors in the breach, saying that some of the records were stolen from them, rather than directly from the OPM, and that “contract requirements for sharing information with private sector companies that handle sensitive government data need strengthening.”
OPM Director Beth Cobert, who replaced previous Director Katherine Archuleta when she and Chief Information Officer Donna Seymour resigned in the wake of the breach, immediately published a blog post responding to the majority report. Cobert took issue with several aspects of the report, but also pointed out its acknowledgement of improvements eventually made in the OPM response.
The majority report includes 13 recommendations to federal agencies, ranging from replacing legacy IT systems and reducing reliance on social security numbers as identifiers, to adopting a “zero trust model” and making sure “agency CIOs are empowered, accountable, and competent”; it points out that the average 2-year tenure in the CIO position is inadequate.
The breach raised a number of serious questions not just about the security of federal agencies’ networks, but also about the use and storage of biometric data. The report includes several statements from high-ranking US intelligence officials on the catastrophic effects of the data theft on national intelligence efforts.
A drive for strong multi-factor authentication and a zero trust model among federal agencies should involve a significant increase in agency use of biometric authentication, though likely not the storage of all biometric credentials in a centralized database. Then again, the report says explicitly that the OPM neglected security recommendations from the inspector general and failed to respond appropriately to the March 2014 breach discovery, so a culture of slow adaptation and reluctance to adopt new security measures could be part of the root problem.