OPM Just Tip of the Iceberg: Hacking Expected to 'Dramatically Accelerate'

Regarding reports that as many as 18 million records may have been compromised, Archuleta said the figure refers to a “preliminary, unverified and approximate number of unique social security numbers in the background investigations data. It is not a number that I feel comfortable, at this time, represents the total number of affected individuals. The Social Security number portion of the analysis is still under active review and we do not have a more definitive number.”

Archuleta told lawmakers she intends to address the ongoing problems by hiring a new cybersecurity adviser who will report directly to the director. She also cited OPM’s Strategic Information Technology Plan aimed at modernizing and securing the agency’s aging legacy system.

“Many of the improvements have been to address critical immediate needs, such as the security vulnerabilities in our network,” she said. “These upgrades include: the installation of additional firewalls; restriction of remote access without two-factor authentication; continuous monitoring of all connections to ensure that only legitimate connections have access; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of cyber-crime tools that could compromise our networks.”

It was those upgrades, she said, that led to the discovery of “malicious activity,” enabling OPM to immediately share the information so that other agencies could protect their networks.

“OPM thwarts millions of intrusion attempts on its networks in an average month,” Archuleta said. “We are working around the clock to identify and mitigate security weaknesses. The reality is that integrating comprehensive security technologies into large, complex outdated IT systems is a lengthy and resource-intensive effort. It is a challenging reality, but one that we are determined to address.”

OPM utilizes encryption when possible, but the age of some of the legacy systems often renders data encryption impossible. She added that encryption would not have prevented the theft of this data because “the malicious actors were able to steal privileged user credentials and could decrypt the data.”

For those approximately 4 million current and former federal civilian employees who were potentially affected by the incident announced on June 4 regarding personnel information, OPM is offering credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. This comprehensive, 18-month membership includes credit report access, credit monitoring, identity theft insurance, and recovery services and is available immediately at no cost to affected individuals identified by OPM.

Patrick McFarland, OPM’s inspector general, also testified, telling lawmakers that, despite Archuleta’s rationalizing over legacy systems, some of the systems involved in the data breaches “run on modern operating and database management systems.”

“Consequently, modern security technology such as encryption or data loss prevention could have been implemented on these specific systems,” he said. “Also, OPM has stated that because the agency’s IT environment is based on legacy technology, it is necessary to complete a full overhaul of the existing technical infrastructure in order to address the immediate security concerns. While we agree in principle that this is an ideal future goal for the agency’s IT environment, there are steps that OPM can take -- or has already taken -- to secure its current IT environment.”

McFarland said he supports OPM’s efforts to modernize its IT environment but expressed concern that “there is a high risk that its efforts will ultimately be unsuccessful.” The agency could wind up with half of its systems in each of two different environments. Neither, he said, would be fully secure, and OPM would be forced to pay indefinitely for the overhead costs of both infrastructures.

“System development projects by their very nature are complex and prone to failure,” he said. “Even with the application of strict project management techniques, many projects either fail entirely or are only partially successful. Even so, there is a chance that this effort will ultimately succeed given time, leadership and strong project management.”

Archuleta also told the committee that OPM is offering credit monitoring services and identity theft insurance to the 4.2 million workers who could be affected by the breach.

Johnson said it doesn’t appear that the Obama administration “is devoting enough attention to this reality.”

“We need leadership to develop and implement an effective plan to stop future cyberattacks,” he said. “Without effective cybersecurity, our nation will not be safe and secure.”