OPM Just Tip of the Iceberg: Hacking Expected to 'Dramatically Accelerate'

WASHINGTON – The director of the Office of Management and Budget maintains that her agency has taken “significant steps” to protect sensitive cyber data, but recent security breaches clearly establish that efforts to guard against future hacking attempts must “dramatically accelerate.”

Katherine Archuleta, who assumed her post 18 months ago, told members of the Senate Homeland Security & Governmental Affairs Committee that her office is under “constant attack by evolving and advanced persistent threats and criminal actors” who are “sophisticated, well-funded and focused.” Given that, steps must be taken not only on behalf of those individuals whose personal information has been accessed “but also as a matter of national security.”

These cyberattacks, she told the panel, “will not stop. If anything, they will increase.”

OPM announced early in June that over the past year hackers stole personnel records of about 4.2 million federal employees. Subsequently, it was revealed that the attack was actually far greater and involved some of the most sensitive data the federal government maintains on its employees and, likely, many more records, perhaps as many as 18 million.

The massive data theft is considered one of the largest – if not the largest – security breaches within the federal government to date. One internal OPM assessment, disclosed to Congress by the FBI, said the hacking likely was conducted by a Chinese intelligence-gathering operation.

Some lawmakers, including Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, have called for Archuleta’s resignation because of the security failure.

“It is hard to overstate the seriousness of this breach,” said Sen. Ron Johnson (R-Wis.), the committee chairman. “It has put people’s lives and our nation at risk.”

OPM has been hacked five times in the past three years and the agency “still has not responded to effectively secure its network,” Johnson said, asserting that cybersecurity “must be a top priority.”

“Cybersecurity on federal agency networks has proved to be grossly inadequate,” Johnson said. “Foreign actors, cyber criminals and hacktivists are accessing our networks with ease and impunity. While our defenses are antiquated, our adversaries are by comparison proving to be highly sophisticated. Meanwhile, agencies are concentrating their resources trying to dictate cybersecurity requirements for private companies, which in many cases are implementing cybersecurity better and more cheaply.”

Archuleta said she became aware of OPM’s security vulnerabilities within what she characterized as “the agency’s aging legacy systems” when she assumed office and made the modernization and security of the network and its systems a priority.

Regardless, Archuleta said two kinds of data found in two different systems -- personnel records and background investigations -- were affected in two recent incidents. While the agency has placed the number of records involved in the personnel data breach at 4.2 million, it continues to analyze the background investigation data to determine what was compromised.

“We are not at a point where we are able to provide a more definitive report on this issue,” she said.

Regarding reports that as many as 18 million records may have been compromised, Archuleta said the figure refers to a “preliminary, unverified and approximate number of unique social security numbers in the background investigations data. It is not a number that I feel comfortable, at this time, represents the total number of affected individuals. The Social Security number portion of the analysis is still under active review and we do not have a more definitive number.”

Archuleta told lawmakers she intends to address the ongoing problems by hiring a new cybersecurity adviser who will report directly to the director. She also cited OPM’s Strategic Information Technology Plan aimed at modernizing and securing the agency’s aging legacy system.

“Many of the improvements have been to address critical immediate needs, such as the security vulnerabilities in our network,” she said. “These upgrades include: the installation of additional firewalls; restriction of remote access without two-factor authentication; continuous monitoring of all connections to ensure that only legitimate connections have access; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of cyber-crime tools that could compromise our networks.”

It was those upgrades, she said, that led to the discovery of “malicious activity,” enabling OPM to immediately share the information so that other agencies could protect their networks.

“OPM thwarts millions of intrusion attempts on its networks in an average month,” Archuleta said. “We are working around the clock to identify and mitigate security weaknesses. The reality is that integrating comprehensive security technologies into large, complex outdated IT systems is a lengthy and resource-intensive effort. It is a challenging reality, but one that we are determined to address.”

OPM utilizes encryption when possible, but the age of some of the legacy systems often renders data encryption impossible. She added that encryption would not have prevented the theft of this data because “the malicious actors were able to steal privileged user credentials and could decrypt the data.”

For those approximately 4 million current and former federal civilian employees who were potentially affected by the incident announced on June 4 regarding personnel information, OPM is offering credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. This comprehensive, 18-month membership includes credit report access, credit monitoring, identity theft insurance, and recovery services and is available immediately at no cost to affected individuals identified by OPM.

Patrick McFarland, OPM’s inspector general, also testified, telling lawmakers that, despite Archuleta’s rationalizing over legacy systems, some of the systems involved in the data breaches “run on modern operating and database management systems.”

“Consequently, modern security technology such as encryption or data loss prevention could have been implemented on these specific systems,” he said. “Also, OPM has stated that because the agency’s IT environment is based on legacy technology, it is necessary to complete a full overhaul of the existing technical infrastructure in order to address the immediate security concerns. While we agree in principle that this is an ideal future goal for the agency’s IT environment, there are steps that OPM can take -- or has already taken -- to secure its current IT environment.”

McFarland said he supports OPM’s efforts to modernize its IT environment but expressed concern that “there is a high risk that its efforts will ultimately be unsuccessful.” The agency could wind up with half of its systems in different environments. Neither, he said, would be fully secure and OPM would be in a position where it is forced to pay indefinitely for the overhead costs of both infrastructures.

“System development projects by their very nature are complex and prone to failure,” he said. “Even with the application of strict project management techniques, many projects either fail entirely or are only partially successful. Even so, there is a chance that this effort will ultimately succeed given time, leadership and strong project management.”

Archuleta also told the committee that OPM is offering credit monitoring services and identity theft insurance to the 4.2 million workers who could be affected by the breach.

Johnson said it doesn’t appear that the Obama administration “is devoting enough attention to this reality.”

“We need leadership to develop and implement an effective plan to stop future cyberattacks,” he said. “Without effective cybersecurity, our nation will not be safe and secure.”