The Office of Personnel Management has been forced to admit, yet again, that the devastating hack of its computer systems was worse than the agency had previously acknowledged. The latest revelation: Fingerprint data from 5.6 million people has been stolen, a fivefold increase from the agency's previous estimate of 1.1 million. Overall, the agency estimates that hackers took information related to 22 million people.
The hack has been such a disaster that OPM head Katherine Archuleta was forced to step down in July. Government inspectors had been warning for years that the agency's IT systems were not properly secured, and Archuleta failed to properly secure them during her 20-month tenure as the head of the agency.
Information about the hacks at OPM, which is the human resources arm of the federal government, has been trickling out for months. OPM manages some of the most sensitive data the government has. The most alarming information obtained by the hackers — who are suspected to have ties to the Chinese government — was collected by US officials while conducting background checks for employees seeking security clearances. It includes information about federal employees' substance abuse and gambling problems, financial difficulties, and mental health problems. Having this kind of information fall into Chinese hands would damage American national security for years to come.
OPM systems have been vulnerable for years
The federal government's security monitoring practices are so weak that we don't know how long the hackers had access to OPM systems. It appears the attacks had been underway for months when they were discovered in June.
The attackers appear to have had virtually unfettered access to OPM's computer systems. They were finally detected when the government made improvements to Einstein, a system that monitors federal networks for suspicious activity. Network administrators realized that someone was downloading large volumes of data from OPM databases.
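The detection described above, someone moving unusually large volumes of data out of a database, is a volume-anomaly check. As an added illustration (example code written for this page, not anything from OPM, DHS or the Einstein program), the script below runs two such checks over constructed flow summaries: a per-hour spike detector that compares each host's outbound volume against its own median baseline, and a cumulative per-destination check that catches slow "trickle" exfiltration the spike detector misses. Hostnames, addresses, volumes and thresholds are all assumptions made for the example.

```python
"""Toy egress-volume anomaly detection over constructed flow summaries.

Constructed sample data, not OPM logs. Hostnames, IP addresses, byte
counts and thresholds are assumptions made for illustration only.
"""
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (hour_index, source_host, destination, bytes_out).
# Hours 0-23 are a quiet baseline. In hour 24, db-server-1 pushes a large
# dump to an outside address. db-server-2 trickles a small amount to the same
# outside address every hour, staying well under any per-hour spike threshold.
FLOWS = []
for hour in range(25):
    FLOWS.append((hour, "db-server-1", "10.0.5.20", 40_000_000))   # normal internal replication
    FLOWS.append((hour, "db-server-2", "10.0.5.20", 35_000_000))   # normal internal replication
    FLOWS.append((hour, "db-server-2", "203.0.113.7", 2_000_000))  # slow trickle to outside host
FLOWS.append((24, "db-server-1", "203.0.113.7", 900_000_000))      # bulk pull to outside host


def bytes_by_host_hour(flows):
    """Sum outbound bytes per (host, hour)."""
    totals = defaultdict(int)
    for hour, host, _dst, nbytes in flows:
        totals[(host, hour)] += nbytes
    return totals


def spike_alerts(flows, ratio=5.0, min_bytes=100_000_000, warmup_hours=6):
    """Flag any host-hour whose outbound volume is more than `ratio` times the
    host's median hourly volume over all preceding hours, and also above an
    absolute floor so that tiny hosts do not alert on noise.

    Returns a list of (host, hour, bytes_this_hour, baseline_bytes)."""
    totals = bytes_by_host_hour(flows)
    hosts = {host for host, _ in totals}
    alerts = []
    for host in sorted(hosts):
        hours = sorted(h for hh, h in totals if hh == host)
        for i, hour in enumerate(hours):
            if i < warmup_hours:  # need some history before judging a baseline
                continue
            baseline = median(totals[(host, h)] for h in hours[:i])
            current = totals[(host, hour)]
            if current >= min_bytes and current > ratio * baseline:
                alerts.append((host, hour, current, baseline))
    return alerts


def cumulative_external_alerts(flows, internal_prefixes=("10.",), limit=25_000_000):
    """Flag (host, external destination) pairs whose total outbound volume over
    the whole window exceeds `limit`. This is what catches slow exfiltration:
    a few megabytes an hour never trips the spike detector, but the sum does.

    Returns a sorted list of (host, destination, total_bytes)."""
    totals = defaultdict(int)
    for _hour, host, dst, nbytes in flows:
        if not dst.startswith(internal_prefixes):  # only traffic leaving the network
            totals[(host, dst)] += nbytes
    return sorted((host, dst, n) for (host, dst), n in totals.items() if n > limit)


if __name__ == "__main__":
    for host, hour, cur, base in spike_alerts(FLOWS):
        print(f"SPIKE  {host} hour {hour}: {cur:,} bytes (baseline {base:,.0f})")
    for host, dst, total in cumulative_external_alerts(FLOWS):
        print(f"VOLUME {host} -> {dst}: {total:,} bytes over the window")
```

The spike detector fires once, on db-server-1 in hour 24; db-server-2's trickle to 203.0.113.7 never exceeds its own baseline and is only surfaced by the cumulative per-destination check. Real deployments compare against per-host-and-destination baselines rather than a single median, but the two checks together are the shape of what a bulk-download alert has to look like if it is to catch an attacker who has months rather than hours.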
OPM's inspector general has been warning for years that OPM's security practices were inadequate. At a recent hearing, Rep. Jason Chaffetz (R-UT) read from a 2009 report by OPM's inspector general warning of "continuing weakness in OPM information security programs." He noted similar warnings in the 2010, 2012, and 2014 reports.
Given that OPM hosts some of the most sensitive data in the federal government, these OPM reports should have set off alarm bells for Archuleta (who had been leading the agency since 2013) and her predecessors. The IG's 2014 report did acknowledge that OPM had made some progress in locking down its systems. But obviously those changes weren't sufficient to safeguard OPM's data.
The stolen information was extremely sensitive
The hackers targeted two specific databases.
The first, known as eOPF, holds the kind of standard personnel data that any HR department collects: Social Security numbers, contact information, records about promotions, retirement benefits, and so forth. Having this kind of data about millions of federal employees would be a boon for a criminal looking to engage in identity theft, and it could be valuable for a foreign government, too.
But the real problem for the US comes from the other system that got compromised, known as EPIC. EPIC is a suite of applications that manage information collected during the intensive background-checking process the federal government does before giving someone a security clearance.
Among other things, EPIC stores federal employees' responses to form SF-86. That's a 127-page form that asks employees about their past addresses, jobs, close friends, relatives, current and former spouses, foreign contacts, mental health problems, criminal record, illegal drug use, drinking problems, gambling problems, and bankruptcies.
US intelligence agencies collect this information because they want to ensure that people in sensitive positions don't have relationships that could compromise their loyalty to the US and aren't vulnerable to blackmail or bribery. That, of course, is exactly what makes the same information invaluable to a foreign government seeking to influence or coerce US personnel.
The Department of Defense maintains a separate database for security clearance decisions, but according to Ars Technica, OPM employees had access to the DOD data so they could cross-check records. So it's likely that the hackers were able to access military personnel records as well. One agency that may have been spared is the CIA, which maintained a separate system for background checks that (as far as we know) has not been compromised.
China is the leading suspect
There are many ways for sophisticated hackers to cover their tracks, so definitively proving the source of any online attack is challenging. But media reports indicate that — despite Chinese denials — US officials believe the Chinese government is behind the attacks. While they've avoided publicly naming China as the attacker, they have also been preparing to retaliate.
Some cybersecurity experts believe the OPM attack was by a hacking group dubbed Deep Panda. The group is believed to have ties to the Chinese government and is also suspected in other recent attacks, including one on the insurance company Anthem discovered in February.
Sen. Susan Collins (R-ME), who serves on the Senate Intelligence Committee, has described the attacks as "extremely sophisticated," suggesting the culprits had the resources of a nation state at their disposal.
Securing the federal government will require some big cultural changes
The revelations of the last three months will surely make Congress and Obama administration officials more focused on securing the federal government's computer systems. But actually preventing future attacks will require more than additional resources — it will require a change in how the federal government thinks about security.
The conventional way the federal government approaches security is by making lists of security requirements — use this kind of encryption, require employees to use that kind of password — and then requiring every agency to comply with the requirements on the list. But as Ars Technica's Sean Gallagher has written, this way of thinking misunderstands the nature of online security threats.
This checkbox approach to computer security is akin to evaluating the security of a building by checking the quality of the locks on the doors — without bothering to check if any windows have been left open. And it's exacerbated by government agencies' tendency to outsource IT work to a variety of different federal contractors. Often security vulnerabilities arise because no one checks to see if software remains secure when it's combined with other software.
Therefore, it's important that agencies develop the capacity to perform security audits not only of individual systems but also across their entire network, to look for cases where decisions made by one contractor created security vulnerabilities elsewhere in an agency's network. (Car companies are facing similar challenges as their products become more software-based.)
Effectively securing computer systems requires doing three things:
1) Security needs to become an integral part of the software design process. That means security experts should be involved in every aspect of building and maintaining IT systems. And the best security experts are almost all outside of government right now, so the feds need to work harder to recruit top security experts.
2) Agencies should hire "red teams" of seasoned hackers to attack their systems. No checklist is going to cover all the possible ways a computer system might be vulnerable. The only way to tell if a system is truly secure is to have security experts probe it for weaknesses.
3) The final and most difficult change is that government agencies — and especially agencies like OPM that hold highly sensitive information — need to take security concerns seriously. Identifying security problems won't do any good unless the problems get fixed. And that will only happen if the agency's leaders insist that it be a priority. Otherwise, the people in charge of building the software will be tempted to brush off security warnings as alarmist.