The US federal government has designated November as National Critical Infrastructure Security and Resilience Month (CISR Month). Effective cybersecurity measures are one crucial component of our country’s critical infrastructure. So as part of CISR Month, bTrade would like to offer what MFT Nation likes to call a “case study in what-not-to-do” in the world of cybersecurity.
Here’s the Situation
You are the IT person responsible for maintaining a vast collection of highly sensitive data for your organization. More than a year ago, your system was hacked and the cyber thieves absconded with a major part of your organization’s sensitive data. The incident was widely reported by all forms of media, even the fact that the organization’s auditors had been issuing reports which rated your cybersecurity measures as “deficient,” or words to that effect.
So what do you do? You listen to your auditors and become more vigilant about your cybersecurity efforts, right? Most would think that, especially if you’re in the private sector. But this particular situation doesn’t involve a private sector business. It concerns a prominent government agency within the White House called Office of Personnel Management (OPM), and the most sad/maddening part of this case study is that the latest audit report finds that OPM’s cybersecurity measures are actually regressing.
I kid you not, and here are the pertinent details of this sad/maddening case study in what-not-to-do.
History of Cybersecurity Warnings from OPM’s Auditors
In a previous post, bTrade’s MFT Nation described the importance of OPM’s activities within our country’s critical infrastructure. We also explained that OPM’s inspector general had issued a series of warnings beginning in 2007 about glaring problems with OPM’s cybersecurity measures. In fact, the IG issued a “flash audit alert” stating that OPM’s “severely outdated” security procedures put its data at risk.
OPM Breach – Most Damaging Cybersecurity Intelligence Breach in US History
The risk was realized last year when hackers gained access to OPM servers for an extended period of time and made off with highly sensitive data collected during security clearance investigations on some 22 million federal employees. A major print publication reported that U.S. officials considered the breach to be “among the most potentially damaging cyber heists in U.S. government history.”
OPM’s Deplorable Conduct hasn’t Changed since the Breach
The OPM auditor recently released a new report which finds that OPM’s cybersecurity defenses have gotten worse since the devastating breach. The report points to a “significant regression” in the agency’s compliance with a 2014 cybersecurity law, and notes that the agency “failed to meet requirements that [it] had successfully met in prior years.”
The report also found the agency still suffers a “significant deficiency” in its information security management, doesn’t have a full inventory of its servers, only two of its applications met government user verification, and it doesn’t track fixes of routine security weaknesses. In fact, of the 26 recommendations issued by the auditor, 17 of them had been issued before, with some dating back to 2008.
The auditor offered these striking facts to support its deficiency findings:
- “OPM has a history of troubled system development projects. Despite multiple attempts and hundreds of millions of dollars invested, OPM has encountered well publicized failures to modernize its retirement claims processing, financial, and background investigation systems. In FY 2016, the agency’s enormous IT infrastructure overhaul initiative was significantly behind schedule.”
- “We believe that OPM’s IT security management structure – as currently defined on paper – can be effective with some minor improvements (see the next section of this report). However, this structure was not operational for the majority of FY 2016, and therefore we believe that this issue again rises to the level of a significant deficiency.”
- “At the end of fiscal year (FY) 2016, the agency still had at least 18 major systems without a valid Authorization” ”—i.e., an assessment/evaluation of whether a system’s security controls are meeting the security requirements of that system.
- “OPM has not established an agency-wide risk management strategy. In addition, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 are not all fully implemented.”
- “OPM does not have configuration baselines for all operating platforms. This deficiency impacts the agency’s ability to effectively audit and monitor systems for compliance.”
- “The majority of OPM systems contain Plan of Action and Milestones that are over 120 days overdue,” and “contingency plans for most of OPM’s systems have not been reviewed or tested in FY 2016.”
- “Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.”
Basically, all aspects of OPM’s IT infrastructure have problems. The equipment is outdated despite “well publicized failures to modernize.” The infrastructure is not well managed as there is “a history of troubled system development projects,” including the “IT infrastructure overhaul initiative” which is “significantly behind schedule.” OPM’s policies and procedures are either lacking or not followed (the “12 primary elements” of OPM’s “agency-wide risk management strategy” are “not all fully implemented”). The human resources are not properly trained, including those individuals with “significant information security responsibility” that have not taken “specialized security training” required by “OPM policy.” Not a pretty picture.
But the most galling aspect of OPM’s IT infrastructure is that all these deficiencies are still present after a historically bad data breach and “[de]spite multiple attempts and hundreds of millions of [taxpayer] dollars invested.” Pitiful. Just pitiful.
If a private sector business had such a poor cybersecurity track record, all hell would break loose. Congress would call for hearings, the media would be outraged, lawyers would sue, and government agencies would levy heavy fines. But we see no similar steps taken with respect to OPM. Why? Where is the outrage? Have we come to accept government waste as a fact of life? Are we willing to look the other way when we get shoddy work despite spending “hundreds of millions of [taxpayer] dollars”?
We certainly hope not. It’s time to treat all critical infrastructure the same, whether it be in the public or private sector. So join us in saying to OPM: You need to get your house in order, and time is of the essence because you are responsible for highly sensitive data affecting tens of millions of Americans.
Stay tuned to MFT Nation for developments in the OPM case study, and to stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.
The year 2000 was also a memorable time for the IT world. We survived the feared Y2K problem, but the dot-com bubble was about to burst. Google was just a baby and desktop computers dominated the IT landscape.
But the year 2000 is significant in another respect—it was the last time the U.S. federal government (the “Feds”) reviewed and updated its data security policies. We kid you not. Until recently, the Feds were relying on 16 year-old data security policies. As you might expect, the policies contained antiquated notions of data security, including one that listed “password protection” as the only “effective security technique.”
The good news is that the Feds recently reviewed the outdated policies and have released a revised version entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”). The impetus for the Circular, according to the Feds, is the “rapidly evolving digital economy.” If that is true, logic suggests the Feds would have reviewed/updated their data security policies much earlier than they did. The truth is that Feds were forced to take a more proactive approach to data security after a hack occurred last year at the Office of Personnel Management that was described as the “most devastating cyber attack in our nation’s history.”
Certain statements in the Circular demonstrate an understanding by the Feds of the gravity of the situation. For example, the Feds state an awareness that IT is “at the core of nearly everything the Federal Government does.” And to their credit, the Feds acknowledge they “cannot afford to authorize a system and not look at it again for years at a time.” Time will tell whether the Feds practice what they preach.
The release of the Circular generated a great deal of attention, but it is really nothing extraordinary. It’s the type of document the Feds have required of private sector organizations for quite some time. For example, the Federal Trade Commission has a document containing a 10-step data security policy guide for businesses, and the Federal Communications Commission created a similar document for private sector businesses entitled Cyber Security Planning Guide. The Circular incorporates the policies from these two documents (as well as a whole lot more, because it’s tough to stop the Feds once they start writing policies).
The Feds have consistently fined businesses for failing to “implement and maintain” data security policies. Similarly, companies have avoided the wrath of the FTC by showing they had established and implemented “comprehensive” data security policies. Talk about hypocrisy; judging private sector businesses by standards with which the Feds had never complied. I guess it’s good to be the king, so to speak.
They claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.” Let’s just say that we are skeptical.
Why? To be effective, policies should be written clearly and concisely, targeted to the end user. Too many policy manuals are ignored or never read because they are too wordy, boring, or confusing. The Circular is all of that. It’s an 85-page monstrosity with a host of problems.
To start with, there are a total of 90 definitions that consume the better part of 12 pages of single-spaced text. To make matters worse, the Circular is replete with general statements of policy, but lacking in understandable specifics. The Circular also points readers to plethora other regulations, such as a requirement to “[i]mplement security policies issued by OMB, as well as requirements issued by the Department of Commerce, the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Office of Personnel Management (OPM). If that weren’t enough, the Circular directs users “to apply the standards and guidelines contained in the NIST FIPS, NIST SPs (e.g., 800 series guidelines), and where appropriate and directed by OMB, NIST Interagency or Internal Reports (NISTIRs).” Good luck with that one!
That said, the Circular has certain favorable aspects that are worth noting. We will discuss this in an upcoming post.
If you have questions about the above content, contact our data security experts at firstname.lastname@example.org.
Also, to stay current on developments in the world of data security, follow bTrade on Twitter, Facebook, LinkedIn and Google+.
This is the last in a series of data security case studies offered by bTrade in support of National Cyber Security Awareness Month (NCSAM). As mentioned previously, bTrade is examining documents from public cases/proceedings initiated by regulators alleging bad data security practices, with the hope that lessons can be learned of what “not-to-do” when it comes to data security. This post will examine not one, but three separate cases involving two private companies from different industries as well as a government entity that was the subject of what some call the “most devastating cyber attack in our nation’s history.”
HIPAA Settlement Underscores the Vulnerability of Unsupported, Out-of-Date Software
An investigation was opened by Health and Human Services, Office for Civil Rights (OCR), after Anchorage Community Mental Health Services (ACMHS), a nonprofit mental-health care provider, gave notice of a breach involving malware that compromised unsecured electronic protected health information (ePHI) affecting 2,743 individuals. OCR’s investigation revealed that ACMHS failed to: (1) conduct “accurate and thorough” risk assessments; (2) implement policies and procedures to safeguard its e-PHI; and (3) implement “technical security measures to guard against unauthorized access to e-PHI” such as installing firewalls and ensuring that “information technology resources were both supported and regularly updated with available patches.”
ACMHS agreed to settle potential violations of HIPAA’s Security Rule by paying $150,000 and adopting a corrective action plan to correct deficiencies in its HIPAA compliance program. The corrective action plan requires ACMHS to report on the state of its compliance to OCR for a two-year period.
What is the lesson learned from this data security case study? Although multiple violations were alleged, OCR’s public statements focused on just one of ACMHS’s data security problems–running unsupported, out-of-date software. For example, in a public bulletin issued after the settlement, OCR said the data security breach was “the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.” OCR Director Jocelyn Samuels echoed these same sentiments:
Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.
SEC Settlement Underscores the Need to Adopt Written Policies and Procedures to Safeguard Customer Information
The Securities and Exchange Commission (SEC) censured and fined a St. Louis-based investment advisor, R.T. Jones Capital Equities Management, for not having required data security policies and procedures in place. According to the SEC’s order, R.T Jones stored sensitive personally identifiable information (PII) of clients and others on its third party-hosted Web server. The server was attacked by an unknown hacker who gained access and copy rights to the data on the server rendering the PII vulnerable to theft.
Without admitting or denying the SEC’s findings, R.T. Jones agreed to pay a $75,000 penalty to settle charges that it violated the “safeguards rule” because it “failed entirely” to adopt written policies and procedures reasonably designed to safeguard customer information. For example, the SEC alleged that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server or maintain a response plan for cybersecurity incidents.
What is the lesson learned from this data security case study? In a prepared statement, Marshall Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit, provided the lesson:
As we see an increasing barrage of cyberattacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients’ private information, and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.
OPM Lawsuit Underscores the Need, in Certain Situations, to Shut Down and Start Over
An FAA employee recently filed a federal court class action lawsuit arising out of multiple cyber-breaches of systems at the U.S. Office of Personnel Management (OPM). OPM provides investigative products and services for over 100 federal agencies to use as a basis for suitability and security clearance determinations. According to the lawsuit, hackers compromised the security of at least 21.5 million individuals and top lawmakers described the breach as the “most devastating cyber attack in our nation’s history.”
What do plaintiffs allege that OPM did wrong? Plenty, according to OPM’s Office of Inspector General (“OIG”), the agency required under federal law to conduct annual audits of OPM’s cyber security program and practices. OIG identified “material weaknesses” as far back as 2007 that OPM not only failed to cure, but in many areas OPM’s performance actually got worse. According to a 2014 OIG report, the “drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own.” As a result, the OIG concluded that OPM’s software systems were so vulnerable that OPM should consider “shutting [them] down.”
What is the lesson learned from this data security case study? Although this saga has not yet played out since the lawsuit was only recently filed, we now know that certain data security systems can be so bad that the best solution is to “shut them down” and start over. At this point, it appears OPM’s problems result from the horrible operations of a government agency and its incompetent staff, rather than with technology or policies/procedures.
So stay tuned on this one because we guarantee it will produce lessons of what not-to-do when it comes to data security. bTrade’s MFT Nation will keep you updated on events as and when they occur.