The US federal government has designated November as National Critical Infrastructure Security and Resilience Month (CISR Month). Effective cybersecurity measures are one crucial component of our country’s critical infrastructure. So as part of CISR Month, bTrade would like to offer what MFT Nation likes to call a “case study in what-not-to-do” in the world of cybersecurity.
Here’s the Situation
You are the IT person responsible for maintaining a vast collection of highly sensitive data for your organization. More than a year ago, your system was hacked and the cyber thieves absconded with a major part of your organization’s sensitive data. The incident was widely reported by all forms of media, even the fact that the organization’s auditors had been issuing reports which rated your cybersecurity measures as “deficient,” or words to that effect.
So what do you do? You listen to your auditors and become more vigilant about your cybersecurity efforts, right? Most would think that, especially if you’re in the private sector. But this particular situation doesn’t involve a private sector business. It concerns a prominent government agency within the White House called Office of Personnel Management (OPM), and the most sad/maddening part of this case study is that the latest audit report finds that OPM’s cybersecurity measures are actually regressing.
I kid you not, and here are the pertinent details of this sad/maddening case study in what-not-to-do.
History of Cybersecurity Warnings from OPM’s Auditors
In a previous post, bTrade’s MFT Nation described the importance of OPM’s activities within our country’s critical infrastructure. We also explained that OPM’s inspector general had issued a series of warnings beginning in 2007 about glaring problems with OPM’s cybersecurity measures. In fact, the IG issued a “flash audit alert” stating that OPM’s “severely outdated” security procedures put its data at risk.
OPM Breach – Most Damaging Cybersecurity Intelligence Breach in US History
The risk was realized last year when hackers gained access to OPM servers for an extended period of time and made off with highly sensitive data collected during security clearance investigations on some 22 million federal employees. A major print publication reported that U.S. officials considered the breach to be “among the most potentially damaging cyber heists in U.S. government history.”
OPM’s Deplorable Conduct hasn’t Changed since the Breach
The OPM auditor recently released a new report which finds that OPM’s cybersecurity defenses have gotten worse since the devastating breach. The report points to a “significant regression” in the agency’s compliance with a 2014 cybersecurity law, and notes that the agency “failed to meet requirements that [it] had successfully met in prior years.”
The report also found the agency still suffers a “significant deficiency” in its information security management, doesn’t have a full inventory of its servers, only two of its applications met government user verification, and it doesn’t track fixes of routine security weaknesses. In fact, of the 26 recommendations issued by the auditor, 17 of them had been issued before, with some dating back to 2008.
The auditor offered these striking facts to support its deficiency findings:
- “OPM has a history of troubled system development projects. Despite multiple attempts and hundreds of millions of dollars invested, OPM has encountered well publicized failures to modernize its retirement claims processing, financial, and background investigation systems. In FY 2016, the agency’s enormous IT infrastructure overhaul initiative was significantly behind schedule.”
- “We believe that OPM’s IT security management structure – as currently defined on paper – can be effective with some minor improvements (see the next section of this report). However, this structure was not operational for the majority of FY 2016, and therefore we believe that this issue again rises to the level of a significant deficiency.”
- “At the end of fiscal year (FY) 2016, the agency still had at least 18 major systems without a valid Authorization” ”—i.e., an assessment/evaluation of whether a system’s security controls are meeting the security requirements of that system.
- “OPM has not established an agency-wide risk management strategy. In addition, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 are not all fully implemented.”
- “OPM does not have configuration baselines for all operating platforms. This deficiency impacts the agency’s ability to effectively audit and monitor systems for compliance.”
- “The majority of OPM systems contain Plan of Action and Milestones that are over 120 days overdue,” and “contingency plans for most of OPM’s systems have not been reviewed or tested in FY 2016.”
- “Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.”
Basically, all aspects of OPM’s IT infrastructure have problems. The equipment is outdated despite “well publicized failures to modernize.” The infrastructure is not well managed as there is “a history of troubled system development projects,” including the “IT infrastructure overhaul initiative” which is “significantly behind schedule.” OPM’s policies and procedures are either lacking or not followed (the “12 primary elements” of OPM’s “agency-wide risk management strategy” are “not all fully implemented”). The human resources are not properly trained, including those individuals with “significant information security responsibility” that have not taken “specialized security training” required by “OPM policy.” Not a pretty picture.
But the most galling aspect of OPM’s IT infrastructure is that all these deficiencies are still present after a historically bad data breach and “[de]spite multiple attempts and hundreds of millions of [taxpayer] dollars invested.” Pitiful. Just pitiful.
If a private sector business had such a poor cybersecurity track record, all hell would break loose. Congress would call for hearings, the media would be outraged, lawyers would sue, and government agencies would levy heavy fines. But we see no similar steps taken with respect to OPM. Why? Where is the outrage? Have we come to accept government waste as a fact of life? Are we willing to look the other way when we get shoddy work despite spending “hundreds of millions of [taxpayer] dollars”?
We certainly hope not. It’s time to treat all critical infrastructure the same, whether it be in the public or private sector. So join us in saying to OPM: You need to get your house in order, and time is of the essence because you are responsible for highly sensitive data affecting tens of millions of Americans.