For most anyone interested in cybersecurity and black- or white-hat hacking, the House Committee on Oversight and Government Reform 241-page report on the OPM Data Breach is required reading.
The report puts OPM on the sacrificial altar for the world to see. It is all-encompassing. It covers the timeline of the hack, the extent of the damage, an ominous sounding “Table of Names” that lists the key personalities like the playbill cast of characters in a Shakespearian tragedy—both villains and heroes. What follows is the narrative, the details of exactly what happened when and who did and didn’t do what to whom.
Lax security at the forefront of the OPM Breach
The bottom line seems to be that a lackadaisical cybersecurity program is at fault. No matter how good the cybersecurity plan might have been, failures in leadership and oversight up and down the chain are to blame. The report reads, “Despite the high value of information maintained by OPM, the agency failed to prioritize cybersecurity and adequately secure high value data.”
In (very, very) short, the hackers got inside OPM, made themselves at home, and went on a three year shopping spree. Aliya Sternstein’s Nextgov review reports that “the first traces of adversary activity on OPM’s network date back to 2012, too far back in time to know what else beyond 21.5 million background check records might have been compromised.” Politico’s Tim Starks writes, “The report arrives at several new conclusions, among them that the series of breaches over 2014 and 2015 were ‘likely connected and possibly coordinated’ by two Chinese government-sponsored groups.” There are so many good reports out there to read, it’s simply impossible to even begin to do them justice. Just grab some coffee, Google OPM hack report, and get to work.
The impact on national intelligence
A series of teasers called “The Damage Done” from noted members of the intelligence community read like back-cover reviews of a summer pop novel. Joel Brenner observes, “’This is not the end of American human intelligence, but it’s a significant blow.’” Former NSA officer Joel Schindler writes, “’We cannot undo this damage. What is done is done and it will take decades to fix.’” Former director of the NSA writes, “’There’s no fixing it.’” He reminds us that until those whose information was compromised age out, they are vulnerable to exploitation.
The report paints a sober, grim picture of Federal agencies’ cybersecurity and calls the OPM breach “a defining moment” in information security. The Executive Summary opens, “The government of the United States has never before been more vulnerable to cyberattacks. No agency appears safe.” It provides some historical context by citing hacks into the US Postal Service, into the Department of State, the Nuclear Regulatory Commission, the IRS, and the White House. The report conspicuously and conveniently fails to mention the recent hack into the NSA’s Equation Group that culminated with Shadowbrokers’ embarrassing auction of cyberweapons for bitcoin.
Chairman Jason Chaffetz’s message in his Opening Letter is as disappointing as it is unreassuring. He essentially excuses himself and apologizes to the CIO community for having to release the report at all by reminding CIOs of the Committee’s oversight duty to taxpayers. The letter rings so hollow, contrived, and transparently juvenile that it would be comical if its topic were not so serious. He writes, “[I]t is up to you—the community of federal chief information officers—to determine how the country will respond.” He asks CIOs, “Can you as the CIO be trusted with highly personal, highly sensitive data on millions of Americans?” Chaffetz’s question begs the answer, “Well, no, we can’t. Not given the current cybersecurity threat the nation faces and the state of spending on cybersecurity.”
He assigns responsibility for the future of national information security to the CIOs and Congress “to ensure it does not happen again.” In all seriousness, I would have thought it would be up to, say, like the President of the United States and the heads of the various Federal agencies to make that determination and do what they can to make sure this never happens again. Chaffetz goes on to sort of guilt-threat-rah-rah-speech CIOs to get to work. Ultimately, he tells them—in case they didn’t know it already or need a lift to their spirits—that “Federal CIOs matter.”
Right now, legions of information security professionals, partisan and bi-partisan political news outlets, and others are tearing the report apart like sharks in a feeding frenzy. Analysis of the analysis that the report represents will be important reading as well, and great fodder for the closing days of this campaign season.