There are far more questions than answers about the massive Office of Personnel Management breach that exposed the personal data of millions of current and former federal employees.
In the wake of OPM’s June 4 announcement that some 4 million people were affected by the cyber hack, new reports have surfaced that create a much bleaker picture than was initially reported by the agency.
“During the course of this investigation, the incident response team shared with relevant agencies a high degree of confidence that there was a separate intrusion into OPM systems that may have compromised information related to the background investigations of current, former, and prospective Federal government employees, and other individuals for whom a federal background investigation was conducted,” OPM Press Secretary Samuel Schumach told GovLoop.
“OPM continues to work with US-CERT and the FBI to determine the type of records that may have been compromised and the population of individuals affected,” Schumach said, noting that “OPM will notify those individuals whose information may have been compromised as soon as practicable.”
Early on, OPM did warn that the ongoing investigation might reveal more instances where personal data was compromised. But that doesn’t soften the blow for millions of current and retired feds whose Social Security numbers, birthdates, job assignments, training records and benefits selections may have been compromised. Many of the details about the breach are coming from unnamed government officials and varying reports, leaving feds wondering what’s really going on.
Neither feds nor House lawmakers are satisfied with OPM’s current explanation of the cyber hack. That’s why the House Oversight and Government Reform Committee is hosting a 10 a.m. hearing on Tuesday to find out directly from OPM all the things we wish we knew about the breach: who was affected, what information was stolen, was it encrypted, how many breaches were discovered? OPM Director Katherine Archuleta, OPM Chief Information Officer Donna Seymour, Federal CIO Tony Scott and Sylvia Burns, CIO for the Interior Department, are among those invited to testify at tomorrow’s hearing.
I expect Scott will talk about the administration’s newly launched effort to implement key cybersecurity measures governmentwide over the next month and a newly launched review of federal cybersecurity policies, procedures and practices.
Enhanced Cybersecurity Governmentwide
Details about a second breach add yet another troubling dimension to the already grim reports. And the sad — but true — reality is that it often takes catastrophic events to usher in reform.
The Office of Management and Budget announced last Friday new steps the administration would take to beef up cyber defenses governmentwide. The federal CIO will lead a 30-day Cybersecurity Sprint, focused on better protection of federal data, improving indications and warnings of cyber threats, decreasing the time it takes to patch software vulnerabilities and a host of other action items.
Here are the key efforts agencies will carry out and report on over the next 30 days:
- Using information provided by the Department of Homeland Security, agencies are instructed to immediately scan their systems and check security logs for evidence of malicious cyber activity. DHS provides agencies with indicators, or data used to describe and identify specific cyber threats, based on traits such as the IP and email addresses from which the attack originated.
- Agencies are also tasked with patching critical security risks that are easy to identify and correct because they’re well known. Agencies receive weekly reports from DHS’ automated security checks of federal civilian networks, and agencies are expected to immediately resolve any issues detailed in those reports.
- To the greatest extent possible, agencies should also minimize the number of privileged users and limit the functions they can perform when accessing agencies’ networks remotely. Agencies must also ensure that the online activities of privileged users are properly monitored and logged.
- Agencies are instructed to accelerate the use of multi-factor authentication because usernames and passwords alone are not sufficient. For years agencies have struggled to enforce the use of Personal Identity Verification cards not only for physical access to federal buildings but also to log on to their computers. Other forms of multi-factor authentication include biometrics and tokens.
You may have noticed that OPM added a few new features to its online FAQ section pertaining to the breach, including a feedback mechanism for visitors to rate OPM’s effectiveness in answering questions. How would you rate OPM’s efforts to keep feds informed about the breach?