Old technology, poor governance to blame in OPM breach, report finds
Millions of Americans' personal information is at risk not because the data breaches at the Office of Personnel Management were so sophisticated, but because OPM's systems were so antiquated, a new report finds.
"In terms of advanced persistent threats, the OPM breach was not a sophisticated attack," states a July report (pdf) from the Institute for Critical Infrastructure Technology.
"The failure of [the Homeland Security Department] or OPM systems to detect the breach does not indicate a level of sophistication on behalf of the adversary; rather, it only shows that the breach was sophisticated for 1970's legacy systems that operate on COBOL mainframe applications that have not been updated since the Y2K bug," add report authors who include researchers from Carnegie Mellon, (ISC)2, HP and Securetronix, among others.
OPM's failure to adhere to cybersecurity practices set by the National Institute of Standards and Technology and to comply with the Federal Information Security Management Act is another reason why a series of attacks on OPM and its contractors between November 2013 and last month left 22.5 million former, current and prospective U.S. employees, along with their families, friends and known associates, at risk, the report states.
For instance, in 2014, only 75 percent of OPM's critical systems had valid authorizations in accordance with FISMA regulations, and in January, an inspector general audit of OPM that deemed the agency's cybersecurity sufficient relied on unverified data simulation, the report adds.
The report also identifies another possible point of entry: an unpatched vulnerability in an existing or otherwise unsecured system.
The nature and duration of the breaches suggest that an Advanced Persistent Threat, or APT, was to blame, and although many fingers point to China or a Chinese-sponsored APT group called Deep Panda, the report warns against jumping to conclusions. After all, it states, many groups use the same types of malware.
OPM could have benefited from several cyber defense approaches, the report states:
- Additional encryption.
- A user behavioral analytics system, which monitors user activity to build a per-user baseline profile against which anomalous behavior can be flagged.
- A comprehensive governing policy, including educating users about cyber safety.
- A centralized information technology staff.
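A user behavioral analytics system of the kind listed above, reduced to its core, learns a baseline of what each account normally does and raises an alert when a new event departs from it. The Python below is an added example written for this page, not code from the report, from OPM, or from any product the report names; the log format, user names, hosts, timestamps and record counts are all constructed for illustration, and the three checks (new source host, activity outside the observed hours window, record volume beyond mean plus three standard deviations) are one simple choice of baseline features, not a description of any specific system.

```python
"""Minimal user-behaviour baselining over constructed access-log lines (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data: "<ISO timestamp> <user> <source host> <records fetched>".
# These are not real OPM records; the values exist only to exercise the checks.
BASELINE_LOG = """\
2015-03-02T09:12:44 jdoe ws-1041 12
2015-03-02T10:05:10 jdoe ws-1041 8
2015-03-03T11:40:31 jdoe ws-1041 15
2015-03-03T13:22:09 jdoe ws-1041 9
2015-03-04T14:01:55 jdoe ws-1041 11
2015-03-04T15:30:18 jdoe ws-1041 7
2015-03-05T16:11:02 jdoe ws-1041 14
2015-03-05T16:55:40 jdoe ws-1041 10
2015-03-02T08:50:03 msmith ws-2203 20
2015-03-03T09:30:47 msmith ws-2203 25
2015-03-04T14:10:12 msmith ws-2203 18
"""

CANDIDATE_LOG = """\
# normal daytime session from the usual workstation
2015-03-09T10:30:00 jdoe ws-1041 10
# lunchtime hour never seen directly, but inside the observed 09-16 window
2015-03-09T12:05:00 jdoe ws-1041 9
# bulk pull at 02:14 from a host this user has never used
2015-03-09T02:14:07 jdoe srv-ext-7 4800
# account with no baseline at all
2015-03-09T03:00:00 svc_backup srv-ext-7 250
"""


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    records: int


@dataclass
class Profile:
    hosts: set = field(default_factory=set)   # source hosts seen for the user
    hours: list = field(default_factory=list)  # hour-of-day of each baseline event
    counts: list = field(default_factory=list)  # records fetched per baseline event


def parse_log(text):
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, host, records = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, int(records)))
    return events


def build_baseline(events):
    """Aggregate baseline events into one Profile per user."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e.user]
        p.hosts.add(e.host)
        p.hours.append(e.ts.hour)
        p.counts.append(e.records)
    return dict(profiles)


def volume_ceiling(profile, sigma=3.0):
    """Record-count threshold: mean plus sigma population standard deviations."""
    return mean(profile.counts) + sigma * pstdev(profile.counts)


def score_event(profile, e, sigma=3.0):
    """Return the list of baseline departures for one event (empty list = normal)."""
    reasons = []
    if e.host not in profile.hosts:
        reasons.append(f"source host {e.host} never seen for this user")
    lo, hi = min(profile.hours), max(profile.hours)
    if not lo <= e.ts.hour <= hi:
        reasons.append(f"activity at {e.ts.hour:02d}:00, outside observed window {lo:02d}-{hi:02d}")
    limit = volume_ceiling(profile, sigma)
    if e.records > limit:
        reasons.append(f"{e.records} records fetched, above baseline ceiling {limit:.1f}")
    return reasons


def detect(profiles, events, sigma=3.0):
    """Score each candidate event against its user's profile; return (event, reasons) alerts."""
    alerts = []
    for e in events:
        if e.user not in profiles:
            alerts.append((e, [f"no baseline for user {e.user}"]))
            continue
        reasons = score_event(profiles[e.user], e, sigma)
        if reasons:
            alerts.append((e, reasons))
    return alerts


def run_demo():
    profiles = build_baseline(parse_log(BASELINE_LOG))
    return detect(profiles, parse_log(CANDIDATE_LOG))


if __name__ == "__main__":
    for event, reasons in run_demo():
        print(f"{event.ts.isoformat()} {event.user}@{event.host}: " + "; ".join(reasons))
```

Two caveats matter in practice. First, a baseline is only as clean as the period it was learned from: with intrusions running from November 2013 onward, a profile trained during that window would have absorbed the attacker's activity as "normal", so baselines need to be built from a period believed clean and re-checked when an incident is discovered. Second, the hours-window check above treats a gap between observed hours as normal, which avoids false positives for a lunch break but would miss an attacker who operates only inside the victim's working day; the volume and new-host checks are what catch that case.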
Despite media and congressional attention on the OPM breach, "very little focus has been dedicated to learning from this calamitous event and proactively utilizing that information to prevent such occurrences in the future," the report states.
The government should seize on the public awareness following the breaches to shore up its cybersecurity efforts and regain public trust, the report states.
"Post breach education of the information security best practices helps to demonstrate to the American public and the entire world that America will not remain a vulnerable target and that the breach has not caused a chasm of distrust between people and government," it states.