Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The OPM breach report: A long time coming

Taylor Armerding | Oct. 14, 2016
The catastrophic breach of the federal Office of Personnel Management, which exposed the personal information of more than 22 million current and former employees, became public in mid-2015. It took another 15 months for Congress to complete a report on it

One of the key findings in the report was that, “OPM failed to heed repeated recommendations from its Inspector General,” which began in 2005.

It said the discovery of who it called “Hacker X1” in March 2014, “should have sounded a high level, multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data.”

Yet, a June 2015 letter from then OPM CIO Donna K. Seymour to the millions of victims of the breach said the OPM, “takes very seriously its responsibility to protect your information,” and offered credit monitoring service and identity fraud insurance as “a courtesy.”

But it followed that with a declaration that the OPM would not take any responsibility for failing to protect it. “Nothing in this letter should be construed as OPM or the US Government accepting liability for any of the matters covered by this letter or for any other purpose,” it said.

Seymour was not fired. She retired this past February, two days before she was scheduled to appear before Congress to talk about the breach. The head of OPM during the intrusion, Kathleen Archuleta was not officially fired either. She resigned under pressure from Congress in July 2015.

All of which raises the question of whether the report itself is more evidence that government is not up to the task of safeguarding what Joel Brenner, former National Security Agency (NSA) senior counsel, called, “crown jewel material.”

If it takes Congress more than a year simply to report on what went wrong, what chance does the bureaucracy have to keep up with ever-evolving cyber threats?

A number of security experts agreed that the report was slow in coming, but pointed out that a report is not the response.

All agreed that OPM had what former Department of Homeland Security (DHS) official Stewart Baker called, “a lousy security culture.

Baker, now a blogger, partner at Steptoe & Johnson and a board member of the Association of Former Intelligence Officers (AFIO), added that, “someone probably should have been fired sooner.”

Someone probably should have been fired sooner.

stewart baker

Stewart Baker, blogger and partner at Steptoe & Johnson

But he and others said politics can put a drag on any report. “It’s a congressional investigation,” he said. “I’m sure the executive branch was cautious in cooperating, so I’m not surprised it took as long as it did.”

John Chirhart, federal technical director at Tenable Network Security, compared it to the way the National Transportation Safety Board (NTSB) works. “One of the cardinal rules of any investigation is not to officially determine the cause or cast blame until the investigation is complete,” he said. “Based on the OPM report, one could argue that OPM took the NTSB approach to investigating the breach.”

 

Previous Page  1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.