The so-called actionable indicators of compromise (IOCs) were shared with both the private and public sectors, “as soon as the findings cleared the equitable process,” said Ann Barron-DiCamillo, CTO of Strategic Cyber Ventures and the former director of US-CERT (the United States Computer Emergency Readiness Team).
Based on the OPM report, one could argue that OPM took the NTSB approach to investigating the breach.
John Chirhart, federal technical director, Tenable Network Security
“This report wasn’t sharing actionable data but provided forensic assessment of the activities and shortcomings leading to the breaches,” she said, adding that investigations like this, “are complicated with many moving parts and stakeholders involved but further exacerbated by being a federal entity with multiple oversight bodies.”
Leo Taddeo, CSO of Cryptzone and former special agent in charge at the FBI’s New York City cybercrimes division, was not surprised at the time it took to complete the report. “Conducting interviews of key personnel can be delayed by the fact that they are in crisis mode trying to remediate the damage,” he said. “There is also significant time required to schedule witnesses and arrange hearings.”
But at least one expert – Kevin Bocek, vice president of security strategy and threat intelligence at Venafi – said he was “disturbed” at how long it took to finish the report.
“Most of the details were leaked to the press and left it to the imagination of professionals trying to defend their organization from possible similar attacks to ascertain fact or fiction,” he said.
And Baker, while not surprised at the time it took, agreed that, “the internal reporting could and should have been much faster.”
Whether the report’s blistering findings will change the security culture within the government is uncertain. As noted earlier, those in charge – Archuleta and Seymour – were allowed to resign rather than be fired. The government made it clear that it accepts liability for any damages to the victims.
And while, in the wake of the breach, President Obama, the federal CIO and the Office of Management and Budget directed all federal agencies to serve every public-facing website over HTTPS, that is, encryption backed by digital certificates, Bocek said, “they failed to mention any direct preparation to deal with the new threats that arise from using encryption.”
Those include the malicious use of digital certificates. “If encryption is the default, every website will use certificates to make the padlock glow green in your browser and turn on encryption,” Bocek said. “The hackers behind the OPM breach understood this, and when they created the opmsecurity.org website, they used a digital certificate to make users feel safe.”
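The lookalike-domain trick Bocek describes is one a defender can watch for: Certificate Transparency (CT) logs record most publicly trusted certificates, so a newly certified name that imitates a protected brand can be flagged before users ever see its padlock. The Python below is an added example, not code from the article or from any organization quoted in it. Its input records are constructed to resemble CT log entries (subject name, issuing CA); opmsecurity.org is the domain named in the article, the `.example` names and the issuer name are hypothetical, and the `brand` and `legit_apex` parameters are this example's own.

```python
"""Flag newly certified domain names that imitate a protected brand.

Added example, not code from the article. The records below are constructed
in the shape of Certificate Transparency log entries (subject name, issuer);
a real deployment would feed them from a CT monitor instead.
"""
from __future__ import annotations

# Constructed sample data. opmsecurity.org is the domain named in the article;
# the .example names are hypothetical lookalikes; the opm.gov names are the
# legitimate hosts used as a control. "ExampleCA" is a placeholder issuer.
SAMPLE_RECORDS = [
    ("www.opm.gov", "ExampleCA"),
    ("*.opm.gov", "ExampleCA"),
    ("opmsecurity.org", "ExampleCA"),
    ("opm-login.example", "ExampleCA"),
    ("0pm.example", "ExampleCA"),
    ("unrelated.example", "ExampleCA"),
]

# Digits commonly swapped in for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def normalize(label: str) -> str:
    """Lowercase, fold digit-for-letter swaps and drop hyphens: 'opm-l0gin' -> 'opmlogin'."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, inlined because it is only a few lines."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(domain: str, legit_apex: str) -> bool:
    """True for the apex itself, its subdomains and wildcard names under it."""
    d = domain.lower().lstrip("*.")
    return d == legit_apex or d.endswith("." + legit_apex)


def lookalike_reason(domain: str, brand: str) -> str | None:
    """Return why a (non-legitimate) domain imitates the brand, or None."""
    labels = domain.lower().lstrip("*.").split(".")
    # Skip the TLD; the brand is planted in the registrable or host labels.
    for label in labels[:-1]:
        folded = normalize(label)
        if label == brand:
            return f"label '{label}' is the brand token under a foreign domain"
        if brand in folded:
            return f"label '{label}' contains brand token '{brand}'"
        if levenshtein(folded, brand) == 1:
            return f"label '{label}' is one edit from '{brand}'"
    return None


def find_lookalikes(records, brand: str, legit_apex: str):
    """Scan (domain, issuer) records; return [(domain, issuer, reason)] for suspects."""
    hits = []
    for domain, issuer in records:
        if is_legitimate(domain, legit_apex):
            continue  # the brand's own certificates are expected, not suspicious
        reason = lookalike_reason(domain, brand)
        if reason:
            hits.append((domain, issuer, reason))
    return hits


if __name__ == "__main__":
    for domain, issuer, reason in find_lookalikes(SAMPLE_RECORDS, "opm", "opm.gov"):
        print(f"{domain:20} issued by {issuer}: {reason}")
```

The point of the control records is the caveat a practitioner will hit first: a brand monitor that flags every name containing the token will page on the organization's own wildcard and subdomain certificates, so the legitimate apex is excluded before any similarity test runs. The homoglyph fold and one-edit check are deliberately conservative; widen the substitution table and the edit threshold only with a human review queue behind them.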