This report wasn’t sharing actionable data but provided a forensic assessment of the activities and shortcomings leading to the breaches.
Ann Barron-DiCamillo, CTO, Strategic Cyber Ventures; former director of US CERT
Also, if everything is encrypted, it is easier for malicious actors to hide. “Security controls like firewalls, IPS/IDS, sandboxes and more all expect to scan traffic,” he said. “Unless they can look inside encrypted traffic, they are blind and useless.”
Incoming traffic can create problems as well, he said. “It means all these security systems will need to have all the keys and certificates from an organization loaded into them. This is a huge challenge and one that only automation can help solve,” he said.
Taddeo added that the report didn’t go into much detail about how quickly the IOCs were shared with network defenders. Besides IOCs, “the information most important to network defenders includes the hacker tactics, techniques, and procedures (TTPs), IP addresses, virus signatures, URLs or domain names of botnet command and control servers, and MD5 hashes of malware files,” he said. “This type of information should be shared very quickly by investigators and in most cases it is.”
But the report, he noted, “is not clear how long it took to publish the TTPs and IOCs.”
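The indicator categories Taddeo lists (C2 IP addresses, domains and URLs, malware file hashes) are only useful once a defender matches them against their own telemetry. As an added example, not taken from the article, the committee report or any of the people quoted, the following Python scans a few constructed proxy, DNS and endpoint log lines against a constructed indicator set. Every IP address, domain and hash below is a placeholder (TEST-NET addresses, example.* domains, the MD5 of an empty file); none comes from the OPM investigation.

```python
"""Added example (not from the article or the OPM report): a minimal IOC
matcher of the kind network defenders run once investigators share
indicators. All indicator values and log lines are constructed."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator set in the categories the quote lists. Hashes are
# stored lower-case so a report quoting them in upper-case still matches.
IOCS = {
    "ip": {"203.0.113.10", "198.51.100.77"},           # RFC 5737 TEST-NET
    "domain": {"c2.example.net", "update.example.org"},
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},         # MD5 of empty input
}

# Constructed log lines: web proxy, DNS resolver and endpoint file-hash records.
SAMPLE_LOGS = [
    "2015-06-01T10:00:01Z proxy src=10.1.2.3 dst=203.0.113.10 url=http://c2.example.net/beacon",
    "2015-06-01T10:00:05Z dns client=10.1.2.9 query=cdn.update.example.org type=A",
    "2015-06-01T10:00:09Z edr host=ws17 path=C:\\Users\\x\\dl.exe md5=D41D8CD98F00B204E9800998ECF8427E",
    "2015-06-01T10:00:12Z proxy src=10.1.2.4 dst=93.184.216.34 url=http://www.example.com/",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)  # last label alphabetic
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


@dataclass
class Hit:
    line_no: int     # 1-based index into the scanned lines
    kind: str        # "ip", "domain" or "md5"
    indicator: str   # the shared indicator that fired
    observed: str    # the value as it appeared in the log


def md5_of(data: bytes) -> str:
    """Hash a file's bytes the way a file-hash IOC expects them: lower-case hex."""
    return hashlib.md5(data).hexdigest()


def _valid_ipv4(text: str) -> bool:
    # The regex admits octets like 999; let the stdlib reject them.
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _domain_matches(observed: str, indicator: str) -> bool:
    # A C2 domain indicator should also fire on its subdomains.
    observed = observed.lower().rstrip(".")
    return observed == indicator or observed.endswith("." + indicator)


def scan(lines, iocs=IOCS):
    """Return every indicator hit found in the given log lines, in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if _valid_ipv4(ip) and ip in iocs["ip"]:
                hits.append(Hit(n, "ip", ip, ip))
        for h in MD5_RE.findall(line):
            if h.lower() in iocs["md5"]:
                hits.append(Hit(n, "md5", h.lower(), h))
        for d in DOMAIN_RE.findall(line):
            for ind in iocs["domain"]:
                if _domain_matches(d, ind):
                    hits.append(Hit(n, "domain", ind, d))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.indicator} seen as {hit.observed}")
```

Two details matter in practice and are handled above: hashes are compared case-insensitively, since reports print them in either case, and a domain indicator also fires on its subdomains, since C2 infrastructure commonly rotates hostnames under one registered domain.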
The report does say that the committee “remains hopeful that OPM, under the new leadership of Acting Director Beth Cobert, is in the process of remedying decades of mismanagement.”
And it offers 13 recommendations for reform, including updated technology, better training, better cyber hygiene and to “ensure that agency CIOs are empowered, accountable and competent.”
None of it inspires much confidence in Chirhart, who said he is among the breach victims.
If OPM had been a private corporation subject to various state laws, “its response could have led to litigation,” he said. “But the federal government is protected by sovereign immunity, so victims are ‘lucky’ to have received what they did, and have very little, if any, legal recourse for compensation.”
The enormous irony, he noted, is that the stolen data was what the government used to determine whether a person could be trusted to handle sensitive, classified data. “The very same people who determine worthiness for everyone else proved themselves to be the ones incapable of properly handling sensitive information,” he said.