September 7, 2016

The massive data breach at the U.S. Office of Personnel Management (OPM) that exposed background investigations and fingerprint data on millions of Americans was the result of a cascading series of cybersecurity blunders from the agency’s senior leadership on down to the outdated technology used to secure the sensitive data, according to a lengthy report released today by a key government oversight panel.

OPM offices in Washington, DC. Image: Flickr.

The 241-page analysis, commissioned by the U.S. House Oversight & Government Reform Committee, blames OPM for jeopardizing U.S. national security for more than a generation.

The report offers perhaps the most exhaustive accounting and timeline of the breach since it was first publicly disclosed in mid-2015. According to the document, the lax state of OPM’s information security left the agency’s information systems exposed for any experienced hacker to infiltrate and compromise.

“The agency’s senior leadership failed to fully comprehend the extent of the compromise, allowing the hackers to remove manuals and other sensitive materials that essentially provided a roadmap to the OPM IT environment and key users for potential compromise,” the report charges.

Probably the most incisive portion of the assessment is the timeline of major events in the breach, which details a series of miscalculations on the part of the OPM leadership. The analysis paints the picture of a chronic — almost willful — underestimation by senior leadership at OPM about the seriousness of the threat facing the agency, until it was too late.

According to the report, the OPM first learned something was amiss on March 20, 2014, when the US-CERT notified the agency of data being exfiltrated from its network. In the ensuing weeks, OPM worked with US-CERT to implement a strategy to monitor the attackers’ movements to gather counterintelligence.

The only problem with this plan, according to the panel, was that the agency erroneously believed it had cornered the intruder. However, the hacker that OPM and US-CERT had eyes on wasn’t alone. While OPM monitored the first hacker [referred to in the report only as Hacker X1], on May 7, 2014 another hacker posed as an employee of an OPM contractor (KeyPoint) performing background investigations. That intruder, referred to as Hacker X2, used the contractor’s OPM credentials to log into the OPM system, install malware and create a backdoor to the network.

As the agency monitored Hacker X1’s movements through the network, the committee found, it noticed Hacker X1 was getting dangerously close to the security clearance background information. OPM, in conjunction with DHS, quickly developed a plan to kick Hacker X1 out of its system. It termed this remediation “the Big Bang.” At the time, the agency was confident the planned remediation effort on May 27, 2014 eliminated Hacker X1’s foothold on its systems.

The decision to execute the Big Bang plan was made after OPM observed the attacker load keystroke logging malware onto the workstations of several database administrators, the panel found.

“But Hacker X2, who had successfully established a foothold on OPM’s systems and had not been detected due to gaps in OPM’s security posture, remained in OPM’s systems post-Big Bang,” the report notes.

On June 5, malware was successfully installed on a KeyPoint Web server. After that, X2 moved around OPM’s system until July 29, 2014, when the intruders registered opmlearning.org — a domain the attackers used as a command-and-control center to manage their malware operations.

From July through August 2014, Hacker X2 exfiltrated the security clearance background investigation files. Then in December 2014, 4.2 million personnel records were exfiltrated.

On March 3, 2015, wdc-news-post[dot]com was registered by the attackers, who used it as a command-and-control network. On March 26, 2015, the intruders began stealing fingerprint data.

The committee found that had the OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft.

For example, “OPM’s adoption of two-factor authentication for remote logons in early 2015, which had long been required of federal agencies, would have precluded continued access by the intruder into the OPM network,” the panel concluded.

Unfortunately, the exact details on how and when the attackers gained entry and established a persistent presence in OPM’s network are not entirely clear, the committee charges.

“This is in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems,” the report notes. “The data breach by Hacker X1 in 2014 should have sounded a high level, multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data. It wasn’t until April 15, 2015 that the OPM identified the first indicator that its systems were compromised by Hacker X2.”

The information stolen in the breach included detailed files and personal background reports on more than 21.5 million individuals, and fingerprint data on 5.6 million of these individuals. Those security clearance background reports often included extremely sensitive information, such as whether applicants had consulted with a health care professional regarding an emotional or mental health condition; illegally used any drugs or controlled substances; or experienced financial problems due to gambling.

The intrusion, widely attributed to hackers working with the Chinese government, likely pointed out which federal employees working for the U.S. State Department were actually spies trained by the U.S. Central Intelligence Agency. That’s because — unlike most federal agencies — the CIA conducted its own background checks on potential employees, and did not manage the process through the OPM.

As The Washington Post pointed out in September 2015, the CIA ended up pulling a number of officers from its embassy in Beijing in the wake of the OPM breach, mainly because the data leaked in the intrusion would have let the Chinese government work out which State Department employees stationed there were not listed in the background check data stolen from the OPM.

As bad and as total as the OPM breach has been, it’s remarkable how few security experts I’ve heard raise the issue of what might be at stake if the OPM plunderers had not simply stolen data, but also manipulated it.

Not long after congressional hearings began on the OPM breach, I heard from a source in the U.S. intelligence community who wondered why nobody was asking this question: If the attackers could steal all of this sensitive data and go undetected for so long, could they not also have granted security clearances to people who not only didn’t actually warrant them, but who might have been recruited in advance to work for the attackers? To this date, I’ve not heard a good answer to this question.

A copy of the 110 MB report is available here (PDF).


83 thoughts on “Congressional Report Slams OPM on Data Breach”

  1. columbus_viaLA

    OPM.

    Figures. The bumblers who put the system together must have been on something like that.

  2. Ken Lane

    What is scary is that there still is no accountability for this breach of security.

    I know friends that worked in the Federal Government–and myself as well–and we’re worried that for the rest of our lives, our personal info is out there, and can never be made anonymous, like it was supposed to be in the first place.

    1. Unknown

      Ken, I speak to this exact topic for an organization on the West Coast. My personal information was compromised, listed on an ISIS Kill list on March 21, 2015 alongside 99 other Service Members. My name, picture, home address, will all now be on a terror target list for the rest of my life. I publicly speak about the true cost of a security compromise. It’s not the “what if’s” that we all worry about, for me it’s the what now…..Bottom line, you are correct in your line of thought.

  3. DorSec

    At least we get identity theft monitoring for 3 years. That should definitely keep my ass safe for the rest of my life.

  4. Mark

    What I find even more frustrating is nobody will be held accountable. This report is an exercise in futility. Just more of the pot calling the kettle black. I have no faith in this government. None. Zero.

    1. Ed

      These days, accountability is almost gone. Most of the federal government’s IT systems are maintained by contractors, who are not accountable at all. Contractors also ingratiate themselves with the federal managers and those federal managers often ignore any warnings federal employees may bring to their attention.

      I’m still working at a large federal department and the absence of accountability among the contract support staff is horrible. The lack of accountability is directly caused by management’s failure to allow their federal employees to properly manage IT contracts.

      1. IA Eng

        It’s the Federal government that selects the contractors through a bidding process. The government makes that choice, since it deems that the government employees are not capable of performing the task at hand.

        Before you point fingers and accept low ball bidders, look in the mirror and tell us that accepting the lowest bid will produce excellent talent. It won’t. Your organization selected the poison that there.

        I am sure there were better companies that were candidates, but the selection process throughout the years has been horrid. The government continues to get crappy grades of F and D throughout the years and nobody from the government wanted to change that. There is absolutely no planning or forward thinking from the government, except awaiting retirement.

        The way the government is run is what the end result will be. If ANY Organization continues to publicly get cyber security grades of F and D, how long will it take before they too are compromised? The government has led the way – down the WRONG path.

        1. Phisher King

          Yep. You get what you pay for, if you are lucky.
          You DO NOT get what you DID NOT pay for.

      2. Keith Glass

        For that matter, talk to any contractor. More often than not (and certainly in my experience. . . ) recommended security measures are not approved, because of “operational need”, or, because they cost too much or (usually) because they would inconvenience people.

        I have friends who worked on the now-infamous CGI Federal contract for the Obamacare website, who tell tales of constantly being over-ridden, requests denied, even load and security testing cancelled. . .

    2. patti

      I dunno – when I think about the complexity of our current system, it boggles my mind. Even if they fired someone – what would it do? The best we can hope for is for someone to step forward and initiate patching or revamping of the system. Everybody loved Greenspan until the crash and he admitted he was wrong – a classic case of thinking an individual, or a few individuals, can handle things. It’s really all our awarenesses (or lack of) together which result in these problems. Why aren’t public service messages being put on TV about these issues? I’ll bet none of the employees at OPM had any idea that hacking is a growing “tidal wave” in our lives. If they did, it would just be common sense to want better security. So I sort of lay it at the feet of the population or … voters? Problem is we’re all, as a nation, misinformed about key facts (but we know the names and habits of “important” celebrities).

  5. Greg

    Excellent reporting as always, Brian.

    The scope of this breach is truly epic, dwarfed only by the size of the incompetence of the government officials involved. Had they not been so foolish, trying to spy (perform counterintelligence) on the “hackers” instead of protecting vital security information, this entire thing may never have happened.

    This is government bureaucracy, and buffoonery, at its most blatant.

    1. patti

      Yep, great reporting. But, I can’t blame non-linux-users for not abandoning windows/macs for security reasons, so can I blame a government agency – and a population of voters which don’t believe science – to abandon systems which intrinsically are not secure?

        1. Matt

          That’s the way I took it too and that would be entirely false. There’s no such thing as a secure system be it Windows, MacOS, Linux, Unix, etc. They all have security flaws waiting to be found.

  6. sarah

    Painful to read this and relive it all. And no recourse for the victims except to try to mop up the mess that results. And wait for the next shoe to drop. Quite apparent the gummint doesn’t care a rat’s furry * for the current and potential damage this has caused. Just more posturing and theatrics…..

  7. Mike

    Oh please!
    Give me a break!

    Most of these people side with a criminal for our next president. Not just a criminal, but one who is in no small way responsible for much of the ‘lack of’ technological security we see here.

    This is just a result of the inmates running the asylum. No one has any desire to hold anyone accountable for anything.

    1. Patti

      You’re saying it’s just a symptom of a much larger problem, and this particular symptom happens to fall within Krebs’ domain of reporting. This is absolutely true. The technical term I’ve heard used to describe this is “hollow government.”

    2. Chip Douglas

      I agree with you. We have a rogue government where no one is held accountable for anything. The leader is a wannabe golf pro who is so corrupt he never met a law he would not violate if he could lie his way around it. His preferred successor is a crook and a liar who puts personal enrichment above security as well as the country.

  8. Bart

    One thing that puzzles me is the fifth paragraph from the bottom; that begins with “The intrusion”

    The two sentences in the paragraph seem to contradict each other. The first says that the hackers were able to ID State Dept staff that were actually CIA. The second says that the CIA did their own background checks. So why did CIA/State info get in the OPM database? You would think the CIA was aware of OPM’s shortcomings.

    1. Jonathan Marcus

      @Bart, CIA does its own checks, and doesn’t go through OPM. So their files were safe. But the Chinese got 100% of OPM’s files. So if there’s a State Department guy they *don’t* have a file for, they know he’s actually CIA.

      @Mike, Clinton was Secretary of State, an office unrelated to OPM. And she left that office years before this breach. I know Trumpkins like conspiracy theories, so can you connect the dots for me on this one?

      1. IA Eng

        The State Dept had a breach of its own as well. The government had a hell of a time trying to kick out all the intruders there as well. Timelines are unclear.

        With intrusions at any branch of the government as unacceptable, how can a potential leader who has a track record of a dirty trail be a good thing? If you understand risk in any way, shape or form and sit, ponder on it for a while, the end result will be relatively apparent and stink to high heaven.

        1. cac

          Dirty Trail? what does that mean. are you blaming Hillary for the state department breach. There was one after she left too with a hacker in their emails for the past year. (maybe same one as the dnc hack)

          Hillary should just walk around with a t-shirt that says “Hi Haters get my emails yet?” Hillary’s server is the only one there is no evidence of a breach. RNC, DNC, Congress computers even hacked by our own CIA, State Department emails, Whitehouse computers including Obama’s ipad, First ladies emails, CIA Director’s emails. All hacked multiple times by multiple actors including 16 year old kids….even though we always want to blame russia and china. (which is where many criminal hackers for hire reside, or simply proxy from)

          State department emails have been breached multiple times, including while she was there in office. And you expected her to use them? There has been one attacker in state department emails they couldn’t get rid of for the past year, Probably same one that was in DNC computers for as long. Guccifer even had to admit he lied about hacking Hillary’s server to FBI Director Comey. And really it probably just boils down to good email practice by her aides rather than anything super technical set on her server.

          More and more it seems as though there is no such thing as computer security and the only blame should be on people who get socially engineered.

          1. Greg D.

            Where have you been for the past year? The so called haters DO have her emails, and there IS proof that the email server was breached. Part of the convenience in being control of your own evidence in an investigation is you can simply destroy it when the heat gets too close. The amount of denial and bad security practices Hillary and her team demonstrated is well-known and thoroughly documented. It wasn’t the “right wing conspiracy” that set up the email server in her own house.

            As far as the OPM breach goes, I’m not surprised. The government just cannot seem to do anything right and has completely lost the point of its creation – they are supposed to serve us, not the other way around.

            1. Mike S.

              There is no proof or evidence her private email server was breached by hackers. The FBI report clearly states this point, not that you bothered reading it. We have her emails from that server because she gave them to the State Department after she left office at their request. All the information I just stated is clearly verified through AP and Reuters stories. Where have you been the last year besides fake conspiracy sites that just make crap up?

            2. Steve S

              That is not correct. There is ZERO evidence that the Clintons’ server was infiltrated. They have seen evidence of attempts to do so, phishing emails, etc. but that is all. You can find those types of emails in anybody’s junk mail folder, they are relentless and everywhere. Nobody involved in any of the investigations has publicly said there was proof the server was verifiably hacked, just the opposite actually.

              1. Chip Douglas

                You can believe what you want, but after the FBI refused to indict Hillary for obviously intentional violations of security protocols, it is plain the fix is in. Whether the influence is in the form of adding to the Clinton’s body count or some other form of intimidation, Hillary is being taken care of at least until the election. As Trump said, “Where there is smoke, there is fire”.
                Here is some dense smoke from July:

                http://www.thegatewaypundit.com/2016/07/russia-released-hacked-hillary-emails-2013-dnc-fears-will-release-20000-election/

                1. CAC

                  You certainly believe everything you read apparently. And no, nothing was “obviously intentional” which is Comey’s whole point.

                  You are nuttier than I thought if you think Hillary threatened to kill Comey or that he was “intimidated about adding to her body count”…aaahahahaha What a fantasy world you live in. Remember, those movies you watch are only entertainment….

                  Here is a conspiracy theory for you…. Trump doesn’t want the Presidency, He only wanted the free publicity and to screw up the republican candidates none of which he liked. Now he is trying to lose on purpose so she can win. People voting for him are blinded by their bigotry and being played for suckers. He will probably lose in the biggest landslide for a Presidential election in American history. There is your fix, Get over it.

                  Here is another one, GOP hired hackers to compromise dnc servers, and then DNC hired some to revenge hack GOP servers haha.

              2. CAC

                Exactly Steve, meanwhile there is plenty evidence of everyone hacking congress computers, state department emails while she was in office, including an actor they haven’t been able to get out of state department emails of for the past year (probably same guy who hacked dnc computers) Obama’s ipad was hacked, the first ladies email, Director of the CIA’s Email, members of the Bush family, OPM, etc…

                But yet nobody has any proof Hillary’s server was compromised which is remarkable. IMO, she deserves credit for that, not hate.

            3. cac

              The only emails creepy Assange and pathological lying guccifer have, are those released by Hillary or the State Department themselves, or from the dnc hack. No proof anyone compromised her personal server.

      2. Ind

        CIA does their own “initial” checks, they’ve farmed out the reoccurring (5 years) to OPM – all but the polys.

      3. jdmurray

        It would be interesting to see if Edward Snowden’s SF-86 information was in the OPM. If he was really CIA from the beginning then he shouldn’t be in the OPM. However, “CIA spies” should also have information planted in the OPM to allow them to pass standard Federal/DoD background checks as, say, NSA employees.

    2. Chris

      Power of deduction. Weed out the guys in the State Department who were included in the report and you’ve got the CIA operatives. 🙂

      1. Steve S

        Doesn’t the CIA create a cover for those people? I would have thought they were listed in the OPM data with “normal” info.

    3. James Schumaker

      The absence of certain files of Embassy personnel in the OPM system effectively identified those individuals as people who were being vetted elsewhere, i.e., by intelligence agencies.

  9. Govvie

    The problem is as it always has been, cyber security/Information Assurance continues not to be taken seriously across the government. As long as a Commander or SES has the capability to say “I don’t care, hook it up, we need to get going” then the government’s cyber security will always be behind. I just finished an authorization package the other day that they decided not to test the controls on because we needed it done in fy16, and we’ll probably have a CR so won’t have the money to pay “authorized” validators. We have awesome cyber security professionals in the government, but as long as they get overruled under the “it’s my network, I can accept the risk” then it’ll always be broken. I’ve fought this battle for 20 years!

    1. Govvie

      Oh, and one only has to read the last 5 years of Inspector General reports from OPM to see how it went, nearly every deficiency was answered by the OPM leadership as “we don’t concur with that finding.”

      1. Govie(2)

        I suggest your readers make time to go find a Department/Agency’s Office of the Inspector General reports on Information Technology.

        Read their FISMA Reports!
        Ask them questions!

        Further, go ask the CIGIE (Council of IG’s) why all of them look different and it’s next to impossible to correlate findings and recommendations between Dept/Agencies. Not the dirty details, but the general NIST Control Areas…no doubt every agency has similar problems.

        Better yet, the authors of the report Brian’s reporting on have ALL of them…why not turn their findings into OpenData?

        Lastly, read the Dept/Agency OIG “Cybersecurity Act of 2015” reports on “Covered Systems” that contain PII.

        Ask questions. Thank you Brian for continuing to ask, it’s our turn now.

  10. Ollie Jones

    The third graf of Brian’s story says,

    “The agency’s senior leadership failed to fully comprehend the extent of the compromise, allowing the hackers to remove manuals and other sensitive materials that essentially provided a roadmap to the OPM IT environment and key users for potential compromise,” the report charges.

    In other words… according to a congressional committee, if only the agency had done a better job of security through obscurity, things might be better. Yeah. That’s the ticket.

    The article does describe how thoroughly OPM was pwned. A lot of it seems to be the “mission accomplished” syndrome … a strong desire to declare victory trumping the desire for victory.

    Maybe stuff would be safer in private servers in cabinet members’ home offices. Oh, wait….

  11. IA Eng

    This is absolutely substandard, BUT, as for most branches of the government, the same crappy security was instilled across the board. For years, if not decades, the government has had this lax approach to any type of network security.

    Look, in any organization where there are tons of people grazing the pasture until they retire is a BAD thing. It literally takes an act of congress to clean house and get a younger more talented crew in there.

    That cleaning includes all the old school approach and any favoritism at interviews. With all the people who work in the environment that cut corners and show others how to beat the system – here are the results of your practice.

    It’s simply faster and easier to construct a new building with security built in, and move them over. This way I do not have to listen to them whine about how hard it is for them to do their job that they were hired to do.

    It boils down to several words.

    The government continues to Accept Unacceptable Failure as status quo.

    Threaten their livelihood / and MAYBE they will show SOME reaction. It’s simply pathetic. NO motivation or pride whatsoever.

    1. James

      “That cleaning includes all the old school approach and any favoritism at interviews. With all the people who work in the environment that cut corners and show others how to beat the system – here are the results of your practice.”

      You could say exactly the same of the private-sector bankers who crashed the economy in 2008.

    2. Curtis

      You are so right! I’ve seen cronyism/nepotism in the private sector but the waste is multiplied in the government arena where I recently worked. I butted heads with the good-ole-boy crew for 3 years while they sat around surfing the internet, playing with computer phones, and discussing all manner of things for most of the day. Getting the job done was not as important as the appearance of same for the dog-and-pony shows.

    3. Chip Douglas

      “It boils down to several words.
      The government continues to Accept Unacceptable Failure as status quo.”

      That is because the people at the top are the problem. When they say, “do it anyway”, they are the problem, not the solution. The people under them merely want to keep their job so they do as they are told. They have been INTIMIDATED to violate established security procedures by the clueless management who only care about climbing the ladder and feathering their retirement nest. The problem is as much the management as it is people who are charged to do the work.

  12. tracka

    I think those who have commented about the dangers of outsourcing are on the ball.

    1) You outsource and lose key internal skills – even though the theory of outsourcing is to get rid of non-key functions! But then you don’t necessarily know what is “key” tomorrow (or even today). First Loss of Accountability.
    2) Having got rid of those skills you have then lost part of your ability to evaluate bids from outsourcing organisations. Second Loss of Accountability
    3) When you get in a mess, you lack the skills to either evaluate the mess or clear it up. So you have to rely on outsiders! Third Loss of Accountability

    It is not just organisational it is national.
    1) UK lost the ability to negotiate trade deals when it joined the EU (skilled negotiators joined the EU bureaucracy – and I very much doubt they will come back). BO probably very wise to say UK should go to the back of the queue for doing trade deals – they will need time to rebuild. Latest: talk at G20 of asking the Australians to do the negotiation for them!
    2) Which countries have outsourced the guts of computing to China (or anyone else for that matter)? Chip manufacture, firmware etc. If they then have a problem in communications infrastructure, air traffic control, nuclear plant control, even defense systems at a time of “difficulty” with say China, how quickly will they be able to get problems at the chip / firmware level sorted?

    Outsourcing may show a quick return for the next Wall St quarterly report (or Government report to Congress), but it does rather mortgage the future.

  13. Chip Douglas

    The one thing in common with all of these security breaches whether they be government or private, is that hardly anyone ever seems to be held accountable, and by that I mean prosecuted, fired, fined, drawn and quartered, etc. There are a few instances, but for the most part the idiots who allow this to happen are still in charge or are rewarded for their arrogance, incompetence or stupidity. I give you ex-Secretary of State, Hillary Clinton.

    1. cooloutac

      Hillary should just walk around with a t-shirt that says “Hi Haters get my emails yet?” Hillary’s server is the only one there is no evidence of a breach. RNC, DNC, Congress computers even hacked by our own CIA, State Department emails, Whitehouse computers including Obama’s ipad, First ladies emails, CIA Director’s emails. All hacked multiple times by multiple actors including 16 year old kids….even though we always want to blame russia and china. (which is where many criminal hackers for hire reside, or simply proxy from)

      State department emails have been breached multiple times, including while she was there in office. And you expected her to use them? There has been one attacker in state department emails they couldn’t get rid of for the past year, Probably same one that was in DNC computers for as long. Guccifer even had to admit he lied about hacking Hillary’s server to FBI Director Comey. And really it probably just boils down to good email practice by her aides rather than anything super technical set on her server.

      More and more it seems as though there is no such thing as computer security and the only blame should be on people who were socially engineered.

      1. Chip Douglas

        No evidence only means it has not been found or it is not being disclosed for political reasons. The FBI said Hillary used 13 different devices. That is not because she was worried about foreign actors compromising USGOV security, but to cover her tracks in her pay to play scheme with the Clinton foundation. If nothing else her attitude about security in other areas of Government says all you need to know about how worried she was about USGOV security. It was all about protecting her illegal profits tied to her gig as secretary of state.

        1. CAC

          yet we have evidence of compromise for Congress computers, white house computers, State department computers, OPM, first ladies emails, Director of CIA’s emails, Bush family members emails…etc…

          You really think if Hillary’s server was so badly insecure and compromised some kids wouldn’t have been trying to prove it by now?

          Keep blaming Russia and China for every single hack, when it’s probably a bunch of 16 yr old anarchist Bernie fans looking for lulz.

          IMO, the reason there is no evidence on Hillary’s personal server is most likely cause her aides used good email practices…period.

  14. where?

    “According to the report, the OPM first learned something was amiss on March 20, 2014, when the US-CERT notified the agency of data being exfiltrated from its network.”

    News Stories from May 2016 indicate that OPM itself detected suspicious activity on its network.

  15. J W

    It took them a while to find my correct address, but I finally got a notice from OPM. My last clearance expired over 20 years ago, so the file retention and storage policies seem to be seriously screwed up.

    If you put all your eggs in one basket, you need to watch it.

    1. Robert.Walter

      Basket needs to be designed to keep eggs from falling out and varmints from getting in… lots of lousy basket designs out there.

    2. Bob

      Even crazier, I have yet to be notified but a relative, who has lived with me for the past 15+ years and thus was listed on my form, has been notified.

  16. Roland

    I’ve been a cyber security contractor for quite some time now, was at a federal client that was also breached in the spring of 2014, and am now at a different client that had also been breached in the same time frame…lots of that going around a couple of years ago, wasn’t there? OPM might be getting a lot of attention but they were far from the only one. I wonder if anyone has put together the larger timeline showing the multiple coordinated attacks that seem to have started around February of 2014 and peaked in late April and early May.

    I’m not sure why so many commenters are blaming contractors for this. Perhaps it’s the natural human tendency to point fingers. In my experience, my federal clients routinely disregard my advice. They typically want to do the bare minimum to pass whatever “check the box” audit cycle they are currently surviving. Worse yet, they don’t let the auditors interview me or my team, fearing we will spill the beans about the real state of affairs.

    1. Robert.Walter

      In my former Fortune xxx automotive supplier company, our audits consisted of a pre-announced plan of who would be audited when and for what. The days before the audit were a frantic fire drill to try and get everything IRL to match what had been certified to.

  17. Joseph M Jones

    I love how everyone wants to look at the agencies but not once talks about the dolt ass politicians who provide the budgets for all of this mess with zero oversight.

    It talked about a problem that persisted for over a generation.

    How do you keep cutting checks for a system that is so woefully bad and at no point say “maybe we should re-think how we are going about this”?

    Steve Buscemi said it best in Armageddon:

    “You know we’re sitting on four million pounds of fuel, one nuclear weapon and a thing that has 270,000 moving parts built by the lowest bidder.”

    The very concept is kind of insane and bound to blow-up at some point.

  18. Tim to da G

    From first hand experience following the OPM security breach I started getting a lot of contacts via phone and email in phishing attacks. It was unnerving that I was being targeted by these attacks until the letter informing me of the incident came in the mailbox. Then at least I knew how and why I became a target.

    Instead of monitoring my credit reports perhaps they should have put more emphasis on general security training for me and my contacts listed in my security clearance. Come to think about the credit monitoring I feel uneasy that I have a third party monitoring my credit, where and how I am spending my money. Thanks to Brian who convinced me that putting a security freeze on my credit was the better choice.

    1. Curtis

      This is why the security snafus with respect to SecState Hillary are so infuriating. We contractors and govt employees at the facility I worked at were required to take anti-terrorism, cybersecurity, and other courses every year. The phishing attempts we received were typically sent to our contractor email addresses. Our contractor then required yearly cybersecurity courses from Kevin Mitnick’s company KnowBe4.

  19. Charles James

    In the world of security often those who are unable to see the criticality of such security tend to lean heavily toward convenience over security. Security takes effort and it often places extra requirements when working with sensitive information and most don’t want to take that time or effort to achieve that goal so they tend to dismiss, avoid and circumvent such security measures for extra convenience when performing duties involved in daily work.

    Convenience is a killer of security, the bottom line for profit is also a killer for security and security generally is ignored because it reduces profits rather than increase profit. It isn’t until security is compromised and data/information, etc., is stolen that suddenly the bottom line is adversely affected then causing those in positions of influence to suddenly scream about ‘where is the security’?

    Even in the dark underworld of the Internet where security is taken seriously and from the start there is no true secure system as shown from a recent article where bit-coin services were hacked and robbed with not one iota of a chance those who had those coins can be redeemed. The only true security is to unplug from the Internet and because of the invasiveness of inter-connectedness that is no longer a guarantee.

    The only way I can see that security can even achieve a modicum of protection is by those in charge making security the highest priority in the creation, development and coding of all Enterprise Applications, etc. It is also necessary to provide harsh repercussions when the code is compromised even at the lowest levels. Gratification, convenience and profit must take a back seat to security for if not security breaches of the future will be so costly that no one can make a decent profit except those who are on the receiving end of such predatory thievery.

    For instance, even apps for the phone or that ‘rented cloud based software program’ we use daily, if you are compromised while using it the coders who created it must be harshly fined by their parent company and the parent company must be harshly fined at levels commensurate to their levels of profit – the real profit and not the obvious presented profits. Enforcement shall be harsh enough where actual jail time is possible starting at the highest levels of said parent company.

    Failure to provide adequate security is just plain stupid and irresponsible and that irresponsibility and stupidity shall be harshly dealt with from the highest levels on down to the actual coders. Everyone at every level shall “OWN” the security of their work, write out in long hand their responsibilities and then frame, hang in a position to read daily and then live the acceptance in all they do – security is foremost in their minds and the first thing they work on at the beginning of every day’s work. This starts with the CIO/CFO and trickles down to the fledgling coder in every software and associated company.

    The actual hand writing of the contract of promise to security shall be televised so that every customer or potential customer can bear witness then the hand written personal contracts are to be stored in original form electronically and displayed prominently on the company web sites and other such ‘company face’ and used to remind the individual they own security in all they do for they control the screens, control the code and control the Internet for good and evil.

    Only when such responsibility and ownership is created, assumed and witnessed can security become secure through diligence, effort and ownership of every person, persons and leadership. Until that is achieved such security breaches as at the OPM recently addressed at Krebs on Security can such compromises be, at a minimum, mitigated and prevented.

  20. Patti

    Brian: You once gave a Snort signature for an intrusion as a community service… would a federal law requiring Snort be used (by local, dedicated ID groups) on all government LANs be of utility in cases like these?

    1. JCitizen

      From what I gather about how government agencies like this work, I doubt there were any actual trained IT personnel at any of these offices. Anyone given networking as a secondary duty there, would doubtfully even know what Snort was, let alone how to use it. If the contractors used it, it wouldn’t matter because the agencies, they worked for, were not interested in ACTUAL information technology security. That’s how I see it anyway – I’ve been there done that too. I’ve seen way better IT knowledge and security working for private sector non-profits, than any government agency – and that is a pretty sorry state of affairs.

    2. timeless

      Snort and friends work against amateurs. If your attacker is a nation state, they’d make sure not to get caught by things like that.

      I’m not saying Snort shouldn’t be used, but it isn’t enough.

      The problem is… I’m not sure what would be enough.

      There are a couple of potential attacks against databases of this size:
      1. Complete exfiltration
      2. Selected exfiltration
      3. Direct queries
      4. Data insertion/manipulation/deletion

      You can try to catch #1 by doing network traffic logging and comparing qualities/destinations to identify outlier patterns. But it’s possible for an attacker to hide under your threshold limit or distribute the extraction destinations to better blend in.

      Catching #2/#3 is probably pretty hard. The bigger and more frequently used your dataset is, the easier it is for someone to hide a couple of transactions in the stream. And the more users, the more likely someone’s credentials are to be compromised. At best, analysis of each user’s queries to identify outlier dataset responses might work.

      Catching #4 is also hard. You basically need extra copies of the database, some process which can safely compare and identify sufficiently anomalous changes. Keeping in mind that being able to access the dataset like this would make it easier for someone else to perform #1…

      Normally you might say “just use stored procedures to validate data”, but if the database accepts them, then an attacker could also insert stored procedures.
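
The per-user outlier analysis suggested in the comment above, as an added example that is not part of the comment thread or the original article. The log, user names and thresholds are constructed for illustration; it shows queries that each stay under a fixed per-query limit being caught by comparing a user's daily total against that user's own history.

```python
from collections import defaultdict
from statistics import median

def build_log():
    """Constructed query log of (user, day, rows_returned); not real data."""
    log = []
    for day in range(1, 12):
        n = 18 + day * 3 % 5                     # 18-22 queries on an ordinary day
        for user in ("analyst_a", "analyst_b"):
            if user == "analyst_b" and day == 11:
                continue                         # day 11 for analyst_b is added below
            log += [(user, day, 45 + (q % 3) * 5) for q in range(n)]
    # Day 11: analyst_b's credentials issue 200 queries of 90 rows each,
    # every one below a 100-row per-query alert threshold.
    log += [("analyst_b", 11, 90)] * 200
    return log

def per_query_alerts(log, threshold=100):
    """Fixed limit on a single response: the check an intruder can hide under."""
    return [(u, d, r) for u, d, r in log if r > threshold]

def daily_outliers(log, cutoff=3.5):
    """Flag (user, day, total) where the day's total rows deviate from the
    user's own history, using the modified z-score 0.6745*(x - median)/MAD.
    Median and MAD are not dragged upward by the single anomalous day."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, rows in log:
        totals[user][day] += rows
    flagged = []
    for user, days in totals.items():
        values = list(days.values())
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1   # guard against MAD == 0
        for day, total in sorted(days.items()):
            if 0.6745 * (total - med) / mad > cutoff:
                flagged.append((user, day, total))
    return flagged

if __name__ == "__main__":
    log = build_log()
    print("per-query alerts:", per_query_alerts(log))
    print("daily outliers:  ", daily_outliers(log))
```

An account that spreads the same volume over enough days to stay inside its own normal daily variation would not be flagged by this check, which is the limitation the comment raises.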

  21. Coop

    Remember, in the military and government, folks are placed in CHARGE based on RANK; not competence. That drove me nuts for the many, many years I was an enlisted man in the USAF and also when I worked as a contractor… I had to get out of government work for that very reason – MORONS IN CHARGE – Larry Peter probably based the “Peter Principle” on our government and military…

    1. JMAH

      Yep, because there are no MORONS IN CHARGE in the corporate world, no nepotism, no political appointments… it’s all rainbows and unicorns outside of the government sector.

      1. Coop

        I never said that. Unfortunately the public sector seems to have many more than the private sector. It’s just a fact of life IMHO.

  22. Mike

    Page 225 has lessons learned. What about assessing risk within OPM and knowing that one should have been watching the clearances more than the janitor’s computer?

  23. Gromit45

    This report will be used to try to justify a much larger IT budget for OPM and when they get the increase approved the money will still be wasted and the end result will still be a weak security environment.

  24. Daniel

    None of this surprises me. People above are claiming that no one will be held responsible for the breach and of course they won’t. That’s not how Washington works. You allow the breach to happen, take the heat, and then reward everyone with performance bonuses and promotions for cleaning up the mess you just made. Breach prevention has zero utility as far as career advancement is concerned.

    So it wasn’t “almost willful” as the article posits. It was willful.

  25. red

    Regarding clearance issuance by an adversary: it is not quite that simple.

    OPM performs investigations. The sponsoring agency then receives the results of that investigation and provides an adjudicative decision.

    In other words it is the agency that grants a clearance, not OPM.

    The sponsoring agency also requests the clearance, so an attack would need to be more sophisticated.

    1. Gov

      Red,

      That’s not how it works – the agency does not do the adjudicative decision part, that is a group called the “Central Adjudication Facility”, agency initiates, does a preliminary check, local checks, etc…employee fills out SF86 or Eqip online (depending on level of clearance needed) – this gets sent to OPM who assigns an investigator, that investigator conducts the checks, a reviewer or case analyst verifies the information, assigns “values” to the information (based on whether or not there is derogatory information), this is then sent to adjudications. If the agency gets a favorable adjudication back from the CAF, then they’ll proceed with the clearance.

      1. Red

        Gov,

        The Central Adjudication Facility seems to be a DoD construct based on some initial searching. Not sure if only the DoD uses it or if others outside of DoD use it as well. That said, others in the Government do not. For example the DoE does their own adjudication, as their clearances are different. I am not sure on other parts of the government.

        FYIW: I did find this snippet from OPM’s FAQ: “Adjudications officials at the agency requiring the investigation will evaluate your case and communicate their recommendation to the appropriate personnel or security office.” https://www.opm.gov/FAQs/QA.aspx?fid=cb3cafac-1e73-4a6b-bd88-a3adad355390&pid=48d554e3-ecbf-4309-9162-a9b561b53b8c

        All of which is a red herring from my broader point: OPM does not grant clearances. Since there are multiple parties involved, the comment on improperly granted clearances is more difficult to pull off. I could however see how an individual could possibly tamper with an ongoing investigation. But it is not as simple as updating a field in some web application database (which is how I read the final paragraphs of the article above).

  26. vb

    The primary job of a government manager is the appearance of doing something. IT security funds are spent on door locks, badges, secure server rooms, etc. Things that can be seen.

    The idea of spending department funds on network security software is ridiculous. Nobody sees that stuff.

    If they get more money for IT security after this breach they are probably going to spend it on new locks and upgrades for the server room. I wish I was kidding.

  27. JasonR

    One problem with the OPM hack that some may not be aware of is not only were Federal employees affected, if they had any sort of clearances, that means they had background checks. Background checks mean that their family, spouses, past spouses/relationships, adult children, etc., were also exposed. My brother with clearances told me before the news broke publicly and warned me to watch for identity fraud. Some time after I received a letter from OPM, even though I’ve never been a Federal employee.

    1. T

      This is the problem that not enough people are talking about.

      It’s not even about the individuals who were unwittingly compromised because their information was provided by a clearance-seeker on the SF86, but the fact that the hostile parties now have full data on the familial and close-tie social networks of clearance-seekers, who are typically listed on the SF86 as references or people who know the applicant well.

      In other words, the hostile parties have individual sociograms for every clearance applicant, and a competent network scientist could easily identify missing edges (links) probabilistically. This is a rich data set for mining and could identify plenty of future exploitation avenues for targeting. If you’re playing the long game (which they are), you could likely identify individuals who are likely to be cleared employees *in the future* from this existing network data.

  28. Mork&Mindy

    Governments which buy zero day exploits from companies which get hacked (remember the Italian Hacking Team?), cybercriminals who sell exactly those backdoors which governments adopt, isn’t the whole game ridiculous, even almost childish if you hear about the recent G20 incident with the missing red carpet?

  29. J. Tae

    Great report, and completely valid concern. The OPM Breach was a devastating blow to the US Gov on a plethora of levels. On one hand you’ve got the PR blow which clearly put the OPM process on notice, but the more important side you have the data breach of the century with regard to High Intelligence Value data systems. There are a number of issues that follow me with this situation, like why (like all recent breaches) does the message seem to be – Hire a Credit Data company to control the Identities of those involved, and all will be fine.

    Beyond the depths of insanity that involve the HOW regarding the OPM breach, the remediation efforts (visible and non-visible) have left me at a loss for words. I’ve had many friends, and old associates ask the REAL question: How bad is this for me and how much should I be concerned with? My response is like all others, it’s much worse than one can expect, and you should do everything in your power to obtain the SF-86 you submitted and work to scrub, declassify, change, and alter the validity in any of the information passed.

    There are a number of issues surrounding this breach. But this is coming to light very soon.
