Early in June it was reported that the Office of Personnel Management (OPM), a civilian-run government agency, experienced a data breach of its computer systems, giving suspected Chinese state-sponsored hackers access to up to four million records of former and current federal employees. The hack was so extensive that the stolen information dated as far back as 1985. However, new reports show that the attack could be more than four times more devastating than initially estimated, and the number of people impacted could increase. In fact, the tally of those affected is only now being revealed as the OPM sends out notices to people who are potentially impacted. Even more unnerving is that a 2014 audit uncovered security inadequacies within the OPM system, yet these were not reported until several months after detection.
Unlike previous major cyber attacks we have seen over the last year, the exposed data was not just limited to PII (Personally Identifiable Information) such as Social Security numbers, birthdates, and bank information. During this breach hackers accessed highly confidential employee background checks, containing information on their friends, family and past employment. Even private details such as mental illness treatments, lie detector test results, bankruptcy filings, and run-ins with the law were retrieved. At this point, according to Yo Delmar, vice president, GRC Solutions, MetricStream, we are unaware of the full impact of this breach; but if history is any indicator, it’s highly likely that those responsible for the hack may already be using the stolen information in malicious, and highly illegal, ways.
Following the massive breach, what we must now focus on is what can be done at the federal level to prevent such devastating reoccurrences. According to Delmar, there are several steps that need to be taken in order to address today’s security gaps in government. These include: fully understanding the details of the NIST’s Cyber Security Framework (CSF) and actively putting practices into action; developing and implementing a remediation plan to ensure security standards are being met; closing the gap in response time and maintaining transparency throughout with key stakeholders; recognizing the auditor’s evolved role in cybersecurity; and understanding where federal security investments should be headed.
Addressing Federal Security Gaps
Steps that need to be taken in order to address today’s security gaps in government, as identified by Yo Delmar, vice president, GRC Solutions, MetricStream.
Understand NIST’s Cyber Security Framework
NIST’s Cyber Security Framework (CSF) is an important standard that forms a baseline which government agencies and private organizations operating in critical infrastructure can use to secure assets and sensitive information. The CSF leverages existing standards that are constantly being revised and improved to address emerging cyber threats.
For background, version 1.0 of the CSF was issued in February 2014. It was developed in response to President Obama’s Executive Order, “Improving Critical Infrastructure Cybersecurity” that was released in 2013. The CSF was initially intended for companies that are part of the nation’s critical infrastructure, defined as “Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
However, NIST urges all organizations, from Fortune 1000 enterprises to small businesses, to consider applying the Framework in order to manage cybersecurity risks. It is being widely adopted across a range of industries, especially within financial services. This is a step in the right direction, as it means organizations of all shapes and sizes can use the same concepts and language when discussing the essential elements of a cybersecurity program. As a result, security professionals can begin to compare apples to apples across different domains. That said, all government agencies must practice what they preach and rigorously apply the CSF. Every federal organization should be assessed and be scrupulously held to these standards, as private companies are. In the case of the OPM, the Federal government is not “leading by example” – this needs to change in order to lessen and ultimately prevent repeated attacks.
Develop a Remediation Plan
As previously noted, an audit in 2014 revealed significant flaws within the OPM’s security program. Not only were this civilian-run agency’s investments in security woefully inadequate, its lax attitude towards security has been known for quite some time. In fact, the “material weakness” cited in the 2013 audit report on the OPM was escalated to a “significant deficiency” in 2014. After the initial audit in 2013, the OPM should have put a remediation plan in place within 30 days, yet the organization did nothing, and unfortunately, its negligence backfired.
Further, the OPM had difficulties meeting some of the basic “101s” of its security, including authorization, controls testing, and security program planning. Since thorough assessments and control testing were not adequately carried out, the OPM was unaware where the security gaps were and therefore was unable to put an effective remediation plan in place.
As a first step in security remediation planning, organizations must ensure that they fully understand the threat landscape, prioritize a true risk profile, and stay attuned to emerging risks that may threaten the organization’s operational integrity and reputation. Next, the plan needs to be fully supported in the organization from the top down to ensure its effective and timely adoption. Finally, should the plan not be implemented, authorities need to be in a position to deliver severe consequences when standards are not met.
Close Response Time Gap and Maintain Transparency
Reports say the attack was discovered in April yet was not disclosed until May, raising the question, “Why did the news take so long to come out?” This is crucial because had victims been alerted earlier, they could have taken measures sooner to protect themselves from identity theft, fraud, and other damaging effects commonly associated with data breaches.
Again, because hackers obtained information beyond standard PII, they have become privy to a rich fabric of information about the families and friends of current and former government staff. The more worrisome reality is that they now have access to such a deep profile that the potential for blackmail — something that we have yet to see receive attention related to breaches and hacks — significantly increases. While best practices exist that victims can take to protect themselves, these individuals will forever need to be on high alert for potential fraud.
Recognize the Auditor’s Role in Cybersecurity
With security becoming an increasingly grave concern within the public sector, government agencies need to take steps to conduct not only rigorous internal audits, but extend them with external audits that provide objective perspectives. Specifically, auditors need to apply a risk-based approach in their assessments in order to more effectively anticipate and mitigate threats to critical assets and systems that contain sensitive or regulated information. Auditors need to hold all agencies to the highest best practice standards and frameworks like the CSF and be able to explain deficiencies, as well as recommend remediation strategies in each of the CSF’s core functions: identify, protect, detect, respond and recover.
Additionally, auditors need to become more acquainted with cyber-risk models in order to understand an increasingly complex set of attack vectors that vary based on a threat actor’s motivation, skill level and access. As cyber exploits move into mobile technology, cloud computing, and social media, auditors need to stay current with how exploits are evolving, and be diligent and explicit about how organizations can strengthen their defense-in-depth strategies.
Understand Where Federal Security Investments Should Be Headed
The government’s current security investments are focused on continuous monitoring, where the main goal is to proactively protect and detect. While this is an effective approach, it cannot be the only safeguard used to protect private entities and the sensitive information they contain.
One area that is gaining attention in the public sector — yet is very expensive to implement — is data encryption. Sensitive, unencrypted information is rampant in government organizations, and is moving around complex, antiquated federal systems. Faced with the threat of unlimited, persistent online vulnerabilities and cyber terrorism, data encryption is one of the key ways to ensure that the data itself is protected if it gets into the hands of our enemies.
In summary, federal security investments should go to 1) bringing security systems up to CSF standards, 2) making sure that continuous monitoring is in place using the most appropriate technology systems, 3) ensuring that sensitive data is appropriately encrypted at rest and in transit and 4) retiring legacy systems and old technologies riddled with vulnerabilities.
These are just a few of the necessary actions that the U.S. government needs to take in order to ensure that cyber attacks like the one on OPM can be averted. While no plan is foolproof, it is essential for government entities to be proactive and transparent, as well as tightly abide by the guidelines established by the NIST CSF so that if attacks do occur, they are much smaller in scale and impact.