There is no disputing the 2015 Office of Personnel Management data breach was a disastrous event. The implications are catastrophic and will reverberate for generations.
Foreign attackers stole personally identifiable information (PII) and security clearance background investigation information of 22.1 million individuals, capturing fingerprint data of 5.6 million of those individuals.
This didn’t have to happen. The arrival of sophisticated threat actors shouldn’t have come as a surprise. Federal agencies must quickly and radically alter their approach to cybersecurity to avoid a breach of this kind again.
Pivoting toward zero trust, prioritizing security, practicing basic cyber hygiene, modernizing assets and retaining competent talent must take center stage throughout the federal government.
Most of those affected by the OPM breach are current or former federal employees and contractors. The loss of their PII is inexcusable. Citizens serving this country deserve better.
The damage done from stolen personnel records, background investigation information, and fingerprint data is staggering. Adversaries are now in possession of highly personal details about those entrusted with our country’s national security secrets and intelligence.
Make no mistake, the stolen data will be used against us.
As former CIA Director Michael Hayden noted, “OPM data remains a treasure trove of information that is available to the Chinese until the people represented by the information age off. There’s no fixing it.”
This should serve as a wake-up call to all in government on how to best secure federal IT and data.
A shift toward zero trust is one way to improve federal IT security.
Federal agencies’ current focus on perimeter-based security offers insufficient protection against the advanced persistent cyber threats targeting us today. The OPM data breach taught us the hard way that once an intruder is discovered in the system, it’s already too late.
In a perimeter-based defense, anyone inside the network is trusted. For OPM, once the attackers were inside, they could move freely around the network, gaining more and more access to data.
Conversely, zero trust centers on the belief that users inside a network are no more trustworthy than users outside a network. Zero trust assumes all traffic traveling over an organization’s network is threat traffic and therefore helps restrict sensitive information to only those authorized to access each piece of discrete information.
Zero trust would have profoundly limited the attacker’s ability to move within OPM’s network and access such sensitive data.
The Office of Management and Budget (OMB) should develop guidelines for executive departments and agency heads to effectively implement zero trust along with measures to visualize and log all network traffic.
At the same time, agencies must prioritize security and practice basic cyber hygiene. Had OPM implemented basic, required security controls and more quickly deployed cutting-edge security tools in March 2014 after learning of a significant data breach, the 2015 theft could have been mitigated or even prevented.
Competent, empowered and accountable chief information officers (CIO) are also critical. The Government Accountability Office reports the average tenure for an agency CIO is two years. That’s too short to make an impact. Greater priority should be placed on retaining effective CIOs for at least five years.
Modernizing assets is an obvious solution for improved IT security. According to GAO, federal agencies spend more than $89 billion annually on IT with over 75 percent of the spending directed toward operations and maintenance of outdated legacy systems. Reliance on legacy IT results in significant security vulnerabilities as aging infrastructure is difficult and costly to secure.
Congress should explore options to incentivize this transition.
Collectively, these efforts can usher in a new culture of security at federal agencies.
As a result of the OPM data breach, tens of millions of current and former federal employees and their families are paying the price for a mismanaged agency with lax and outdated security protocols.
A breach of this significance in terms of both data and of public trust can never happen again. Agencies can and must do better. Adopting a zero trust model is the first step in restoring confidence and security in federal information technology.