Interior IT flaws didn't lead to hack, says CIO

Shutterstock image (by adirekjob): magnifying glass resting over a missing puzzle piece.

Personal data on 4.2 million federal employees housed in an Interior Department data center fell prey to hackers believed to be from China, as part of the larger breach of Office of Personnel Management Data that affected more than 22 million people and compromised highly sensitive security clearance data. OPM was a shared services customer at Interior.

Interior CIO Sylvia Burns told Congress that security weaknesses at her department weren't to blame in a July 15 hearing of the IT Subcommittee of the House Government Oversight and Reform Committee.

"The breach did not happen because of a vulnerability at the DOI data center. It happened because of compromised credentials of a privileged user on the OPM side who then moved into DOI's environment through a trusted connection," Burns said.

Nonetheless, a report initiated by the Office of the Inspector General at Interior in response to the breach found more than 3,000 "critical and high-risk vulnerabilities in publicly accessible computers" operated by three bureaus at DOI, said Deputy IG Mary Kendall.

The report, which was shared with Congress in draft form in the wake of the OPM hack, found that three bureaus at Interior had not implemented overlapping security controls to prevent IT assets from being compromised in attacks.

"If exploited, these vulnerabilities would allow a remote attacker to take control of publicly accessible computers or render them unavailable. More troubling, we found that a remote attacker could then use a compromised computer to attack the department's internal or nonpublic computer networks," Kendall said.

The affected DOI bureaus have been aware of the problem "for some time," Kendall said.

Former Interior CIO Bernard Mazer, who now consults with the OIG on technology issues, told the committee that there were plans to delve deeper into potential vulnerabilities. That includes making sure mobile devices on DOI networks are properly managed, monitoring interconnections between DOI and users of shared services and implementing two-factor authentication.

According to Burns, Interior has accepted the recommendations of the IG report and is working to implement fixes. As part of the government-wide cybersecurity "sprint," DOI has moved 75 percent of employees to multi-factor authentication for access to agency systems. Burns also said that she learned from the Department of Homeland Security that intruders were no longer resident in DOI systems and had not accessed other data.

Part of the problem, Burns and Kendall agreed, was the lack of central authority over IT systems at Interior. Although the agency had given the department CIO enhanced authority under a secretarial order, there are still separate operating environments for IT and separate budgets for large agency components.

"I think [the Federal IT Acquisition Reform Act] is pivotal legislation that helps us to drive consolidation and centralization of the things we're talking about today," Burns said.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.