OPM records the 'Holy Grail' of counter-intelligence

'Very old systems' and a lot of valuable, unencrypted data left millions vulnerable, despite the application of interior and perimeter defenses.


“This problem is not going to go away,” President Barack Obama said June 8. “It's going to accelerate.”

Speaking at a press conference in Germany, the commander in chief was one of many bemoaning the exposure of some 4 million feds’ records in the latest, massive Office of Personnel Management breach revealed last week – and seeking answers to the security conundrum.

OPM’s files weren’t encrypted, and vaunted perimeter defenses failed to keep hackers out of troves of incredibly sensitive information.

“We have known for a long time that there are significant vulnerabilities and that these vulnerabilities are going to accelerate as times go by, both in systems within government and within the private sector,” Obama said. “[W]e have to be nimble, as aggressive and as well-resourced as those who are trying to break into these systems.”

But how?

SSNs, paystubs and dirty laundry exposed

The personnel records of 4.1 million current and former feds were exposed, with types of information exposed varying person to person, an OPM official said. The deeply personal, thorough paperwork that accompanies security clearance investigations was likely among the exposed info. Affected feds should soon receive emails from opmcio@csid.com or letters in the mail with specific details.

Experts have speculated that the breach is part of a broader effort to assemble a database on federal workers for future exploitation.

On the XX Committee blog, cybersecurity veteran John Schindler posited that the breach was a massive counterintelligence win for (presumably) China.

“Whoever now holds OPM’s records possesses something like the Holy Grail from a [counter intelligence] perspective,” Schindler wrote. “They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side (perhaps with someone of a different gender than your normal partner) — since all that is recorded in security clearance paperwork.” He linked to an OPM national security questionnaire form as an example of the all-encompassing personal depth of the exposed records.

Aging systems and too much focus on the perimeter

How was all of this exposed?

“Part of the problem is we’ve got very old systems,” Obama said. “What we are doing is going agency-by-agency and figuring out what can we fix with better practices and better computer hygiene by personnel, and where do we need new systems and new infrastructure in order to protect information.”

Part of the government’s fix: rolling out better perimeter defenses. The White House announced June 5 that the largest 52 federal agencies would be outfitted with the latest iteration of the Homeland Security Department’s perimeter defense system, Einstein 3A, by the end of 2016 – two years ahead of schedule. (A DHS spokesman told FCW that the decision to accelerate Einstein 3A’s rollout predated news of the latest OPM breach.)

But Einstein seems to be part of the problem – the initial breach occurred in December 2014, but the system failed to detect it until April. Another DHS program, Continuous Diagnostics and Mitigation, offers more defense-in-depth, but to truly protect sensitive data, safeguards are necessary at every level – and in the case of the OPM breach, they weren’t. Exposed files were not individually encrypted, with OPM CIO Donna Seymour telling Politico that encryption and data protection techniques “are new capabilities that we’re building into our databases.”

What next?

Individual feds should keep an eye on their credit reports, consider the free credit monitoring OPM is offering and be alert for spear-phishing attacks in the wake of the breach. For agencies, the struggle is wide-ranging.

“You need to live under the assumption that somebody’s already inside your network,” said Dave Gibson, VP at data protection firm Varonis.

Encrypting files is a good start, but the technique has “limits,” Gibson noted, because eventually those files need to be decrypted, so managing user access to systems becomes critically important. Varonis is keen on user behavior analytics, a defensive mechanism enabled by file access logs that tracks who’s doing what with sensitive files. “It’s important to see what data is out there, to see who has access,” Gibson said, noting that a “catastrophic” number of organizations public and private don’t even have data on file access. By tracking file use, Gibson argued, organizations can better detect anomalous situations like the OPM breach.
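To make Gibson’s point about file access logs concrete, here is an added illustration that is not from the article or from Varonis: a short Python script that reads constructed access-log lines, baselines each user’s normal daily count of distinct clearance files, and flags a day that jumps well above that baseline or touches sensitive files outside business hours. The log format, the `/hr/clearance/` path, the business-hours window and the thresholds are all assumptions.

```python
import statistics
from collections import defaultdict

SENSITIVE_PREFIX = "/hr/clearance/"  # assumption: where clearance paperwork is stored
BUSINESS_HOURS = range(7, 19)        # assumption: 07:00-18:59 is normal working time

# Constructed sample log lines (not real data): "<timestamp> <user> <path> <action>"
SAMPLE_LOG = """
2014-12-01T09:12:03 analyst1 /hr/clearance/sf86_0001.pdf READ
2014-12-01T09:40:11 analyst1 /hr/clearance/sf86_0002.pdf READ
2014-12-02T10:05:44 analyst1 /hr/clearance/sf86_0003.pdf READ
2014-12-02T11:15:09 analyst2 /hr/payroll/paystub_0042.pdf READ
2014-12-03T08:55:30 analyst1 /hr/clearance/sf86_0004.pdf READ
2014-12-04T02:14:51 analyst1 /hr/clearance/sf86_0101.pdf READ
2014-12-04T02:15:02 analyst1 /hr/clearance/sf86_0102.pdf READ
2014-12-04T02:15:20 analyst1 /hr/clearance/sf86_0103.pdf READ
2014-12-04T02:15:41 analyst1 /hr/clearance/sf86_0104.pdf READ
2014-12-04T02:16:07 analyst1 /hr/clearance/sf86_0105.pdf READ
2014-12-04T02:16:33 analyst1 /hr/clearance/sf86_0106.pdf READ
2014-12-04T02:16:59 analyst1 /hr/clearance/sf86_0107.pdf READ
""".strip().splitlines()

def parse(lines):
    """Yield (day, hour, user, path) for each well-formed line; skip malformed ones."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, path, _action = parts
        yield ts[:10], int(ts[11:13]), user, path

def find_anomalies(lines, ratio=3.0, floor=5):
    """Flag (user, day) pairs that read far more sensitive files than that user's
    median day (and at least `floor` files), or that touch them off-hours."""
    per_day = defaultdict(set)   # (user, day) -> distinct sensitive paths read
    off_hours = set()            # (user, day) pairs seen reading sensitive data at night
    for day, hour, user, path in parse(lines):
        if not path.startswith(SENSITIVE_PREFIX):
            continue             # payroll etc. is out of scope for this rule
        per_day[(user, day)].add(path)
        if hour not in BUSINESS_HOURS:
            off_hours.add((user, day))
    alerts = []
    for (user, day), paths in sorted(per_day.items()):
        # baseline = this user's median daily count on all *other* days (0 if none)
        others = [len(p) for (u, d), p in per_day.items() if u == user and d != day]
        baseline = statistics.median(others) if others else 0
        if len(paths) >= floor and len(paths) > ratio * baseline:
            alerts.append((user, day, "volume", len(paths)))
        if (user, day) in off_hours:
            alerts.append((user, day, "off-hours", len(paths)))
    return alerts
```

On the sample data the rule flags only analyst1’s bulk 2 a.m. read on 2014-12-04, both for volume and for timing; the routine one-or-two-file days stay quiet.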

At DHS, Secretary Jeh Johnson issued a binding operational directive on May 21 directing civilian agencies to mitigate their most critical vulnerabilities within 30 days, and on Capitol Hill, a chorus of lawmakers has called for increased attention to cyber security.

“We’re going to have to be much more aggressive than we have been,” Obama concluded.