Interior IT flaws didn't lead to hack, says CIO

While Interior's IT woes didn't lead directly to a breach, an IG report said security flaws continue to plague the department.


Personal data on 4.2 million federal employees housed in an Interior Department data center fell prey to hackers believed to be from China, as part of the larger breach of Office of Personnel Management data that affected more than 22 million people and compromised highly sensitive security clearance data. OPM was a shared services customer at Interior.

At a July 15 hearing of the IT Subcommittee of the House Government Oversight and Reform Committee, Interior CIO Sylvia Burns told Congress that security weaknesses at her department weren't to blame.

"The breach did not happen because of a vulnerability at the DOI data center. It happened because of compromised credentials of a privileged user on the OPM side who then moved into DOI's environment through a trusted connection," Burns said.

Nonetheless, a report initiated by the Office of the Inspector General at Interior in response to the breach found more than 3,000 "critical and high-risk vulnerabilities in publicly accessible computers" operated by three bureaus at DOI, said Deputy IG Mary Kendall.

The report, which was shared with Congress in draft form in the wake of the OPM hack, found that three bureaus at Interior had not implemented overlapping security controls to prevent IT assets from being compromised in attacks.

"If exploited, these vulnerabilities would allow a remote attacker to take control of publicly accessible computers or render them unavailable. More troubling, we found that a remote attacker could then use a compromised computer to attack the department's internal or nonpublic computer networks," Kendall said.

The affected DOI bureaus have been aware of the problem "for some time," Kendall said.

Former Interior CIO Bernard Mazer, who now consults with the OIG on technology issues, told the committee that there were plans to delve deeper into potential vulnerabilities. That includes making sure mobile devices on DOI networks are properly managed, monitoring interconnections between DOI and users of shared services and implementing two-factor authentication.

According to Burns, Interior has accepted the recommendations of the IG report and is working to implement fixes. As part of the government-wide cybersecurity "sprint," DOI has moved 75 percent of employees to multi-factor authentication for access to agency systems. Burns also said that she learned from the Department of Homeland Security that intruders were no longer resident in DOI systems and had not accessed other data.

Part of the problem, Burns and Kendall agreed, was the lack of central authority over IT systems at Interior. Although the agency had given the department CIO enhanced authority under a secretarial order, there are still separate operating environments for IT and separate budgets for large agency components.

"I think [the Federal IT Acquisition Reform Act] is pivotal legislation that helps us to drive consolidation and centralization of the things we're talking about today," Burns said.