What the military learned from OPM

In the wake of the mammoth Office of Personnel Management breach, the Defense Department joined the rest of the federal government in some serious cybersecurity introspection and improvement.

In a Sept. 16 discussion hosted by the American Security Project, two leaders within the military shared some of the lessons they’d taken from the OPM debacle.

They should have checked things out

The feds had advance warning of the OPM breach: Over the course of 2014, contractors that worked closely with OPM revealed that they had suffered breaches.

OPM officials would later testify that compromised contractor credentials allowed hackers to breach OPM’s networks.

Lt. Col. Scott Applegate, chief of defensive cyberspace operations at Army Cyber Command, said OPM should have gotten close scrutiny immediately after those revelations. As it was, hackers got a few extra months to exfiltrate data as OPM assured everyone things were OK.

“What probably should have happened is, and 20-20 hindsight is always a good thing, we’ve been standing up our cyber national mission forces across the DoD,” Applegate said. “That’s the type of event where you mobilize one of those cyber protection teams to go out and actually go look at that network and do a clear and secure operation, and survey the network and see what’s actually on there, because it has an indication [of compromise] and because it is a high-priority [repository].”

There ought to be rules

When it comes to cyber espionage, the rules of engagement haven’t really been hashed out. Is cyber snooping just an extension of normal espionage? Is cyber war even “war” in the first place?

“There are not rules that we have agreed upon” for international cyber battles, noted Rear Adm. Danelle Barrett, deputy director of current operations at U.S. Cyber Command. Without those rules, it’s tough for the U.S. to hold the OPM breach culprit, likely China, to account.

Barrett also noted the absence of any kind of world regulatory body for the Internet.

Attribution, threat detection, mitigation – it’s all stuff the U.S. government has to muddle through alone in an increasingly complicated, anonymized landscape.

 “Never assume away an enemy capability,” Barrett advised.

Officials had made the mistake of thinking that OPM’s ancient systems would avoid the notice of adversaries, Barrett and Applegate noted. Instead of complacency, agencies will need to exercise caution and ramp up governance, especially over privileged access to systems, as any system or piece of hardware (even commercial routers) could be a viable target.

Threats are only increasing

While several representatives of the private sector argued that progressively more complex defensive tools would price individual hackers out of the game, leaving hacking as a nation-on-nation engagement, Applegate disagreed.

“I think the day-to-day clutter of attacks is just going to increase, because our surface area is increasing,” Applegate said.

With the Internet of Things exploding, we’re connecting everything from cars to refrigerators to clothes to the Internet, he noted.

“Complexity breeds vulnerability,” he said, noting we’re creating “millions of lines of code and thousands of lines of code interacting in ways the creator never had in mind.”

“The cost of entry to disrupt … is so low and so ubiquitous,” Barrett added. “It costs [adversaries] nothing.”

She contrasted the billion-dollar price tags of U.S. military equipment with the cost of training a hacker to break those systems. “$100?” she postulated. “$200?”

Change will come slowly

The summertime cyber sprint strengthened the federal government’s cybersecurity position a great deal, Applegate said, but the feds still aren’t at 100 percent strong authentication for privileged users.

It’s all part of the bigger problem: In a fast-paced threat landscape, the federal government moves slowly. 

“It’s just a huge bureaucratic beast and it takes time to do anything,” said Applegate. “The speed at which we can implement things is very slow and limiting.”