According to a report by the Republicans on the U.S. House Oversight & Government Reform Committee, the hack of the Office of Personnel Management (OPM) was the direct result of the agency’s long-standing failure to properly “prioritize cybersecurity and adequately secure high value data.”
The breach, which has been attributed to at least two Chinese government operatives, resulted in the exfiltration of personnel files on 4.2 million former and current government employees, security clearance background investigations on 21.5 million individuals, and fingerprint data on 5.6 million people. The background checks, which “are designed to identify the type of information that could be used to coerce an individual to betray their country,” included information on applicants’ work histories, home addresses, financial information, and the names of relatives. Among the extremely sensitive information included in security clearance background checks was treatment information for mental or emotional health conditions, information on alcohol abuse or illegal drug use, and financial information relating to applicants’ gambling habits.
In addition to making multiple findings regarding the cause of the breach, the 241-page report also provided a detailed chronology of the attack. Beginning in November 2013, one of the two attackers (“Hacker X1”) began engaging in adversarial activity on OPM’s network. On March 20, 2014, US-CERT (Computer Emergency Readiness Team) alerted OPM that Hacker X1 was exfiltrating data (including manuals and IT system architecture information) from OPM’s network. The two agencies developed a strategy to monitor Hacker X1’s movements in order to gather counterintelligence. However, on May 7, 2014, a second attacker (“Hacker X2”) succeeded in gaining a foothold in OPM’s network by posing as a background investigations contractor, using OPM credentials to remotely access OPM’s network and install malware that created a network backdoor. The report notes that “OPM did not identify [Hacker X2]’s May 7 foothold despite the fact that OPM was monitoring and removing [Hacker X1]” from the network.
On May 27, 2014, after OPM observed Hacker X1 load a keylogger onto the workstations of several database administrators with access to the PIPs system (holding background investigation data), OPM executed its “Big Bang” plan, shutting down its compromised systems in order to remove Hacker X1 from the network. However, the still-undetected Hacker X2 continued to move freely through the OPM network, installing malware on a KeyPoint web server, registering opmlearning.org as its command-and-control center for malware operations, and conducting an RDP (remote desktop protocol) session in June 2014. By July 2014, OPM thought that it had fully resolved the breach, disclosing to the New York Times that an exfiltration had occurred in March 2014 but stating that no PII (personally identifiable information) had been lost, and without disclosing the exfiltration of the IT manuals. During this same period, Hacker X2 began exfiltrating the background investigation data from the OPM environment hosted in the Department of the Interior’s (DOI) data center. By December 2014, 4.2 million personnel records had been exfiltrated from OPM’s network and DOI’s databases. As of March 26, 2015, Hacker X2 began downloading the stored fingerprint data as well. On or about April 18, 2015, a vendor’s deployment of an endpoint detection tool resulted in the discovery of widespread malicious activity in the OPM network. By April 23, 2015, OPM had concluded that there had been a “major incident” involving the exfiltration of personnel records, pursuant to which it notified Congress on April 30, 2015. On June 4, 2015, OPM briefed the media and issued a press release disclosing the release of 4.2 million records on current and former federal employees, which resulted in the filing of multiple lawsuits that have since been consolidated as a multidistrict litigation in D.C.’s federal circuit.
The report’s ire was focused squarely on OPM’s lax security protocols dating back to at least 2005. It notes that the OPM Inspector General had been warning the agency since at least 2005 that its vast treasure trove of valuable information was vulnerable to hackers. According to the report, “OPM consistently reported spending less than other federal agencies on cybersecurity.” It was not until US-CERT notified OPM of the breach in March 2014 that OPM sought additional funds for network security. In addition, OPM failed to implement the Office of Management and Budget’s (OMB) longstanding requirement of multi-factor authentication for employees and contractors with access to the network. Overall, the Committee found that had OPM implemented basic cybersecurity protocols and deployed more advanced security tools when it became clear that attackers were targeting critical data, the extent and severity of the breach could have been prevented or at least substantially mitigated. According to the report, “[t]he data breach by Hacker X1 should have sounded a high level multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data … Swifter action by OPM to harden the defenses of its IT architecture could have prevented or mitigated the damage that OPM’s systems incurred.”
The report also acknowledged that OPM’s cybersecurity maturity has improved since the breach was initially disclosed. In June 2016, OPM reported to the Committee that it had “taken significant steps to enhance its cybersecurity posture, protect individuals who had their data stolen in the incidents last summer, and reestablish confidence in its ability to deliver on OPM’s core missions.” Those steps included complete deployment of two-factor authentication for all users, implementation of a continuous monitoring program for all IT systems, hiring of a cybersecurity advisor who reports to OPM Acting Director Beth Cobert, modifying the OPM network to limit remote access exclusively to government-owned computers, and deployment of a Data Loss Prevention system to automatically prevent sensitive information from leaving the network without proper authorization. OPM also established a new agency-wide centralized IT security workforce under a newly hired CISO and provided enhanced security awareness training relating to phishing and social engineering attacks.
However, the report also made broader recommendations for the federal government as a whole, including strategies to retain qualified Chief Information Officers (CIOs) for longer terms, reduction in the use of social security numbers by federal agencies, utilization of “critical position pay” to recruit and retain IT security specialists, and elimination of bureaucratic roadblocks to swift implementation of IT security policies and cyber tools. The Committee also recommended that federal agencies promote a “zero trust IT security model,” under which users inside the network are not deemed any more trustworthy than users outside the network. This model would require agencies to strictly enforce authentication and user access controls and to closely monitor all network traffic. The report noted that, because OPM was unable to visualize and log its network traffic, it was also unable to determine exactly how much data had actually been exfiltrated by its attackers.
While the attack on OPM could be discounted as the targeting of a government agency by foreign government operatives, there remains a broader lesson for all organizations. In OPM’s case, the agency possessed vast stores of valuable data whose value to attackers it apparently failed to appreciate. As a result, it neglected to expend the resources necessary to adequately protect that data, ignoring the recommendations of industry experts and even standards adopted by other similarly situated agencies. When it became aware that it was under attack, it still failed to take the steps necessary to discover the full extent to which its network had been breached. The consequences of OPM’s inaction will be borne not only by the current and former federal employees who entrusted their data to their government and are now vulnerable to identity theft and extortion; this breach has also resulted in the compromise of valuable intelligence data (the CIA was forced to pull several officers from its embassy in Beijing) and the expenditure of substantial government resources to discover the full extent of the data exfiltrated. Hopefully this incident was the wake-up call needed to improve systems throughout the federal government and prevent (or mitigate) similar future attacks.