The Office of Personnel Management (OPM) is in many ways the filing cabinet of U.S. government employees. But in 2015, that filing cabinet was hacked — twice — solidifying OPM's place in U.S. data breach history.
In July 2015, the personally identifiable information (PII), including social security numbers, of 21.5 million "current, former and prospective federal employees and contractors" was compromised, according to OPM. Of those individuals, 19.7 million had a background investigation application, potentially jeopardizing the entire identities of those individuals from passwords to fingerprints.
Earlier in the year, the PII of 4.2 million individuals was also breached. But the steps taken since the breach impacted more than the agency itself.
This breach was particularly devastating because OPM is a "target-rich environment" and it is "essentially the human resources services for the federal government," said Antwanye Ford, CEO of Enlightened Inc., a contractor of OPM, in an interview with CIO Dive.
In the two years since the breach, the U.S. Government Accountability Office (GAO) has checked in with OPM to follow up on the security recommendations made by the U.S. Computer Emergency Readiness Team (US-CERT).
Ultimately, the breach was "facilitated by credentials that were compromised at one of OPM's vendors and contractors," Gregory Wilshusen, director of information and security issues at GAO, told CIO Dive.
The only solution for weak access protection is multifactor authentication. This ideally consists of a government-administered identification card and either a PIN or pass phrase coupled with the card to grant network access.
However, rehashing the "what-ifs" of the hack is not what will prevent another one.
"After the data breach was discovered, OPM had the Department of Homeland Security come in and conduct a review," said Wilshusen. "DHS issued a report and it identified 19 recommendations that OPM should implement to bolster their information security and it was those recommendations that we reviewed."
In the GAO's August 2017 report, the government watchdog found that of the 19 recommendations set by US-CERT, OPM completed 11.
The GAO gave OPM credit for its progress, but there were still shortcomings including "key security controls on selected contractor-operated systems have not always been comprehensively tested," according to the report.
What happened to OPM's contractors?
The third parties OPM partnered with had to reexamine their own practices to remain with the agency.
"Post breach, the OPM cleaned house and instituted several basic hygiene practices, including better software patch management, implementing the principle of least privilege to reduce administrative access," Bill Ho, CEO of Biscom, a provider for secure document sharing, told CIO Dive.
But the breach had a ripple effect among all agencies and the third parties they associate with.
Before the breach, OPM was tasked with performing background investigations on personnel requiring a security clearance, and that process is daunting. For example, part of the process requires federal personnel to "talk to the people that I have provided as people that authenticate that I am who I say that I am," said Ford, who holds a clearance.
And that is what made the breach so impactful — entire identities were at risk.
Contractors like Enlightened had to respond to Senate investigation following the breach to essentially answer the question, "could you have negatively impacted the breach?" according to Ford. Ultimately, Enlightened's work is done in the "development environment," which is then migrated to the production environment and therefore could not have contributed to any vulnerabilities.
All contractors hired by OPM were thereafter tasked with strengthening the security measures within their services. Prior to the breach, "no one was really building with hacks in mind because you assumed your network was the fence around your house and you thought your fence was high enough so that you could leave your front door open," said Ford.
The question then comes, if hackers get over the "fence," is the house still secure?
Since the breach, OPM has had two CIOs and three acting CIOs — including the current acting CIO, Rob Leahy. That subsequent turnover could "have an effect in the agency and [on] setting the appropriate priorities on what the staff should be doing," according to Wilshusen.
Leadership turnover also disrupts the contracts put in place by previous leadership, according to Ford. Typically, contractors must re-defend their purpose and benefits for the agency.
What happens next?
"OPM hasn't been sitting still," Wilshusen said and, if anything, the hack shed light on the fragility of the government's computer systems.
The breach also resulted in the creation of an assisting organization, National Background Investigations Bureau (NBIB). In October of 2016, OPM gave NBIB the responsibility of background investigations and "entered into a memorandum of agreement with the Department of Defense to develop and operate information systems supporting the bureau," according to the GAO report.
OPM will continue to maintain its existing background investigation system for another three years or until its new system, supported by NBIB, is independently running. But "will NBIB eventually take over OPM's legacy data and all the work we're doing? Probably, over the next number of years," said Ford.
It remains largely unknown how the compromised data was used, which raises the question of whether the public and private sectors should finally collaborate on best security practices.
"There's too much good information on both sides to not share this for the common good," said Ho. However, he doesn't see universal regulation and "even if it were possible, I don't think it should happen."