The hack of the U.S. Office of Personnel Management didn’t surprise me. All significant organizations are regularly attacked, and every major federal agency is a big target.
The outrage that followed this potentially preventable attack didn’t surprise me either. But the most likely reason it wasn’t prevented is that few people realize the value of standard personnel records, which receive little to no protection until they are compromised.
Unfortunately, the outrage will die away and with it will go the keen awareness that such records are in great need of protection. I hope I’m wrong, but I believe the likelihood of that is almost nonexistent.
Here are six reasons why I believe that incidents like the OPM hack will not only continue, but also quite possibly increase in scope.
1. We always hit the snooze button
The pattern of all recent attacks has been for little to change afterwards, with the requisite outrage dissipating quickly. Although the IRS hack of earlier this year resulted in $50 million in theft, it is already out of the news. The congressional hearing that it inspired may lead to some improved processes, but little of real value has been done.
Just since 2014, government agencies that have been hacked have included the Government Accountability Office, the Government Printing Office, the U.S. Postal Service, the State Department, the White House, the IRS, the OPM and the U.S. Army. The fact that one government agency after another has fallen prey to hackers shows how little is learned from each incident.
Outside of government, consider the hack of health insurer Anthem. It reported that more than 70 million people’s records had been compromised. That is nearly 25% of the U.S. population. But there’s a good chance that all of us have had our records compromised, since 91% of all healthcare providers have reported a data breach at some point. As big and recent as the Anthem data breach was, few people now mention it, other than to note that it now appears that Anthem and the OPM were hit by the same hackers.
2. We fail to learn from past hacks
Sure, I’m overstating the case. But while there definitely are some astute organizations with strong security programs, most organizations are not incorporating threat intelligence into their security programs, or at least not constantly updating their systems to ward off new types of attack.
Most tellingly, the White House only a couple of weeks ago ordered all federal agencies to implement basic security measures. The fact that this had to be directed in 2015, after decades of hacks into government agencies, is outrageous. How many hacks has it taken for the government to do the very least that should be done? And having to play catch-up at this late date means that the most up-to-date countermeasures will have to wait. How many more hacks will we see before then?
My message to anyone responsible for security at an enterprise or government agency: When you hear about a major breach, don’t just say, “Glad that wasn’t us.” Take a close look at what Target and Sony and the OPM could have done to stop the hackers, and then start doing those things yourself.
3. We underestimate the true value of information
Evidently few people ever considered the OPM as a storehouse of sensitive information. The information was not deemed valuable, and apparently the OPM just found cheap storage available from the Department of the Interior that was not designed to protect sensitive information. In government circles, if information isn’t classified, it isn’t seen as important. But personnel records actually can tell you a lot. You can not only learn the names of government workers; you can probably use them to figure out which ones are undercover operatives. And of course you can steal identities, fuel future social engineering attacks, launch credit card fraud and practice employment fraud.
When you’re charged with safekeeping such records, what is important is not the value your bosses place on the information, but the value that your adversaries give it.
4. We don't give security adequate funding
Bad judgment often comes into play as well, but the fact is that most breaches have the potential to be avoided if more security resources are deployed.
This is particularly a problem for government agencies. Congress has cut funding for many of them to the point that they can’t fulfill their core missions. Just look at the Department of Veterans Affairs, the target of much abuse because veterans have had to wait ridiculous amounts of time to see a doctor. There’s a really simple solution: Hire more doctors and build more facilities. It’s the agency’s budget that puts that simple solution out of reach. The bottom line is that if agencies are not able to fund their root missions, they are not going to be able to properly fund supporting activities such as cybersecurity.
This is why it’s a bit rich to see members of Congress fulminating about government-agency breaches and holding hearings to look into the matter. The truth is that, as the holders of the purse strings, Congress is a big part of the problem.
5. We get suckered into low-bid contracts
Even when cybersecurity has sufficient funding, cost can remain a major consideration when contracts are out to bid. The problem is that cost can override compelling security concerns. It has been reported that at the OPM, a low-bid contract resulted in Chinese nationals having access to the personnel files that the OPM stores. Did the OPM’s managers think there was no danger in that arrangement, or were their hands tied because they had accepted that low bid?
Contracts can also limit versatility. The CIO of a major federal agency wanted my company to assess how to make his agency’s security awareness program better. But his contracts team informed him that the agency could not use us for an inexpensive assessment of the program because we were not part of the team that won the agency’s IT support contract.
6. We suffer from detection deficit disorder
“Detection deficit disorder” is a term coined by Araceli Treu Gomes that applies to organizations that might or might not have insufficient protection capabilities, but that also have poor detection capabilities. For example, the OPM hack was only detected when a vendor was demonstrating its tools at the OPM. The attack had been going on for months. The IRS failed to detect a breach until after 200,000 breach attempts.
Cases of long-term breaches without detection are rampant throughout government and industry. It is impossible for all attacks to be thwarted, but proper detection is critical to any sufficient security program.
There are more reasons
There are of course many other reasons for the failures that keep occurring. These include poor security awareness programs, the offshoring of job functions, poor training and improper hires. This article would never end if I went into each possible reason why government agencies will continue to suffer major breaches. But I think I can predict with complete certainty that there will be many more OPM-type hacks of federal agencies, as well as commercial organizations.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.