It's been called a watershed event, a wakeup call, a punch in the gut, and the highest risk to national security since the 9/11 terrorist attacks.
No matter what the label, back to back data breaches at the Office of Personnel Management (OPM), first noticed by the agency in early 2015, were both bad news and an eye-opener, exposing personal data of current, former and prospective federal workers and their families, including Social Security numbers (SSNs), fingerprint data, addresses and even prior drug and alcohol use. The incursions – the first of which compromised data on 4.2 million current and former employees and the second laying bare the SSNs of 21.5 million individuals – thrust cybersecurity into the limelight like no other event in U.S. history and invited closer scrutiny of the way federal agencies are structured and what they need to do to bolster security.
The one-two punch exposed what some experts have been saying for years: the IT landscape at some federal agencies is riddled with holes and vulnerabilities that could be exploited by determined threat actors.
“The thing about it is guys like me have been talking about it [cybersecurity] for years,” General Gregory Touhill, deputy assistant secretary for cybersecurity operations and programs at the Department of Homeland Security (DHS), said in an interview with SC Magazine. “Unfortunately, we have event that have crossed the threshold for risk appetite for folks and now, in fact, it's on everybody's agenda.”
OUR EXPERTS: Government action
Rep. Ted Lieu (D-Calif.)
Kevin Newmeyer, fellow, National Cybersecurity Institute, Excelsior College
Andrew Rubin, founder and CEO, Illumio
General Gregory Touhill, deputy assistant secretary for cybersecurity operations and programs, U.S. Department of Homeland Security
Rep. Lynn Westmoreland (R-Ga.), chairman, Subcommittee on the National Security Agency and Cybersecurity
Whether due to budget restrictions, aging technology and applications, weak or unenforced security polices, purchasing mandates that have varied from administration to administration, or a little of each, the IT layout in many federal agencies more closely resembles a patchwork quilt stitched furiously by a squinty seamstress than a well-drawn blueprint with a ten-year plan attached. In the aftermath of the OPM two-fer, agencies, lawmakers and even the White House scrambled to fast-track changes that would bolster agency security.
What happened next, nearly simultaneously, was a flurry of committee hearings, particularly within the United States Committee on Oversight and Government Reform, a government-wide “cybersecurity sprint,” and the resignation of Katherine Archuleta, OPM's director. As a consequence, the CIA even pulled officers out of Beijing because their covers were blown.
Perhaps most vocal in the charge to get to the heart of the government's “insecurity” has been the Oversight Committee, whose OPM hearings often prompted live virtual streamers to tweet that they'd popped popcorn to enjoy the lively back and forth. Ultimately, after berating Archuleta and OPM's CIO Donna Seymour about their efforts to stave off cyberattacks, the committee members demanded answers to questions the broader public also wanted to know, such as: Why did these massive breaches occur and how can they be thwarted in the future?
The answers don't come easy. True, identifying the source of OPM's breaches was the simple part: third-party contractors and stolen credentials. But recognizing the systemic overhaul needed to fix a lagging cybersecurity structure and then implementing it doesn't happen quickly. The experts, politicians and agency personnel who spoke with SC Magazine, all readily admit the answers currently lie outside their grasp. But all also expressed a willingness to roll up their shirt sleeves and get down to the gritty business of determining what the future of government cybersecurity should look like and just how the country will bring that vision to reality.
Two members of the Oversight Committee – Rep. William Hurd (R-Texas), who chairs the Information Technology Subcommittee, and Rep. Ted Lieu (D-Calif.) who majored in computer science in college –acknowledge the unique challenges the government faces with cybersecurity, particularly the monumental task of bringing network systems up to modern standards. While acknowledging there is a good deal of catching up to do, both agree that taking actionable steps will require the coordination of multiple government parties.
Most top of mind for both men was instituting proper cyber hygiene, or procedures that should always be done but often fall by the wayside.
“The overall take is that the agencies within the federal government can be doing a better job to follow the best practices of good digital hygiene,” Hurd says. “The OPM breaches and the aftermath, and especially Archuleta stepping down, has made all the agency heads and agency CIOs dig into their Inspector General reports and GAO [U.S. Government Accountability Office] reports and start making those changes. We've got a long way to go to having a digital infrastructure that's reflective of the world's biggest power.”
Obtaining upgraded systems requires more than their inclusion on a “to-buy” list, however. Agencies need money to make the buys. But with a Congress willing to reject a budgetary bill and shut down the government over Planned Parenthood funding or affordable healthcare, getting lawmakers to let loose with more cash for cybersecurity could prove a challenge, though it's one that Lieu says needs to be overcome.
“There absolutely needs to be more budget allotted for cybersecurity,” Lieu says, explaining that agencies equipped with systems written in COBOL, a programming language developed in the 1950s and 1960s. “They were never designed for a world like today with constant hacking attempts,” he says.
It's not just savvy members of Congress who recognize that funding for digital upkeep is seriously lacking; private industry experts are taking note, as well. “OPM and most breaches brought out that most basic hygiene is not being done,” says Andrew Rubin, founder and CEO of cybersecurity company Illumio, a Sunnyvale, Calif.-based cloud computing security. While he's received information security training, and knows to not click links from unknown senders or approve mysterious wire requests, that fundamental awareness often is missing in the government sector, he says.
“I've heard enough of these stories of people clicking on the attachment,” Rubin says. “The hygiene issue is an individual level of hygiene and an organizational level of hygiene that is being missed so often. What it [would] mean is the bar for being attacked would go up, and that is very much what we're trying to do.”
This summer's “30-Day Cybersecurity Sprint,” initiated by U.S. CIO Tony Scott, aimed to take care of some of those most basic procedures. Agencies were told to patch critical vulnerabilities, review and limit their number of privileged users, and increase authentication measures.
By the government's measures, at least, the initiative worked. Authentication for privileged users increased more than 40 percent and 13 agencies implemented authentication for nearly 95 percent of privileged users, Scott reported after the 30 days were up. One Federal News Radio survey of 33 federal CIOs found that 71 percent thought the event was effective in getting their agency to focus on longstanding cyberchallenges. That being said, others did criticize the Sprint, saying that it only put Band-Aids on things, as opposed to fixing “real problems.”
Scott conceded that while the Sprint was successful, the government still has “work to do,” and any effort to address cyber risk “is never done” completely. He also listed budget as a primary area where concrete steps could be made. Notably, however, he also pointed to Congress to pass some sort of cybersecurity legislation that could help refocus priorities.
The legislative bodies are still debating the Cyber Information Sharing Act (CISA), as well as a national data breach law, among other bills meant to protect computer users.
With those potentials laws and budget in flux, Touhill explained the broader work that his agency does to address cybersecurity.
“DHS works with the departments and agencies to strengthen the cybersecurity posture to best maintain risk,” Touhill says.
But, he clarifies that for his agency, it comes down to risk mitigation through information sharing, as opposed to technology.
DHS responded to the OPM breaches with a “Binding Operational Directive,” which required all agencies to fix their most critical vulnerabilities in internet-facing systems within 30 days. Otherwise, DHS would have to step in to help. This strategy, Touhill says, was an immense success and refocused agency heads on reducing their risk of exposure.
At the national level, cybersecurity hasn't always been an “agenda level” issue, he says, and didn't “permeate organizations.” Ultimately, though, directives and high-profile breaches made it nearly everyone's top priority.
Rep. Lynn Westmoreland (R-Ga.), who serves as chairman of the Subcommittee of the National Security Agency (NSA) and Cybersecurity, also said the topic doesn't always drum up conversation. “Cybersecurity has not been the number one topic around people's kitchen tables,” he says. “Really, in any area that you sit down and talk politics, you hardly hear cybersecurity even mentioned. Then of course, the OPM breaches happened and everybody started talking about it.”
Hurd says now, in addition to fielding questions about Iran, he always gets asked about cybersecurity when meeting with constituents.
Maybe it was the attention grabber the country needed, especially in conjunction with a slew of big-time retailer and health care breaches. Let others worry about the budget issues and how to pass legislation. As far as Touhill is concerned, DHS can only offer its professional input and give agency heads the information they might need to do their jobs best.
“I don't think CIOs or CISOs are ignorant of best practices,” Touhill says. “However, there's always a cost and value proposition. You have to recapitalize on a regular basis and have new operating systems in place. And yet, when I got here [to DHS] there was a big push to retire Windows XP and Windows 2003. Because of business imperatives and business constraints, some of those folks have elected to accept risk and avoid some of those best practices.”
Although its stated goals are admirable and certainly could be effective, without controlling the budgets at other agencies, DHS is limited in its scope, says Kevin Newmeyer, a fellow with the National Cybersecurity Institute at Excelsior College. “They can put out best practices and recommendations and guides, but without some kind of hammer to hold over other agencies, there's not much they can do.”
But, if fully implemented and maintained, best practices could go a long way to ensuring the government remains secure. It's the maintenance part that's difficult.
“At any large organization, best practices change what you're doing,” Newmeyer says. Without somebody implementing and driving best practices and keeping accountability practices, it doesn't happen, he adds.
Plus, if no policies are put in place to maintain the new frameworks, they'll slip over time.
“There are such simple things at the baseline to improve security, but to remain secure, it's a constant practice,” he says.
“It's the same thing you see in every place in the government,” says Rep. Mike Pompeo (R-Kan.), at left, who serves on the same cybersecurity subcommittee as Westmoreland. “You see enormous bureaucracy, vested interests, and siding that takes place, which all prevent the government from acting with the speed and force that cyberthreat actors have in place.”
Compared with the physical world, taking one's time in the digital environment can produce grave repercussions. “Being slow in the cyberworld means you lose,” Pompeo says.
For example, during this past year, one Ponemon Research and HP study found that it took an average of 46 days to remediate cyberthreats across all sectors. The perpetrators behind the OPM hacks had access to the agency's systems for months.
Yet, Touhill isn't deterred by government's slow crawl. DHS, he says, arms agencies with what they need – even while Congress waffles on CISA and its budget. All worries aside, he knows what he wants to see going forward.
“I'd like to see executives at all levels keeping cybersecurity on the agenda,” he says. “I hope that folks will not become enamored with the technology and focus on risk. They should be looking for solutions that will be effective, efficient and secure because cybersecurity is all about risk. It's not all about the technology.”
It's a puzzle where all the pieces need to come together, Hurd adds. “With the GAO, Congress and Office of Management and Budget, I think we can get there.”