It's been called a watershed event, a wakeup call, a punch in the gut, and the highest risk to national security since the 9/11 terrorist attacks.
No matter what the label, back-to-back data breaches at the Office of Personnel Management (OPM), first noticed by the agency in early 2015, were both bad news and an eye-opener, exposing personal data of current, former and prospective federal workers and their families, including Social Security numbers (SSNs), fingerprint data, addresses and even prior drug and alcohol use. The incursions – the first of which compromised data on 4.2 million current and former employees and the second of which laid bare the SSNs of 21.5 million individuals – thrust cybersecurity into the limelight like no other event in U.S. history and invited closer scrutiny of the way federal agencies are structured and what they need to do to bolster security.
The one-two punch exposed what some experts have been saying for years: the IT landscape at some federal agencies is riddled with holes and vulnerabilities that could be exploited by determined threat actors.
“The thing about it is guys like me have been talking about it [cybersecurity] for years,” General Gregory Touhill, deputy assistant secretary for cybersecurity operations and programs at the Department of Homeland Security (DHS), said in an interview with SC Magazine. “Unfortunately, we had an event that crossed the threshold for risk appetite for folks and now, in fact, it's on everybody's agenda.”
OUR EXPERTS: Government action
Rep. Ted Lieu (D-Calif.)
Kevin Newmeyer, fellow, National Cybersecurity Institute, Excelsior College
Andrew Rubin, founder and CEO, Illumio
General Gregory Touhill, deputy assistant secretary for cybersecurity operations and programs, U.S. Department of Homeland Security
Rep. Lynn Westmoreland (R-Ga.), chairman, Subcommittee on the National Security Agency and Cybersecurity
Whether due to budget restrictions, aging technology and applications, weak or unenforced security policies, purchasing mandates that have varied from administration to administration, or a little of each, the IT layout in many federal agencies more closely resembles a patchwork quilt stitched furiously by a squinty seamstress than a well-drawn blueprint with a ten-year plan attached. In the aftermath of the OPM two-fer, agencies, lawmakers and even the White House scrambled to fast-track changes that would bolster agency security.
What happened next, nearly simultaneously, was a flurry of committee hearings, particularly within the United States Committee on Oversight and Government Reform, a government-wide “cybersecurity sprint,” and the resignation of Katherine Archuleta, OPM's director. As a consequence, the CIA even pulled officers out of Beijing because their covers were blown.
Perhaps most vocal in the charge to get to the heart of the government's “insecurity” has been the Oversight Committee, whose OPM hearings often prompted live virtual streamers to tweet that they'd popped popcorn to enjoy the lively back and forth. Ultimately, after berating Archuleta and OPM's CIO Donna Seymour about their efforts to stave off cyberattacks, the committee members demanded answers to questions the broader public also wanted to know, such as: Why did these massive breaches occur and how can they be thwarted in the future?
The answers don't come easy. True, identifying the source of OPM's breaches was the simple part: third-party contractors and stolen credentials. But recognizing the systemic overhaul needed to fix a lagging cybersecurity structure and then implementing it doesn't happen quickly. The experts, politicians and agency personnel who spoke with SC Magazine all readily admit the answers currently lie outside their grasp. But all also expressed a willingness to roll up their shirt sleeves and get down to the gritty business of determining what the future of government cybersecurity should look like and just how the country will bring that vision to reality.
Two members of the Oversight Committee – Rep. William Hurd (R-Texas), who chairs the Information Technology Subcommittee, and Rep. Ted Lieu (D-Calif.), who majored in computer science in college – acknowledge the unique challenges the government faces with cybersecurity, particularly the monumental task of bringing network systems up to modern standards. While acknowledging there is a good deal of catching up to do, both agree that taking actionable steps will require the coordination of multiple government parties.