Friday, June 26, 2015

OPM Data Breach Symptomatic of US Cyber Weaknesses

James D. McFarlin

The list of recent breaches of U.S. government agencies is long and includes organizations such as the Department of Defense, US Army, Securities and Exchange Commission, Postal Service, IRS, even the White House.

Reported reasons for the success of these breaches vary but follow repeatable patterns, which include unheeded warnings, antiquated legacy software, management denial, lack of accountability and lax cybersecurity operating procedures.

Protecting critical data such as taxpayer records should be a primary priority. Yet in the IRS - which recently had more than 100,000 personal tax returns stolen - employees have been allowed to follow weak security practices, including using passwords such as "password."

Einstein, the Department of Homeland Security cyber defense system, over a decade and $529 million in the making, has been ineffective in stopping breaches and is already considered outdated technology, according to former DHS lawyer Gus Coldebella.

The government agency cybersecurity failures are widespread. According to Sen. John Boozman (R., Ark.) at a recent hearing, "Office of Personnel Management is just the most recent example of the government's systemic failure to protect itself."

The OPM breach, in which at least 18 million personnel records of former and current government employees, including their security clearance applications, were stolen, is a prime example of cybersecurity gone missing.

According to the New York Times, the OPM inspector general has issued warnings to the agency since 2010 over its lax cybersecurity, even describing the organization's computer security as a "Chinese hacker's dream."

But in a stunning display of bravado, OPM director Katherine Archuleta declined to take any responsibility for the breaches, instead laying the blame totally on China. In spite of calls by congressional committee members for her dismissal, Obama stood behind her, making it clear her job was secure no matter what.

Retired Gen. Michael Hayden, who served both as director of the CIA and of the National Security Agency, knows a thing or two about cybersecurity. Hayden recently said this about the OPM breach: "This is not shame on China. This is shame on us for not protecting that kind of information. This is a tremendously big deal. And my deepest emotion is embarrassment."

In a typical 'lead from behind' response, on June 12th the White House directed all federal agencies to take a series of swift measures to "lock down" government systems against cyberattack. U.S. chief information officer Tony Scott even launched what he is calling a "30-day cybersecurity sprint."

To comply with this directive, agencies will reportedly be undertaking steps that many - including OPM chief Archuleta - have said have not been possible over even a period of years. Such efforts, besides being ludicrous at their very core, are merely more administration window dressing and doomed to failure.

Until cybersecurity is taken seriously by this administration, the embarrassment expressed by Gen. Hayden will continue for us all. Except those in the White House, of course, where deniability and lack of accountability reign supreme.