After Historic Hack, OPM Chief's 15-Point Plan May Be Too Little, Too Late

A cyber strategy announced last week by the head of the agency that hackers robbed of sensitive dossiers on federal employees has potential to deter future attacks, say private investigators who probe computer espionage campaigns. 

During multiple Capitol Hill appearances, Katherine Archuleta, director of the Office of Personnel Management, referenced 15 actions OPM will take to safeguard and upgrade the agency’s information technology systems. (See the below list for specifics.)

Richard Bejtlich, chief security strategist at threat intelligence firm FireEye, has criticized the status quo security stance of the whole government, which he says prioritizes "locking doors and windows while there are intruders in the house." On his personal blog TaoSecurity, Bejtlich advocated first chasing down and booting out the bad guys. (More details at the bottom.)

FireEye specializes in "advanced persistent threats" -- like the OPM hack -- that invisibly infiltrate a network, get a lay of the land, and return to exfiltrate targeted data. The company told The New York Times the same Chinese group that recently breached major health care insurers is behind the OPM breach.

Regarding Archuleta's overhaul, Bejtlich, tells Nextgov he hopes some of the steps that mention consultations with outsiders indicate a willingness to adopt approaches like his.

"I would like to see OPM emphasize the need to hunt for adversaries now, and institutionalize detection and response for the intrusions that will happen in the future," said Bejtlich, who also serves as a nonresident senior fellow at the Brookings Institution.

Other investigators praised the plan's premise that attackers are never completely gone from a system.

The agency prefaces its agenda by stating that, "simply because there is no evidence that this particular threat remains active does not mean that we can decrease our vigilance.”

Malcolm Harkins, global chief information security officer at cyber forensics firm Cylance, said all organizations must embrace the same philosophy.

"We are on a journey with no finish line when it comes to information security and ensuring the privacy our employees and customers," he said.

Archuleta's steps are broken up into four sections. The first three -- security improvements, consultations with outside experts, and system upgrades -- are necessary but insufficient to confront growing risks, Harkins said. However, the fourth section -- which involves accountability -- adds the missing piece, he said. 

"Within almost any organization, there is a tendency for structure to drive behavior and for execution toward goals to be the ones that are measured by management," Harkins said. "By publicly demonstrating the leadership of accountability," OPM will surely "be able to stay on top of future risks because they will have the structure to drive prevention of issues and learn from incidents that may occur."

Cylance late last year published an analysis labeling Iran a rising power in cyberspace, comparable to China, and specifically cited a campaign dubbed Operation Cleaver. On Friday, The Hill reported the group behind that series of attacks provided WikiLeaks with about 70,000 confidential cables from Saudi Arabia’s Foreign Ministry. 

While OPM's tactics might work, bureaucracy has a way of impeding good intentions, some information security researchers say.

"Lots of strategies. The question is whether they get implemented," said James Lewis, a cybersecurity analyst at the Center for Strategic and International Studies.

House Republicans seem unconvinced that Archuleta and OPM Chief Information Officer Donna Seymour are capable of following through on any security operations.

On Friday, Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz, R-Utah, who heard testimony from Archuleta twice over the past two weeks, and other GOP lawmakers wrote President Barack Obama a letter requesting their removal. 

"We have lost confidence in Director Archuleta’s ability to secure OPM’s networks and protect the data of millions of Americans," they said in that letter. "We have also lost confidence in OPM CIO Donna Seymour’s ability to do the same. This country’s hard-working federal employees deserve better, and Americans with security clearances whose lives may now be at risk deserve better."

Archuleta’s Plan to Thwart Future Cyber Theft

1. Finish activating two-step ID checks -- All users will be required to login with a password and a smartcard by Aug. 1 (The OPM attackers busted through the agency's network using password data stolen from a contractor, according to officials.)

2. Expanding continuous monitoring -- There is a governmentwide mandate to deploy a regime of sensors, security analysts and other technology that can monitor network controls in near-real-time. OPM does not have a robust continuous monitoring operation, according to the agency's inspector general. OPM intends to speed rollout and order contractors to do the same, where feasible.

3. Ensuring permission to probe contractor systems -- OPM will write language into prospective contracts spelling out that the agency is allowed access to a contractor’s systems in the event of a cyber incident. (OPM claims background check provider USIS obstructed a federal inspection of the company's networks after a data breach was detected last year.)

4. Reviewing encryption of databases -- Wherever possible, the agency will render database records indecipherable to intruders. A review to determine which currently unencrypted databases can be converted will be completed by July 15. (Encryption would not have foiled the hackers, in this case, because they used the contractor's authorized credential to unlock the data copied.)

Tapping Outside Expertise

5. Hiring a cybersecurity adviser -- A private sector cyber expert will join the agency by Aug. 1. 

6. Consulting private sector technology and cyber experts --Archuleta is inviting industry chief information security officers who "experience their own significant cybersecurity challenges" to a workshop in the coming weeks to discuss future steps. 

7. Seeking more counsel from the inspector general -- Archuleta will meet with the inspector bi-weekly to obtain advice. (The two officials have been at odds over whether OPM’s systems comply with government security statutes.)

Upgrading Systems

8. Transitioning to a new IT setup -- OPM is overhauling the agency's IT environment to make it easier to apply the latest security controls. Once a new operating infrastructure has been developed, existing IT systems will be transitioned. Some OPM technology dates back to the 1980s and runs off esoteric programming language. 

9. Finalizing the budget and scope of the overhaul by the end of the fiscal year. 

10. Evaluating all contracting options -- Going forward, "OPM will conduct a thorough analysis on the most reasonable and appropriate course of action, and explore all available contracting avenues to determine the best option for the health of its modernization project and for the taxpayer." (A contractor hired, without an open competition, to help secure OPM’s systems was accused by a government watchdog this year of possibly misusing $135 million of taxpayer money after videos appeared to show its employees high on drugs and alcohol while working on a U.S. Army contract in Afghanistan, according to The Washington Post.)

11. Requesting additional congressional funding -- OPM will provide lawmakers with a list of IT enhancements that require more appropriations. 

Accountability

12. Assessing IT project performance -- Every month, Archuleta will meet with Seymour and the new cyber adviser to review IT efforts "to ensure continued progress and accountability."

13. Holding regular cyber awareness education sessions -- All employees and contractors handling sensitive information will undergo a refresher on cyber hygiene on a bi-annual basis.

14. Establishing protocols on incident response -- OPM will document standard operating procedures for partnering with other agencies in the event of a future incident. 

15. Complying with federal computer security laws -- OPM will hold system owners responsible for following the Federal Information Security Management Act. (The agency has had a history of struggling to comply with FISMA and has been running systems not authorized to operate, according to the IG.)

The Bejtlich Detect and Respond Approach

Phase 1: Compromise Assessment: Dispatch teams across government networks to hunt for intruders and, if possible, remove them. "I suspect the 'remove' part will be more than these teams can handle, given the scope of what I expect they will find," Bejtlich writes in a blog post. 

Phase 2: Improve Network Visibility: 

1. Fast-track the activation of EINSTEIN 3A, the latest version of a governmentwide intrusion detection and prevention system.Agencies are required to convert next year, according to the White House. "Waiting until the end of 2016 is not acceptable," Bejtlich says. "Equivalent technology should have been deployed in the late 1990s." 

2. Ensure the Department of Homeland Security has authority to centrally monitor all EINSTEIN sensors deployed governmentwide.Agencies should be given access to their own data, and there should be a dialogue among agencies and Homeland Security on who should be responsible for acting on EINSTEIN's findings. 

3. Hire enough DHS staff to analyze and act on EINSTEIN discoveries.

4. Make hunting and squashing malicious operations a coordinated, routine practice.

5. Collect metrics on the effectiveness of defensive operations and tailor future countermeasures based on lessons learned. 

Phase 3. Deploy continuous monitoring and reduce the number of access points to the public Internet