Katherine Archuleta director, Office of Personnel Management, testifies before a House Oversight and Government Reform Committee hearing on Capitol Hill in Washington, Tuesday, June 16, 2015.

Katherine Archuleta director, Office of Personnel Management, testifies before a House Oversight and Government Reform Committee hearing on Capitol Hill in Washington, Tuesday, June 16, 2015. Cliff Owen/AP

After Historic Hack, OPM Chief's 15-Point Plan May Be Too Little, Too Late

In the wake of a major hack, agency director Katherine Archuleta outlined a series of steps to counter future breaches.

A cyber strategy announced last week by the head of the agency that hackers robbed of sensitive dossiers on federal employees has potential to deter future attacks, say private investigators who probe computer espionage campaigns. 

During multiple Capitol Hill appearances, Katherine Archuleta, director of the Office of Personnel Management, referenced 15 actions OPM will take to safeguard and upgrade the agency’s information technology systems. (See the below list for specifics.)

Richard Bejtlich, chief security strategist at threat intelligence firm FireEye, has criticized the status quo security stance of the whole government, which he says prioritizes "locking doors and windows while there are intruders in the house." On his personal blog TaoSecurity, Bejtlich advocated first chasing down and booting out the bad guys. (More details at the bottom.)

FireEye specializes in "advanced persistent threats" -- like the OPM hack -- that invisibly infiltrate a network, get a lay of the land, and return to exfiltrate targeted data. The company told The New York Times the same Chinese group that recently breached major health care insurers is behind the OPM breach.

Regarding Archuleta's overhaul, Bejtlich, tells Nextgov he hopes some of the steps that mention consultations with outsiders indicate a willingness to adopt approaches like his.

"I would like to see OPM emphasize the need to hunt for adversaries now, and institutionalize detection and response for the intrusions that will happen in the future," said Bejtlich, who also serves as a nonresident senior fellow at the Brookings Institution.

Other investigators praised the plan's premise that attackers are never completely gone from a system.

The agency prefaces its agenda by stating that, "simply because there is no evidence that this particular threat remains active does not mean that we can decrease our vigilance.”

Malcolm Harkins, global chief information security officer at cyber forensics firm Cylance, said all organizations must embrace the same philosophy.

"We are on a journey with no finish line when it comes to information security and ensuring the privacy our employees and customers," he said.

Archuleta's steps are broken up into four sections. The first three -- security improvements, consultations with outside experts, and system upgrades -- are necessary but insufficient to confront growing risks, Harkins said. However, the fourth section -- which involves accountability -- adds the missing piece, he said. 

"Within almost any organization, there is a tendency for structure to drive behavior and for execution toward goals to be the ones that are measured by management," Harkins said. "By publicly demonstrating the leadership of accountability," OPM will surely "be able to stay on top of future risks because they will have the structure to drive prevention of issues and learn from incidents that may occur."

Cylance late last year published an analysis labeling Iran a rising power in cyberspace, comparable to China, and specifically cited a campaign dubbed Operation Cleaver. On Friday, The Hill reported the group behind that series of attacks provided WikiLeaks with about 70,000 confidential cables from Saudi Arabia’s Foreign Ministry. 

While OPM's tactics might work, bureaucracy has a way of impeding good intentions, some information security researchers say.

"Lots of strategies. The question is whether they get implemented," said James Lewis, a cybersecurity analyst at the Center for Strategic and International Studies.

House Republicans seem unconvinced that Archuleta and OPM Chief Information Officer Donna Seymour are capable of following through on any security operations.

On Friday, Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz, R-Utah, who heard testimony from Archuleta twice over the past two weeks, and other GOP lawmakers wrote President Barack Obama a letter requesting their removal. 

"We have lost confidence in Director Archuleta’s ability to secure OPM’s networks and protect the data of millions of Americans," they said in that letter. "We have also lost confidence in OPM CIO Donna Seymour’s ability to do the same. This country’s hard-working federal employees deserve better, and Americans with security clearances whose lives may now be at risk deserve better."

Archuleta’s Plan to Thwart Future Cyber Theft

1. Finish activating two-step ID checks -- All users will be required to login with a password and a smartcard by Aug. 1 (The OPM attackers busted through the agency's network using password data stolen from a contractor, according to officials.)

2. Expanding continuous monitoring -- There is a governmentwide mandate to deploy a regime of sensors, security analysts and other technology that can monitor network controls in near-real-time. OPM does not have a robust continuous monitoring operation, according to the agency's inspector general. OPM intends to speed rollout and order contractors to do the same, where feasible.

3. Ensuring permission to probe contractor systems -- OPM will write language into prospective contracts spelling out that the agency is allowed access to a contractor’s systems in the event of a cyber incident. (OPM claims background check provider USIS obstructed a federal inspection of the company's networks after a data breach was detected last year.)

4. Reviewing encryption of databases -- Wherever possible, the agency will render database records indecipherable to intruders. A review to determine which currently unencrypted databases can be converted will be completed by July 15. (Encryption would not have foiled the hackers, in this case, because they used the contractor's authorized credential to unlock the data copied.)

Tapping Outside Expertise

5. Hiring a cybersecurity adviser -- A private sector cyber expert will join the agency by Aug. 1. 

6. Consulting private sector technology and cyber experts --Archuleta is inviting industry chief information security officers who "experience their own significant cybersecurity challenges" to a workshop in the coming weeks to discuss future steps. 

7. Seeking more counsel from the inspector general -- Archuleta will meet with the inspector bi-weekly to obtain advice. (The two officials have been at odds over whether OPM’s systems comply with government security statutes.)

Upgrading Systems

8. Transitioning to a new IT setup -- OPM is overhauling the agency's IT environment to make it easier to apply the latest security controls. Once a new operating infrastructure has been developed, existing IT systems will be transitioned. Some OPM technology dates back to the 1980s and runs off esoteric programming language. 

9. Finalizing the budget and scope of the overhaul by the end of the fiscal year. 

10. Evaluating all contracting options -- Going forward, "OPM will conduct a thorough analysis on the most reasonable and appropriate course of action, and explore all available contracting avenues to determine the best option for the health of its modernization project and for the taxpayer." (A contractor hired, without an open competition, to help secure OPM’s systems was accused by a government watchdog this year of possibly misusing $135 million of taxpayer money after videos appeared to show its employees high on drugs and alcohol while working on a U.S. Army contract in Afghanistan, according to The Washington Post.)

11. Requesting additional congressional funding -- OPM will provide lawmakers with a list of IT enhancements that require more appropriations. 

Accountability

12. Assessing IT project performance -- Every month, Archuleta will meet with Seymour and the new cyber adviser to review IT efforts "to ensure continued progress and accountability."

13. Holding regular cyber awareness education sessions -- All employees and contractors handling sensitive information will undergo a refresher on cyber hygiene on a bi-annual basis.

14. Establishing protocols on incident response -- OPM will document standard operating procedures for partnering with other agencies in the event of a future incident. 

15. Complying with federal computer security laws -- OPM will hold system owners responsible for following the Federal Information Security Management Act. (The agency has had a history of struggling to comply with FISMA and has been running systems not authorized to operate, according to the IG.)

The Bejtlich Detect and Respond Approach

Phase 1: Compromise Assessment: Dispatch teams across government networks to hunt for intruders and, if possible, remove them. "I suspect the 'remove' part will be more than these teams can handle, given the scope of what I expect they will find," Bejtlich writes in a blog post. 

Phase 2: Improve Network Visibility: 

1. Fast-track the activation of EINSTEIN 3A, the latest version of a governmentwide intrusion detection and prevention system.Agencies are required to convert next year, according to the White House. "Waiting until the end of 2016 is not acceptable," Bejtlich says. "Equivalent technology should have been deployed in the late 1990s." 

2. Ensure the Department of Homeland Security has authority to centrally monitor all EINSTEIN sensors deployed governmentwide.Agencies should be given access to their own data, and there should be a dialogue among agencies and Homeland Security on who should be responsible for acting on EINSTEIN's findings. 

3. Hire enough DHS staff to analyze and act on EINSTEIN discoveries.

4. Make hunting and squashing malicious operations a coordinated, routine practice.

5. Collect metrics on the effectiveness of defensive operations and tailor future countermeasures based on lessons learned. 

Phase 3. Deploy continuous monitoring and reduce the number of access points to the public Internet

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.