Private Investigators Say Hacked and Bankrupt USIS Didn’t Shirk Security

The USIS building in Falls Church, Va. A cyber-attack similar to previous hacker intrusions from China penetrated computer networks for months at USIS, the government’s leading security clearance contractor. // J. Scott Applewhite/AP

A hacked background checker assailed for undercutting protections to boost its bottom line received high security marks from the government, even while the breach was ongoing, according to private forensics investigators retained by the company.

Contrary to assertions by the Office of Personnel Management and a top lawmaker, documents from security experts obtained by Nextgov indicate the firm, USIS, deployed appropriate defenses and was cooperative with government probes.

"USIS’ information security systems met or exceeded the requirements imposed by government customers, with OPM having specifically authorized the use of attacked systems and having reviewed and approved the USIS system security controls for those systems numerous times, most recently in May 2014, the month before USIS detected intruder activity," Bret Padres, managing director at computer forensics firm Stroz Friedberg, said in a September 2014 letter to USIS' attorneys.

USIS, which lost key government contracts after the incident, detected the hack itself June 5, 2014.

Before the cyber assault came to light, USIS had already been under suspicion for negligence. An ongoing $1 billion Justice Department lawsuit alleges the company defrauded the government by conducting incomplete background investigations.

At a House Oversight and Government Reform Committee hearing Wednesday, Rep. Elijah Cummings, D-Md., the committee’s ranking Democrat, prodded an OPM official to speculate on security expenses USIS might have been skirting.

Cummings also argued that USIS still has not answered written questions about the breach he submitted last November.

But a letter from the company's lawyers -- sent the following month -- does address some of his inquiries. Others were left unanswered, including an estimate of the total number of records compromised. Government investigators put 27,000 as a floor number, rather than a ceiling.  

There is a dispute over whether the government or USIS cut short a Department of Homeland Security scan of the company’s networks.

OPM contends USIS only let the DHS U.S. Computer Emergency Readiness Team inspect two subnetworks that were breached, not the entire network. The attorneys say the company "invited" DHS to review its systems.

“That review was, as US-CERT itself admitted, abbreviated and incomplete in scope," lawyers at Ropes & Gray LLP said in the letter to Cummings obtained by Nextgov. The letter does not explain why the audit was not finished.

Homeland Security officials declined to comment.

USIS officials referred to the two letters in response to questions.

USIS, whose parent company filed for bankruptcy in February, had been the government's largest private supplier of personnel background check services.

Could USIS Have Been Alerted Earlier?

USIS and OPM, one of its customers, were attacked by hackers around the same time in March 2014. A nation state, perhaps China, was believed to have been scouting for the personal files of security clearance holders in OPM’s systems, The New York Times revealed in July 2014.

OPM never informed USIS its own background investigation systems had been attacked, despite an OPM-USIS contract requirement to share cyber warnings, company attorneys say.  

Network protections shielded employee information at OPM. Hackers made greater headway at USIS -- exposing tens of thousands of sensitive records.

Both organizations were the victims of an "advanced persistent threat," or APT, cyber-speak for a nation-state sponsored attack that inches into a specific target's network over time and lingers until obtaining sought-after secrets.

USIS representatives say the company notified OPM on the day its hack was discovered and has continued to be more forthcoming than the government.

“Critical cyberattack defense information only flowed in one direction: from USIS to the government,” lawyers at Ropes & Gray LLP said in the letter. “Though the government had ample opportunity to reciprocate both before and after USIS self-detected the attack on systems supporting important government work, the company to this day has not received any meaningful assistance from the government in detecting, responding to or remediating the attack.”

Part of the reason USIS fell victim while OPM was able to thwart the attackers "comes down to culture and leadership,” OPM Chief Information Officer Donna Seymour said at Wednesday's hearing. “One of the things that we were able to do immediately at OPM was to recognize the problem. We were able to react to it by partnering with DHS and their partnering agencies to be able to put mitigations in place to better protect the information.”

However, Stroz investigators voiced similar praise for USIS' handling of the crisis last year.

"The USIS remediation efforts and re-doubled culture of security, are compelling and extraordinary," Padres wrote. "USIS has created a culture and infrastructure designed for the rapid detection, scope determination and remediation/mitigation of an APT or other means of cyberattack.”
