Private Investigators Say Hacked and Bankrupt USIS Didn’t Shirk Security

A hacked background checker assailed for undercutting protections to boost its bottom line received high security marks from the government, even while the breach was ongoing, according to private forensics investigators retained by the company.

Contrary to assertions by the Office of Personnel Management and a top lawmaker, documents from security experts obtained by Nextgov indicate the firm, USIS, deployed appropriate defenses and was cooperative with government probes.

"USIS’ information security systems met or exceeded the requirements imposed by government customers, with OPM having specifically authorized the use of attacked systems and having reviewed and approved the USIS system security controls for those systems numerous times, most recently in May 2014, the month before USIS detected intruder activity," Bret Padres, managing director at computer forensics firm Stroz Friedberg, said in a September 2014 letter to USIS' attorneys.

USIS, which lost key government contracts after the incident, detected the hack itself June 5, 2014.

Before the cyber assault came to light, USIS had already been under suspicion for negligence. An ongoing $1 billion Justice Department lawsuit alleges the company defrauded the government by conducting incomplete background investigations.

At a House Oversight and Government Reform Committee hearing Wednesday, Rep. Elijah Cummings, D-Md., the committee’s ranking Democrat, prodded an OPM official to speculate on security expenses USIS might have been skirting.

Cummings also argued that USIS has still has not answered written questions about the breach he submitted last November.

But a letter from the company's lawyers -- sent the following month -- does address some of his inquiries. Others were left unanswered, including an estimate of the total number of records compromised. Government investigators put 27,000 as a floor number, rather than a ceiling.  

There is a dispute over whether the government or USIS cut short a Department of Homeland Security scan of the company’s networks.

OPM contends USIS only let the DHS U.S. Computer Emergency Readiness Team inspect two subnetworks that were breached, not the entire network. The attorneys say the company "invited" DHS to review its systems.

“That review was, as US-CERT itself admitted, abbreviated and incomplete in scope," lawyers at Ropes & Gray LLP said in the letter to Cummings obtained by Nextgov. The letter does not explain why the audit was not finished.

Homeland Security officials declined to comment.

USIS officials referred to the two letters in response to questions.

USIS, whose parent company filed for bankruptcy in February, had been the government's largest private supplier of personnel background check services.

Could USIS Have Been Alerted Earlier?

USIS and OPM, one of its customers, were attacked by hackers around the same time in March 2014. A nation state, perhaps China, was believed to have been scouting for the personal files of security clearance holders in OPM’s systems, The New York Times revealed in July 2014.

OPM never informed USIS its own background investigation systems had been attacked, despite an OPM-USIS contract requirement to share cyber warnings, company attorneys say.  

Network protections shielded employee information at OPM. Hackers made greater headway at USIS -- exposing tens of thousands of sensitive records.

Both organizations were the victims of an "advanced persistent threat," or APT, cyber-speak for a nation-state sponsored attack that inches into a specific target's network over time and lingers until obtaining sought-after secrets.

USIS representatives say the company notified OPM on the day its hack was discovered and has continued to be more forthcoming than the government.

“Critical cyberattack defense information only flowed in one direction: from USIS to the government,” lawyers at Ropes & Gray LLP said in the letter. “Though the government had ample opportunity to reciprocate both before and after USIS self-detected the attack on systems supporting important government work, the company to this day has not received any meaningful assistance from the government in detecting, responding to or remediating the attack.”

Part of the reason USIS fell victim while OPM was able to thwart the attackers partly "comes down to culture and leadership,” OPM Chief Information Officer Donna Seymour said at Wednesday's hearing. “One of the things that we were able to do immediately at OPM was to recognize the problem. We were able to react to it by partnering with DHS and their partnering agencies to be able to put mitigations in place to better protect the information.”

However, Stroz investigators voiced similar praise for USIS' handling of the crisis last year.

"The USIS remediation efforts and re-doubled culture of security, are compelling and extraordinary," Padres wrote. "USIS has created a culture and infrastructure designed for the rapid detection, scope determination and remediation/mitigation of an APT or other means of cyberattack.”