A system separated from the Internet, like those that safeguard classified military data, is not practical for security clearance data, an Office of Personnel Management official said Thursday.
"Air-gapped" computers are used by defense organizations, nuclear power plants and other environments that require the tightest security.
But a federal human resources department mandated to share information inside and outside government cannot isolate databases from the Internet, says Jeff Wagner, director of security operations, at OPM, the agency responsible for the hacked records.
Nextgov caught up with Wagner at an 1105 Media cybersecurity event in Washington on Thursday.
"There's no way" to cut off the systems from the Internet, he said. "OPM is the HR for the federal government, so everything I do, I have to send to the Social Security Administration, I have to send to IRS."
OPM serves as the central hub for coordinating background checks on would-be clearance holders.
After the theft of 21.5 million records on security clearance applicants and their families, some lawmakers have raised questions about the agency’s suitability for that role.
Wagner said, “even clearance data” must be online, because the only other option is to shuffle paper folders. That move could grind to a halt payroll, as well as a backlog of applicants for security clearances to handle classified material.
"Congress would be livid if they found out that I had been paying somebody that'd been dead for 15 years," Wagner said.
To reach OPM’s sensitive data, Internet users now must bypass multiple identity checks and segmented systems, Wagner said.
"Databases connect to application servers, application servers connect to proxy servers, proxy servers connect to the Internet, so no data connects to the Internet," he said. But "is data available to public users? Yeah, I have to give you your data."
Like Macy’s Banning Customers to Keep out Shoplifters
If OPM is offline, “now I have to mail paper records all over the country or world,” Wagner said. The agency actually did have to revert to paper recently. The system for submitting background forms, e-QIP, was unplugged for nearly a month, to patch a security vulnerability.
During a presentation at Thursday’s event, Wagner compared disconnecting his agency’s systems to keep out hackers, to closing a retail shop to keep out thieves.
"To put the complexity of the OPM situation in perspective: To prevent everything from happening would be like Macy's saying, 'In order to get rid of shoplifting, we stop inviting shoppers into the store,'" he said. "The federal government is a public entity."
The OPM hackers allegedly stole a background check contractor's password to enter the agency's network. By fall 2017, all federal ID holders will need to use two-factor authentication -- requiring a password and a smartcard – for logging on to OPM systems.
The Department of Homeland Security's top cyber incident responder, at a Nextgov summit last month, said air gapping carries the danger of disrupting agency operations.
"There's always the risk decision of, how do I enable the business functionality of the system" and find a way to "protect those high-value assets," said Ann Barron-DiCamillo, director of the DHS U.S. Computer Emergency Readiness Team. The "most stringent" option is to take it offline, while another option would be to allow access on certain machines that never touch the Internet or email.
‘Air Gapping’ Not Hacker Proof
Even nuke plants are not all air gapped.
Today, many off-site vendors need access to monitor systems, while remote equipment manufactures want to troubleshoot devices for problems. The use of air gaps "is declining at nuclear facilities, which opens up new vulnerabilities for cyberattack," warns Chatham House researcher Caroline Baylon, lead author of an Oct. 5 report on cybersecurity in civilian nuke environments. Plant operators "find it too slow and cumbersome to download the data onto a USB drive which is then sent to those who need it."
Air-gapped systems are not hacker proof, either, as proved by the Stuxnet worm. Malicious code injected through a flash drive allegedly commandeered the industrial control system running an Iranian plant's centrifuges to sabotage the machinery.
Separately, in a demonstration by Ben Gurion University researchers, a command from one computer to an adjacent air-gapped machine hijacked a missile-launch toy that was under the air-gapped system's control. Via what attack vector? Heat, of course.
"The technique works a bit like Morse code, with the transmitting system using controlled increases of heat to communicate with the receiving system, which uses its built-in thermal sensors to then detect the temperature changes and translate them into a binary '1' or '0,'" Wired explains.