Earlier this year, red-team hackers at the Homeland Security Department, tasked with purposefully probing weak spots in agency security, ran into an unexpected problem at the Office of Personnel Management.
The security of the notoriously hacked agency was actually too strong.
The DHS team had set out to infiltrate OPM’s networks to execute a phishing attempt -- that is, to entice employees into clicking on insecure links or downloading bogus attachments.
"They really were having a problem doing phishing attacks on us," said Clifton Triplett, OPM's senior cybersecurity adviser and one of the new hires the agency brought on board last year to deal with the fallout of the massive security clearance hack. "They couldn't get in the door."
That’s a far cry from a year ago when OPM announced hackers had surreptitiously broken into the agency’s networks going back years, and copied massive amounts of data, including sensitive background information on national security workers -- all unbeknownst to OPM IT officials.
The hack, which exposed personal information on more than 21.5 million federal employees, retirees and contractors, initiated a “major cultural change” at the agency, Triplett said today during a presentation at a Washington, D.C., event on cybersecurity sponsored by FCW.
Triplett used OPM’s upcoming “unfortunate anniversary” to discuss the agency’s security posture in the year since the big breach was announced.
Once OPM and DHS had worked out how to get the penetration testers' phishing messages into OPM's network, fewer employees clicked on them than in earlier tests, a drop Triplett attributed to increased employee training.
"We had raised the cultural awareness of cybersecurity," he said. DHS didn't provide OPM with specific test results, Triplett said. "But I can guarantee we're top decile on our phishing performance." He predicted at least an 80 percent performance improvement over the last phishing test six months ago.
Among the other steps OPM has taken, according to Triplett:
- Reducing the number of privileged users on its network
- Mandating the use of personal identity verification (PIV) cards to access agency networks for 100 percent of users. (The agency is now working on extending two-factor authentication to access to individual applications, which PIV network logon does not by itself cover.)
- Initiating a new rapid-action plan for responding to cyberincidents.
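The first two measures on that list are only as good as the ability to measure them. The following script is an added example, not code from the article or from OPM, of how a Windows-domain administrator could audit both: which enabled accounts can still log on with a password alone, and how many distinct users sit in the high-privilege groups. It assumes an Active Directory domain, the RSAT ActiveDirectory PowerShell module, and the default built-in group names; the output file names are placeholders.

```powershell
# Added example (not from the article or from OPM): audit progress toward the
# PIV mandate and the privileged-user reduction described above.
# Assumptions: Active Directory domain, RSAT ActiveDirectory module installed,
# default built-in group names; CSV paths are placeholders.
Import-Module ActiveDirectory

# 1. PIV mandate: every enabled account should require smart-card logon.
#    An account with SmartcardLogonRequired = $false still accepts a password,
#    so it is exactly the account a phished credential would unlock.
$noPiv = Get-ADUser -Filter { Enabled -eq $true -and SmartcardLogonRequired -eq $false } `
    -Properties SmartcardLogonRequired, LastLogonDate |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate

$enabledTotal = @(Get-ADUser -Filter { Enabled -eq $true }).Count
$covered = $enabledTotal - @($noPiv).Count
Write-Host ("PIV coverage: {0} of {1} enabled accounts require smart-card logon" -f $covered, $enabledTotal)
$noPiv | Export-Csv -Path .\accounts-without-piv.csv -NoTypeInformation

# 2. Privileged-user reduction: expand nested membership of the built-in
#    high-privilege groups so the distinct head count can be tracked over time.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$priv = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName } }
}
$distinctPriv = @($priv | Select-Object -ExpandProperty Member -Unique)
Write-Host ("Distinct privileged users: {0}" -f $distinctPriv.Count)
$priv | Sort-Object Group, Member | Export-Csv -Path .\privileged-users.csv -NoTypeInformation
```

Two caveats a practitioner would add: service accounts and accounts used by non-Windows applications often cannot take the smart-card flag, which is why the application-level two-factor work the article mentions is a separate effort; and the privileged-user count should include delegated rights (ACLs, group policy, local administrator membership on servers), which this domain-group query does not see.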
Congress last year provided the agency with an extra $21 million to make emergency IT security upgrades to its network. OPM is seeking a total of $37 million in next year's budget to make continued improvements to its technology infrastructure.
"We're a wonderful poster child of how bad it can be if you don't do the right thing," Triplett said, adding that many agencies are now asking themselves, "Do you want to be the next OPM?"
A key part of OPM’s long-term response is the Continuous Diagnostics and Mitigation program, a contracting vehicle managed by DHS that offers agencies a full suite of tools and sensors to scan for and respond to threats on their networks.
The government has begun purchasing tools under the second phase of the program, which focuses on who is on the network: managing accounts, credentials, privileges and authentication, so that logins are better controlled.
In the wake of the OPM hack, DHS announced it would accelerate deployment of the second phase, aiming to provide the full suite of new capabilities by the end of fiscal 2016.
Triplett said OPM itself would beat the deadline for deploying phase 2 capabilities within the agency by a couple of months.
In the year since the breach first came to light, the agency has also been rocked by personnel changes. Last summer, then-OPM Director Katherine Archuleta resigned after fierce criticism on Capitol Hill over her handling of the hack. Several months later, the agency’s former chief information officer, Donna Seymour, stepped down amid mounting pressure from Republican lawmakers.
Triplett’s message to IT officials at other agencies?
"This is now a well-known problem, and we should be addressing it," he said. "We don't have the excuse that we didn't know there was a threat out there or that this has happened. A year has passed since our breach ... The good times are over. You can't use that as an excuse, and neither can your management team."