Post-Megabreaches, Feds Should Focus on Third Party Risk

Jacob Olcott, former legal adviser to the Senate Commerce Committee, counsel to the House of Representatives Homeland Security Committee, is currently vice president of business development for BitSight.

Since the recent breach of the Office of Personnel Management, there has been a lot of confusion about how and why the breach occurred. Years of independent reports suggested a large breach was inevitable; OPM’s infrastructure has been criticized for being antiquated and vulnerable; and best practices like two-factor authentication and encryption were not routinely used.  

While all of these critiques may be warranted, a critical factor in last month’s breach is the insecurity of the OPM supply chain. Months -- and even years before the breach -- organizations deeply embedded in OPM’s cyber ecosystem were vulnerable and experienced significant data breaches that should have sounded alarms.

USIS

In July 2014, OPM investigated a breach discovered on its networks. A month later, USIS, a background provider for the government, was breached through a vulnerability exploited in an ERP software package. Shortly thereafter, OPM suspended work with USIS. While an OPM spokesman did not say this suspension was a result of the USIS breach, many believe the two events are directly correlated.

What is most concerning is that in May 2014, OPM IT staff conducted a review of USIS security and found its systems “met or exceeded” government requirements given to other government customers.

While this review may be have been accurate at the time, it was conducted one month before the USIS breach. In an age where new threats emerge every single day, a month is a great amount of time for an adversary to compromise networks. Since USIS was the biggest provider of background checks at the time, greater scrutiny should have been given.

KeyPoint Government Solutions

OPM Director Katherine Archuleta recently disclosed that in the latest breach, KeyPoint credentials were used to compromise the OPM’s database. KeyPoint suffered its own breach in December 2014, shortly after it replaced USIS as the largest provider of background checks for OPM. Roughly 48,000 records on DHS employees were stolen as a result of this breach.

As a result of the latest breach, KeyPoint is now being accused of negligence in a lawsuit filed by the American Federation of Government Employees. Guilty or not, OPM continued using KeyPoint services for well over a year despite the comapny’s widely known vulnerabilities.

Interior Department

Much of the data stolen from the breach was hosted on Interior Department servers. While malicious activity was first detected in April 2015, these networks were reportedly first compromised in October 2014. What measures were in place for OPM to monitor its data located on third-party servers? What assurances did OPM have that DOI was implementing strong security practices on its infrastructure? Had OPM been frequently monitoring this data center (or DOI networks for that matter), it is possible this incident could have been identified and addressed much earlier in the process.

Moving Forward

Following the June 2015 breach of the OPM, federal Chief Information Officer Tony Scott launched a “30-day Cybersecurity Sprint.” This initiative instructs federal agencies to take a number of steps, including: immediate action to patch vulnerabilities scanned by the DHS each week, tightened policies for privileged users, and greater use of multifactor authentication.

However, the sprint makes no mention about expanding these initiatives for third parties or vendors.

Some departments and agencies within the government have started focusing some efforts on enhancing third-party risk management. NIST recently published Supply Chain Risk Management guidance for federal agencies; DHS and DOD have announced changes in contractual language requiring contractors to notify the departments of security incidents affecting government data. But given the critical risk third parties pose to the government, greater focus and attention is clearly required.

As departments and agencies update their IT infrastructure, use third-party business associates (like contractors, vendors and other third parties), and strengthen IT security management, they will also need to enhance their vendor risk management initiatives. Focusing on continuous monitoring of third parties, and reducing reliance on paper-based risk assessment and onsite visits to vendors, is essential. These efforts will help address some of the root causes for the megabreaches the government has recently experienced.

(Image via Eugene Sergeev/ Shutterstock.com)