Whose Job Is On the Line After the OPM Hack?


With no single agency responsible for incident response, it's hard to hold anyone accountable for security lapses, former feds say.

With no one agency coordinating the response to a network assault at the Office of Personnel Management, there are questions about who is liable for security lapses that ultimately laid bare private details on current and past federal employees.

The lack of a point person also complicates public outreach and crisis control, former government officials say. 

The response to the OPM breach is an interagency effort, according to officials at the Department of Homeland Security, the FBI and the White House National Security Council. 

John Dickson, a principal at cyber consulting firm Denim Group and a former Air Force intelligence officer, said, "When I hear, 'It’s an interagency problem,' I suspect there is distributed responsibility, and hence, no one accountable.”

There is not a policy yet that specifies who takes charge when a significant government data breach is detected, even as reports of agency hacks mount.

In the past year alone, there have been breaches at the White House, Postal Service and State Department, as well as an earlier March 2014 intrusion at OPM. 

It is unclear whether any senior official has been removed from a position as a result of one of these incidents.

The latest OPM break-in is believed to be the handicraft of Chinese hackers. Foreign intelligence agents holding records on more than 4 million civilian agency and military personnel can piece together, among other things, dossiers on potential assets or targets, security experts say.

"Should there be a formalized interagency process for these sorts of investigations?" questioned Frank Cilluffo, director of the George Washington University Center for Cyber and Homeland Security. “That is something that is worth examining, because we do have different entities that would oversee counterterrorism, both foreign and domestic, and maybe there is something similar needed in the cyber domain." 

Agencies Vie for Control Over Securing US Networks

There are many agencies vying for control over the defense of critical U.S. infrastructure networks, including DHS, FBI, and the Pentagon's U.S. Cyber Command, which also encompasses the National Security Agency. Even the Treasury Department has a role, under an April executive order that empowers the department to levy financial sanctions against hackers. 

SY Lee, a spokesman for DHS, which supervises the U.S. Computer Emergency Readiness Team, said in a statement that, "Working with the affected agency and other interagency partners, US-CERT cyber incident response teams were deployed to identify the scope of the potential intrusion and mitigate any risks identified," after malware was found in April. A sales team with Virginia-based CyTech Services reportedly found the poisonous code during a product pitch, while demonstrating to OPM a tool that diagnoses suspicious activity on networks.

FBI spokesman Josh Campbell said in an email the bureau "is working in concert with our interagency partners to investigate this matter," adding that the FBI response "includes unified mitigation and remediation efforts in order to protect system infrastructure, as well as a criminal investigation” to identify and bring to justice the perpetrator.

The Defense Department has its own separate chain of command for probing malicious behavior on military networks. 

Piecemeal mandates for cyber investigative tasks are found in laws such as the Federal Information Security Management Act, which deputizes DHS and department chief information officers. 

In reality, the FBI likely is the lead on this case because of its foreign counterintelligence and criminal investigation duties, said Cilluffo, who served as special assistant to the president for homeland security during the George W. Bush administration. 

The fragmented response interferes with decision-making during an emergency, Dickson said. 

"When you experience a breach, or any crisis for that matter, you have to quickly consolidate decision-making authority given the need to move quickly and in order to respond to external events or media," he said. "This is where top-down decision-making actually works, and is preferred, preventing a vacuum from occurring and always being on the media defensive."

Lee, the DHS spokesman, said that generally, though not in this instance, Homeland Security takes control over "coordinating the national response to significant cybersecurity incidents and providing incident response assistance to impacted agencies."

The FBI's Campbell said the bureau "will continue to work in close cooperation using a whole of government approach to secure our nation’s infrastructure and disrupt the efforts of cybercriminals." 

Experts: White House Likely Calling Shots

The Pentagon is expected to play a supporting role in addressing federal agency hacks, security experts say. 

“Because hacking and data theft, even if it amounts to espionage by a nation-state, is generally not considered a use of force under international law, it is unlikely that this would be something for which CYBERCOM or any other military organization would take the lead," said retired Air Force Maj. Gen. Charles Dunlap, executive director of Duke University's Center on Law, Ethics and National Security.

Still, assistance from across the government, including the Pentagon, will likely be pulled in, he said.  

Why does no one know who is in charge?  

"Lots of agencies [are] saying ,'this is our sandbox,'" said Herb Lin, senior researcher on cyber policy at Stanford University. "It would be good to have a clear and public mechanism that specifies the process through which the [U.S. government] intends to respond to such events. But I haven’t seen a comprehensive policy articulated yet."

Some officials anticipate each agency involved in the process will be reporting back to the White House National Security Council. 

"This is not a garden-variety incident, so the White House is going to want to be kept up to date," said Alan Raul, head of Sidley Austin's privacy, data security and information law practice and a former White House Office of Management and Budget general counsel. 

NSC officials referred to the FBI and DHS statements when asked about their role in the response. 

(Image via wk1003mike/ Shutterstock.com)