Whose Job Is On the Line After the OPM Hack?

wk1003mike/Shutterstock.com

With no single agency responsible for incident response, it's hard to hold anyone accountable for security lapses, former feds say.

With no one agency coordinating the response to a network assault at the Office of Personnel Management, there are questions about who is liable for security lapses that ultimately laid bare private details on current and past federal employees.

The lack of a point person also complicates public outreach and crisis control, former government officials say. 

The response to the OPM breach is an interagency effort, according to officials at the Department of Homeland Security, the FBI and the White House National Security Council. 

John Dickson, a principal at cyber consulting firm Denim Group and a former Air Force intelligence officer, said, "When I hear, 'It’s an interagency problem,' I suspect there is distributed responsibility, and hence, no one accountable.”

There is not a policy yet that specifies who takes charge when a significant government data breach is detected, even as reports of agency hacks mount.

In the past year alone, there have been breaches at the White House, Postal Service and State Department, as well as an earlier March 2014 intrusion at OPM. 

It is unclear whether any senior official has been removed from a position as a result of one of these incidents.

The latest OPM break-in is believed to be the handicraft of Chinese hackers. Foreign intelligence agents holding records on more than 4 million civilian agency and military personnel can piece together, among other things, dossiers on potential assets or targets, security experts say.

"Should there be a formalized interagency process for these sorts of investigations?" questioned Frank Cilluffo, director of the George Washington University Center for Cyber and Homeland Security. “That is something that is worth examining, because we do have different entities that would oversee counterterrorism, both foreign and domestic, and maybe there is something similar needed in the cyber domain." 

Agencies Vie for Control Over Securing US Networks

There are many agencies vying for control over the defense of critical U.S. infrastructure networks, including DHS, FBI, and the Pentagon's U.S. Cyber Command, which also encompasses the National Security Agency. Even the Treasury Department has a role, under an April executive order that empowers the department to levy financial sanctions against hackers. 

SY Lee, a spokesman for DHS, which supervises the U.S. Computer Emergency Readiness Team, said in a statement that, "Working with the affected agency and other interagency partners, US-CERT cyber incident response teams were deployed to identify the scope of the potential intrusion and mitigate any risks identified," after malware was found in April. A sales team with Virginia-based CyTech Services reportedly found the poisonous code during a product pitch, while demonstrating to OPM a tool that diagnoses suspicious activity on networks.

FBI spokesman Josh Campbell said in an email the bureau "is working in concert with our interagency partners to investigate this matter," adding that the FBI response "includes unified mitigation and remediation efforts in order to protect system infrastructure, as well as a criminal investigation” to identify and bring to justice the perpetrator.

The Defense Department has its own separate chain of command for probing malicious behavior on military networks. 

Piecemeal mandates for cyber investigative tasks are found in laws such as the Federal Information Security Management Act, which deputizes DHS and department chief information officers. 

In reality, the FBI likely is the lead on this case because of its foreign counterintelligence and criminal investigation duties, said Cilluffo, who served as special assistant to the president for homeland security during the George W. Bush administration. 

The fragmented response interferes with decision-making during an emergency, Dickson said. 

"When you experience a breach, or any crisis for that matter, you have to quickly consolidate decision-making authority given the need to move quickly and in order to respond to external events or media," he said. "This is where top-down decision-making actually works, and is preferred, preventing a vacuum from occurring and always being on the media defensive."

Lee, the DHS spokesman, said that generally, though not in this instance, Homeland Security takes control over "coordinating the national response to significant cybersecurity incidents and providing incident response assistance to impacted agencies."

The FBI's Campbell said the bureau "will continue to work in close cooperation using a whole of government approach to secure our nation’s infrastructure and disrupt the efforts of cybercriminals." 

Experts: White House Likely Calling Shots

The Pentagon is expected to play a supporting role in addressing federal agency hacks, security experts say. 

“Because hacking and data theft, even if it amounts to espionage by a nation-state, is generally not considered a use of force under international law, it is unlikely that this would be something for which CYBERCOM or any other military organization would take the lead," said retired Air Force Maj. Gen. Charles Dunlap, executive director of Duke University's Center on Law, Ethics and National Security.

Still, assistance from across the government, including the Pentagon, will likely be pulled in, he said.  

Why does no one know who is in charge?  

"Lots of agencies [are] saying ,'this is our sandbox,'" said Herb Lin, senior researcher on cyber policy at Stanford University. "It would be good to have a clear and public mechanism that specifies the process through which the [U.S. government] intends to respond to such events. But I haven’t seen a comprehensive policy articulated yet."

Some officials anticipate each agency involved in the process will be reporting back to the White House National Security Council. 

"This is not a garden-variety incident, so the White House is going to want to be kept up to date," said Alan Raul, head of Sidley Austin's privacy, data security and information law practice and a former White House Office of Management and Budget general counsel. 

NSC officials referred to the FBI and DHS statements when asked about their role in the response. 

(Image via wk1003mike/ Shutterstock.com)

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.