A “comprehensive governing policy”for cybersecurity at the agency would have proactively controlled system access and mandated regular patches and upgrades.
Before falling victim to the massive breach of federal employee records announced last month, the Office of Personnel Management’s inspector general had repeatedly raised red flags about the agency’s outdated security practices. OPM stored most of its data on uncertified systems and failed to implement multifactor authentication on any of its systems, which would have made it more difficult for hackers access sensitive data.
But the “greatest failure” at OPM? That would be the lack of a “comprehensive governing policy” for cybersecurity at the agency that would have proactively controlled system access and mandated regular patches and upgrades.
That’s according to the Institute for Critical Infrastructure Technology, which published an analysis last week of the OPM hack. Members of the nonprofit say they plan to circulate the 29-page brief, titled “Handing Over the Keys to the Castle: OPM Demonstrated that Antiquated Security Practices Harm National Security,” on Capitol Hill and among federal chief information officers.
The OPM breach has been the subject of extensive media coverage, painstakingly describing every detail of the agency’s inadequacies, proposing mitigation options and attempting to pin down responsibility, according to the brief.
However, "very little focus has been dedicated to learning from this calamitous event and proactively utilizing that information to prevent such occurrences in the future,” the study stated.
OPM is far from the only agency that has struggled to remediate well-known cybersecurity gaps called out by auditors, according to the report. For example, the Department of Veterans Affairs has 6,000 outstanding security risks, and the Transportation Department doesn’t have sufficient system level controls.
“The single most significant recommendation that agencies like OPM could heed is to actually listen to the advice of the inspector general and do everything within their power to meet or exceed regulatory measures,” the report stated.
Another key takeaway?
Cyberthreats are advancing far faster than the aging security model -- known as defense-in-depth -- agencies rely on.
So-called advanced persistent threats increasingly tailor sophisticated intrusions to specific victims or organizations.
“Novel malware can bypass detection, avoid run-time analysis and prevent post-incident traces in a number of ways undetectable to current defense-in-depth norms,” the report stated.
The report added, “it is as effective as trying to stop a laser pointer with a chain link fence."
Relying only on antiquated cyber defense systems, such as firewalls and antivirus programs, should be replaced by more innovative programs that can adapt and respond to the specific situation at hand.
The brief recommended agency cyber personnel institute a user behavioral analytics system, which creates a baseline profile of a user and detects and reports anomalous behavior.
Some of the measures agencies need to take now are not all that high tech.
“Training remains the easiest and best strategy to mitigate adverse effects of the OPM breach such as insider threats, spear phishing emails, social engineering or future breaches,” the report stated.
Although President Barack Obama recently called for a 30-day sprint to improve governmentwide cybersecurity performance, it seems unlikely agencies can solve in a month a problem that’s been festering below the radar for years.
“Without a sudden, significant influx of funding, most agencies cannot accomplish much within this time constraint,” the report stated.
(Image via lolloj/ Shutterstock.com)