After suffering one of the biggest hacks in federal history, the U.S. government is sprinting to require a wide range of cybersecurity improvement across agencies in order to better secure troves of sensitive government data against constant cyberattacks.
The added security measures include two-factor authentication and encryption. The calls for change comes as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to ban strong encryption—the best defense against data breaches—for use by civilians even as American companies and individuals are targets in vast and numerous cyberattacks all the time.
Comey wants to add backdoors to encryption that independent experts say would fundamentally weaken it and open the encryption to attack by hackers who would enter through that same backdoor.
The FBI’s ideas on encryption would “weaken our infrastructure,” Matthew Blaze, a professor of information science at the University of Pennsylvania, said in a hearing earlier this year. “The ultimate beneficiaries are criminals and rival nation states.”
Politicians pushed agencies across the federal government to use encryption for all sensitive data during a hearing on Tuesday by the House Committee on Oversight and Government Reform. This basic security measure was not implemented by the Office of Personnel Management (OPM) when it suffered a recent cyberattack exposing the personal information of millions of federal employees.
The OPM hack “may have been the most devastating cyberattack in our nation’s history,” House Oversight Chairman Jason Chaffetz (R-Utah) said during the hearing.
“Why wasn’t the information encrypted?” Rep. Elijah Cummings (D-Md.) asked. “Data masking, redaction, encryption must become the norm rather than the exception.”
Encryption is not a new topic for the the committee. Earlier this year, the same committee slammed the FBI’s plan to weaken encryption as “stupid.”
Katherine Archuleta, who has served as director of the OPM for 18 months, said that the agency “promotes encryption,” but she added that encryption is “not feasible” for old systems and noted that attackers could potentially decrypt data if they found the keys.
Last year, the agency’s inspector general recommended OPM’s entire network should be shut down because it was so profoundly insecure. Archuleta declined to shut the network down.
OPM announced that it had been hacked on June 4, affecting 4.2 million federal employees whose personal information had been compromised. The breach was first discovered in April when CyTech, a Virginia security firm, was giving a sales pitch to OPM and detected the months-old malware. Since then, the scope of the attack has only grown.
Weeks after the first announcement and months since the first infection, it’s clear that the full extent of the attack is still unknown to the OPM. It could ultimately affect over 14 million people.
“We’re about the hear, ‘Hey, we’re doing a great job!’ You’re not. It’s failing,” said Chaffetz. “For any agency to disregard its data security for so long is grossly negligent.”
Chaffetz to OPM director on protecting employee data: "You have completely and utterly failed if that was your mission."
— Dennis (@DennisF) June 16, 2015
Archuleta responded to that criticism by insisting that the agency “has undertaken an aggressive effort to update its cybersecurity posture” over the last year to combat the over “10 million confirmed intrusion attempts targeting our network every month. The agency’s 2016 budget request includes an additional $21 million to upgrade OPM’s IT infrastructure.
It was exactly this “aggressive effort” to upgrade the agency’s security that found the data breach in question, according to Archuleta. Since then, additional security measures are being implemented, such as stronger encryption of sensitive data.
The hearing was often tense, with committee members regularly raising their voices in frustration. Chaffetz was unimpressed from the outset.
“This has been going on for years, and it’s inexcusable,” he argued. “According to the last eight years of inspector general reports, OPM’s security posture was akin to leaving all the doors and windows open in your house and expecting no one would come in. How wrong they were.”
Chaffetz read back nearly a decade of official reports criticizing OPM’s cybersecurity that called out a “material weakness” in the agency’s security program every single year. Issues included fundamentals, like the lack of maintaining an inventory of servers and data, as well as the lack of required two-factor authentication despite federal memorandums.
“They didn’t even know what they had!” Chaffetz said.
#OPMhack – The answers to every interesting question are getting deferred to the classified briefing.
— Sandy Clark (@sa3nder) June 16, 2015
OPM boasts a “long history of systemic failures,” according to Michael Esser, the assistant inspector general at OPM. The inspector general directed eight years of criticism in official reports at OPM for profound security weaknesses.
You can read Esser’s full testimony here.
“For example, we were told in an interview that OPM performs monthly vulnerability scans on all computer servers using its automated scanning tools,” Esser said. “While we confirmed that OPM does indeed own these tools and that regular scan activity was occurring, our audit also determined that some of the scans were not working correctly because some of the tools did not have proper credentials, and that some servers were not scanned at all.”
The bleak past of OPM and other federal agencies may soon make way for a brighter, more secure future.
The U.S. Department of Homeland Security (DHS) is rolling out new versions of the federal government’s banner cybersecurity software known as Einstein. By the end of the year, version 3.0 will cover 97 percent of federal agencies, Andy Ozment, the DHS assistant secretary of cybersecurity and communications, told lawmakers.
The government is now paying for underinvestment in security for the past 20 years, Ozment said.
Tony Scott, the chief information officer from the U.S. Office of Management and Budget, launched a “30-day cybersecurity sprint” last week to patch critical vulnerabilities, plan new defenses around the federal government, tighten existing security policies for privileged users, and “dramatically accelerate implementation of multi-factor authentication.”
Photo via kileencody/Flickr (CC BY ND 2.0)