The Office of Personnel Management (OPM) data breach takes cyberattacks against the United States to a new level. The motivation of the cybercriminals responsible for the OPM breach was not financial or hacktivism, but purely intelligence gathering. For context, the OPM is responsible for conducting security clearance investigations for many federal agencies, and this data, commonly submitted on an SF-86 form, was part of the data obtained in the breach.
As someone who has completed an SF-86 a few times and will most likely be a victim of this breach, I understand the implications of the data stolen. Employees who conduct some of the government’s most sensitive work were among those targeted in this attack, putting the government, the employees, and their families at risk. Identity theft, although a significant concern, may be the least of the problems resulting from this cyberattack. Imagine the type of database our adversaries can create with data like this and the type of link analysis that can be completed. They could potentially create a roadmap for federal employees and contractors with security clearances: where they work, where they live, what they do, who they are related to, and more.
Every minor detail of a person’s life is documented in an SF-86. For those employees who have worked for the government for years, the amount of personal information and damage increases exponentially. A Top Secret security clearance must be reinvestigated every 5 years and a Secret clearance every 10 years. These investigations include financial reports, criminal history, family history, previous employment, interviews, and even polygraph results.
Like so many other federal agencies, OPM lacked the necessary security controls to prevent and quickly detect a breach of this nature. Relying on old technology, not patching known vulnerabilities, a lack of multi-factor authentication, and focusing more on signature-based tools rather than behavioral analysis are just some of the failures that the Inspector General (IG) warned of in years’ worth of failed audits.
As someone who works in the federal cybersecurity space, I understand that an audit conducted by the IG or another external party does not always add much value. With that said, the audit reports I have seen so far were mostly focused on basic IT and security measures that should have been implemented. Even without a huge security budget, many tools and procedures can be put in place to significantly improve the security posture of an organization.
After watching the entire OPM testimony to the House Oversight Committee, I created a small clip that shows the director of OPM getting grilled by the committee chair. Clearly this was not an enjoyable experience for the chair. Anyone who is in a position of authority over IT or cyber, or has budget input into these organizations, should watch the clip below:
For the full testimony, see the video here: