by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : October and November 2016
WHEN THE DATA BREACHES at the Office of Personnel Management were revealed in 2015, it took some time for people to come to terms with the damage that had been wrought. In the end, more than 20 million government employee and contractor records were compromised, and OPM executives lost their jobs. A report released Sept. 7 by the Republican majority staff of the House Oversight and Government Reform Committee claims that the loss of background inves- tigation information and fingerprint data “will harm counterintelligence efforts for at least a generation to come.” That’s unlikely to be the last word. The Democrats on the committee have al- ready rejected at least some parts of the report, claim- ing factual deficiencies and insufficient blame attached to federal contractors. OPM asserts the report doesn’t reflect how much progress it has made on security since the breaches were discovered. Nevertheless, the report is the most comprehensive official account to date of what happened at OPM, and it presents what could turn out to be a model forwhatnottodoanda template for how to design security to prevent future breaches. As far back as 2005, OPM’s inspector general warned that agency data was vulnerable to hackers. The risk was upgraded to a “significant deficiency” in 2014. Even as recently as November 2015, months af- ter the breach was revealed, the IG was still complaining that OPM was not meeting the requirements of the Federal Information Secu- rity Management Act. Furthermore, OPM used multifactor authentication for only a small fraction of its staff, despite a policy from the Office of Manage- ment and Budget issued several years before the breach. OPM also allowed key IT systems to operate without a security assess- ment and a valid authority to operate. The U.S. Computer Emergency Readiness Team notified OPM as early as March 2014 that someone was snatching data from its network. OPM then moni- tored the hacker for two months to get a better idea of the threat. Fair enough, except that by focusing on the first hacker, OPM missed another who, posing as a contractor, installed malware and created a backdoor. The agency even- tually tackled the threat posed by the first hacker, but the second hacker went unnoticed and remained in the system — and success- fully stole data. The agency used tools from Cylance but only after the breach caused by the second hacker was identi- fied — despite the fact that OPM’s security director had recommended using the Cylance tools way back in March 2014, after the dis- covery of the first hack. OPM, to its credit, seems to have hustled to repair both its security and its reputation. Acting Director Beth Cobert has listed a se- ries of steps the agency has taken, including imposing multifactor authentication for anyone accessing the agency’s network, shoring up the web-based systems used to gather information for employee background investigations, implement- ing the government’s continuous monitoring program and working with the Defense Department to construct a new IT infra- structure for background checks. Notably, OPM has also brought on a senior cybersecurity adviser who reports to OPM’s direc- tor and has centralized cybersecurity resources and responsibilities under a new chief information security officer. Those moves are as important as any security technology. As the House reports notes, the breaches at OPM represent “a failure of culture and leadership, not technology.” The secu- rity tools that could have prevented the breaches were available, but OPM officials failed to recognize their importance. The publication of the House report and its damn- ing details should lead to major reforms in how agen- cies tackle cybersecurity. If those reforms don’t come about after what is widely considered one of the big- gest security failures ever, then you have to wonder what it will take. • The final word on the OPM breach? BY BRIAN ROBINSON CYBEREYE A House report on the massive data breaches at OPM should lead to major reforms in how agencies tackle cybersecurity. 8 GCN OCTOBER/NOVEMBER 2016 • GCN.COM 1116gcn_008.indd 8 10/5/16 9:51 AM
August and September 2016
January and February 2017