It is shocking enough that the federal Office of Personnel Management has failed annual audits of the security of its computer systems since at least 2011. But the recent news that Chinese hackers have stolen the personal histories of millions of present and former federal employees and contractors has rightly raised bipartisan anger on Capitol Hill. The breach raises ongoing national security questions.
But even more shocking is that OPM’s failures weren’t critical to the cyber breach, because the hackers got into the files with a stolen password, probably taken from an OPM employee or from others authorized to access the files.
The OPM, astonishingly, did not consider the agency’s files important enough to require multiple passwords.
That was the testimony of the Department of Homeland Security’s top cyber security expert on Tuesday before the House Oversight and Government Reform Committee. Dr. Andy Ozment, assistant DHS secretary for Cyber Security, said encryption would “not have helped in this case” because the attackers had acquired user credentials to the systems.
Nevertheless, the sloppy nature of the OPM security controls apparently prevented the agency from discovering the intrusion for months. It was identified, according to reports, by a vendor of computer security systems while demonstrating his company’s product.
Dr. Ozment told the committee that DHS has studied the new type of malware planted on the OPM’s computers and has added it to its government-wide cyber security system, which is rather pretentiously named Einstein. There are Einstein versions 1, 2 and 3; the latest, version 3, has been upgraded to reflect the OPM breach, he said.
Meanwhile OPM’s director and chief information officer told Congress that many of its computer systems are 20 years old and cannot be encrypted. Members of Congress were rightly incredulous.
“You failed utterly and totally,” committee Chairman Jason Chaffetz, R-Utah, told the officials, calling on both to resign. “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”
More broadly speaking, that appears to be true of federal cyber security in general, particularly for agencies outside the national security and intelligence community. Having an Einstein program to check for malware on government computers sounds fine, but it will typically lag behind inventive hackers.
The only answer is that cyber security must be taken far more seriously. The government must make it much harder to gain access to even the most routine files and communications. Government computer systems must be kept up to date and use the latest anti-theft technology. Government employees must be drilled in the importance of keeping access passwords as confidential as top secrets.
It should not be possible to get into files containing personal or corporate information of any kind without multiple access codes.
These common-sense recommendations should have been instituted the first time a government computer system was compromised. Now the nation’s entire personnel security system has been compromised. The Obama administration has often talked about how it is taking the cyber threat seriously, but its actual performance to date rates an F. The feds have to get up to speed to halt a security menace of vast proportions.