Biggest OPM Hack Compromising Federal Employees Data Was Avoidable
A recent report has stated that the attack on OPM was avoidable. The agency knew that it was being targeted and yet failed to secure the millions of federal employees data. The report also says that the agency failed to notice that it was dealing with a sophisticated enemy who probably found it simple to steal vital employee information. It has been confirmed that the attack originated in another country.
The Report on the Biggest Cyber Attacks on Federal Employees Data
The report on one of the biggest cyber attacks on federal employees data was released by House Committee on Oversight and Government Reform recently. It states that OPM had been warned that it was a target and yet the agency failed to take correct preventive actions. This ensured that it was more vulnerable to the attack.
An Interview Statement
In an interview with CNN, the Chairman of the House Committee on Oversight and Government Reform, Jason Chaffetz stated that in the report it is clearly mentioned that once the OPM knew that an attack was in progress, it didn’t take the right steps.
The Overseas Attack
The Republican representative from Utah did not confirm whether that attack came from China, which is being rumored for several months now. He does admit that it was an overseas attack. He didn’t reveal much by pointing out that the name of the country where the attack originated was classified information.
Reason Behind the Attack
Chaffetz said that the attack was organized and executed because the information garnered through it was very valuable to other countries. The data that was hacked revealed which federal employees had security clearances and who was dealing with the most classified information. It also exposed the vulnerabilities and fingerprints of those who were in charge of the classified data.
Underestimating the Enemy
The report also stated that OPM underestimated its enemy by not realizing that the enemy had sophisticated weapons and was very persistent. It also says that OPM had been warned consistently for years before the attacks that it was a target. It failed to recognize the importance and genuineness of being a target. If the agency had taken the threats seriously and implemented some basic security controls, the attacks would not have made the information of federal employees so easily accessible.
Federal Employees Say Agencies are Using Big Data Analytics for Cyber-Security
A recent report has highlighted that the federal employees opine that their agencies are using big data to ensure better cyber security. Many agencies still have to deal with cyber attacks as they are unable to analyze full data. Some agencies are also overwhelmed by the volume of cyber security data.
Federal Employees Spill the Beans of Cyber Security in Agencies
The report was generated by MeriTalk and it was sponsored by Cloudera. The report states that about 81 percent of federal employees admitted to the fact that their agency is using big data in some capacity analytics for attaining better cyber security. The reports also stated that 59 percent of the respondents feel that the agency they work for deals with one cyber breach a month on an average as the agencies are unable to fully analyze data.
Mapping the Increase in Use of Big Data
The survey report stated that there has been a lot of increase in the usage of big data by the agencies to ensure cyber security from 2013 to 2016. This information was shared by a subject matter expert working at Cloudera, Rocky DeStefano who added that the adoption of big data in such a short time was a big surprise and it indicates that there is proof of real life production success of such programs.
About 90 percent of respondents also accepted that the use of big data has reduced the number of breaches while 84 percent respondents said that agencies were able to beat a cyber attack due to the latest cyber-security analytic tools. DeStefano says that it clearly shows that the agencies are finding value at the earlier stages of deployment.
The Challenge
The survey also pointed out that 88 percent of respondents believe that they face challenges in taking out cyber intelligence from data and that their top challenge was the sheer volume of data. They also confessed that over 40 percent of data goes unanalyzed thanks to this problem.
Lack of Cyber Security Information
It was also highlighted by the federal employees that about 33 percent of the agencies don’t even have a system in place that could gather cyber-security information they need. This information is vital to control and prevent the cyber attacks in the future. About half still think that the volume of the cyber-security data is overwhelming.
DHS to Make Federal Employees’ Electronic Devices more Secure
The Department of Homeland Security is focused on making the mobiles and other electronic devices of the federal employees safer and secure. The department is doing so after getting a mandate from the lawmakers a few months back. The department is currently gathering data from the experts and aims to use it to identify and deal with potential threats.
Why DHS is working to Make Federal Employees’ Electronic Devices
Secure
DHS is working so hard to make the mobiles and other electronic devices safer because of the Omnibus bill that was passed by the congress in December 2015. The bill included section 401 of the Cyber security Act of 2015 which made it mandatory for DHS to carry out a study of the current mobile security methods and reveal whether these are enough to deal with the mobile security challenges.
The Aim
The aim of the study being conducted by the DHS is to identify all the threats to cyber security of federal networks and information. After the identification, the organization would develop recommendations on addressing the threats. The recommendations would be as per the industry best practices and industry standards. The organization is also supposed to create a plan that assures accelerated adoption of highly secure mobile device technology.
It is pertinent to add here that the study excludes the Department of Defense and other agencies that fall under the category of the intelligence community.
The Input
As the DHS is following the orders, it is getting assistance from experts of the Wi-Fi and cellular industries as well as the academic experts by initiating a request for information (RFI). The information needed by the DHS includes information on services, products, technologies and capabilities. The deadline for the responses is August 22, 2016. The information collected would not lead to any instant action or issuing of new contracts. The information is being gathered just for planning and market research purposes. In the RFI, the respondents are asked to identify considerations and constraints that affect the mobile and other technologies. They are also asked to give recommendations about how the situation can be improved.
The Scope
The scope of the information collected by the DHS includes not only the smartphones and tablets used by the federal employees. It also includes operating systems, mobile apps and other embedded components of mobiles like enterprise mobile services and infrastructure, baseband radios and wireless networks.
OPM Creates Strategies to Retain Cyber Security Federal Employees
As OPM and other federal agencies are facing some problems in hiring and retaining federal employees who are experts in cyber security, OPM has created the Federal Cybersecurity Workforce Strategy to deal with the problem. The strategy aims to increase the number of cyber security personnel, not only at the government, but also at overall U.S. workforce.
The Aim of Strategy to Hire Cyber Security Federal employees
OPM Director, Beth Cobert recently announced that the strategy was created to ensure that more federal cyber experts are hired and retained as they can strengthen the security of federal systems, networks, and assets. She also added that cyber security is a shared responsibility of the leadership, employees, private industry, contractors as well as the American people.
OPM has outlined four core strategies to increase the cyber workforce at all levels. The strategies are mentioned below.
Education and Training
The first strategy includes offering a CyberCorps Scholarship for Service program and communicating with the universities regarding their resource and teaching needs. This strategy also proposed funds of $62 million to enhance cyber security education.
Better Hiring
OPM is also focused on hiring the best talent by streamlining the existing hiring processes, focusing on diversity outreach and searching for opportunities to build a cyber security team as a part of the Presidential Management Fellows program.
Retaining the Employees
OPM aims to enhance the retention of cyber talent by creating transparent career paths and developing a government-wide cyber orientation program that promotes sharing of information.
Seeking the Workforce Needs
The cyber security workforce needs of every agency would be identified by making use of the National Cybersecurity Workforce Framework that points out identifies 31 discrete specialty areas within cyber security workforce. The framework was created by National Initiative for Cybersecurity Education (NICE) partner agencies.
The Success Factors
Cobert also stated that these changes would be implemented over time and the long-term success of these strategies would depend on attention, resources, and innovation from all levels of government. She also added that the initiatives mentioned in the strategy would play a key role in establishing, growing and strengthening a pipeline of cyber security into the future. It is being hoped that this time OPM would succeed in hiring and retaining the best federal employees who specialize in cyber security and have the caliber to protect government from advanced cyber attacks.
OPM Offers Cyber Security Tips to Federal Employees
OPM is still correcting the mistakes it made that led to two massive cyber security breaches last year. The agency recently directed all the federal employees to take some measures to ensure their cyber security remains intact like changing their passwords often. OPM is also increasing the length and coverage of those people who were impacted by the breach and whose accounts were hacked. More details on the extension of the period would be shared later this year.
OPM Asks Federal Employees to Stay Vigilant
The Acting Director of OPM, Beth Cobert recently wrote a letter and urged the federal employees to become more vigilant towards the cyber hygiene. She stated that the current electronic environment is very complex and so there is a need to be on guard against malicious people as well to protect the security of the technology people use on a daily basis. She suggested that feds should constantly update their passwords and stay aware of all the phishing email scams. She says these sorts of actions would prevent any cyber intrusions.
Seeking Identity Protection
About 2.7 people who were impacted by the cyber attacks that impacted more than 21 million people have signed up for free identity protection services that are being offered by ID Experts. This was revealed in the data shared by the agency.
More Insurance Coverage for the Victims
In the letter, Cobert also highlighted that the agency is implementing the fiscal 2016 Consolidated Appropriations Act. This act would increase the length as well as the amount of insurance coverage offered to people who were victims of the cyber hacks.
Cobert said that the agency has already increased the amount of identity theft insurance from $1 million to $5 million. This change came into effect on June 1, 2016. She added that the agency is putting in a lot of efforts towards extending identity protection services and credit monitoring services to the people who were impacted by the attacks. The extension would ensure that these people are offered these services for at least 10 years. Cobert concluded that the details of the extension would be shared later this year.
It seems that the agency and its personnel are doing their best to ensure that the victims of the cyber attacks, current and former federal employees, feel better and such an attack never happens again.
New Updates on Chicago’s Retirement Benefits Accounts Breach
A few days back we reported how investigators were keen on finding the culprit of retirement benefits accounts. The retirement benefits accounts of the municipal workers were infringed and some money was stolen. Earlier, the investigation was leaning towards hacking but as per the new reports, the data was stolen not hacked.
The Money Stolen from Chicago’s Retirement Benefits Accounts Breach
As per the latest reports the city employees in Chicago lost about $2.6 million when their retirement benefits accounts were infringed. Though nationwide, the private firm managing the accounts deposited the money stolen from the accounts within 5 days time, the investigators are still working hard to find the source of the breach and it seems that they have got an idea of how it was done.
The Infringement
Earlier the investigators were suspecting that some professional hacker or a group of hackers were responsible for the stealing but now the reports are different. The investigators now believe that the bad guys had access to personal information of municipal employees and they used that information to set up online profiles with the city’s deferred compensation plan. After creating the accounts, they took out the loans and the city lost the money.
The Statement
In a recent statement given by the Nationwide spokesperson, the company admitted that they believed that the accounts were not hacked but someone stole the information. It is pertinent to add here that the company is playing a major role in investigating the fraud along with the teams of city officials and some federal officers.
Hushed Up Details
When the spokesperson was asked whether it was an inside job, the person refused to offer a comment and stated that no more information would be divulged as the investigation was still ongoing.
Chicago’s Comptroller Opinion
A spokeswoman representing the Chicago’s Comptroller also shared some update. She stated that the fraud was conducted by an individual or group who succeeded in accessing the personal information and created a web profile. Then the profile was used to take out a loan from the retirement account.
The Corrective Measures
Nationwide had started taking corrective measures soon after the breach. It returned the money to all 58 accounts that were infringed within 5 days. The company is now offering two years of free credit monitoring to all the customers who were affected by the retirement benefits accounts breach.
Investigators Keen on Finding the Culprit of Retirement Benefits Accounts
The retirement benefits accounts of several municipal employees were breached recently. The breach was detected by the company managing the accounts. Some money was stolen from the accounts and the company returned it soon. The company has also intimated the account holders and federal authorities of the breach and an investigation has begun to pinpoint the source of the fraud.
The Breach of Retirement Benefits Accounts
The breach came to light when the employees working for Nationwide Retirement Solutions, the company that currently administers the accounts on behalf of the city noticed some suspicious activity. The suspicious activity was noticed at about 457 deferred compensation accounts that are meant for municipal employees. It is pertinent to add here that these accounts are very like the 401k accounts.
The suspicious activities were noticed on June 1, 2016, and when the matter was investigated, it was found that the accounts of 91 people were breached. Some money was withdrawn from around 58 of the breached accounts while 33 accounts remained as it is.
The Culprit
The culprit of the breach is unknown as of now. It is being believed that the culprit was a person or a group that apparently created a web profile to take a loan from a retirement account and accessed personal information by using illegal means. These points were highlighted by the officials involved in the investigation.
The Investigation
The investigation into the serious matter began when Nationwide learned of the breach and notified the federal authorities. The account holders were also intimated of the breach. Ryan Ankrom, who is serving as a spokesperson for Nationwide Retirement Solutions recently stated that the company is working in conjunction with the federal authorities and city officials in order to pinpoint the source of the breach. He also added that they think it’s a fraud at this point.
The Money
The total amount of money stolen from the accounts is not clear yet. Ankrom said that the company has returned the stolen amounts to each of the account holders within 5 days of the breach.
The Future Plan
Erin Keane who is serving as the acting city comptroller has also made a statement. He said that the company and the city are working together right now to ensure that the security of the deferred compensation accounts that are like the retirement benefits accounts is maintained.
OPM Cyber Security Breach Source Still Not Found
The federal government has still not found the source of the major OPM breach that revealed the data of over 20 million federal workers last year. The officials have hinted that the attack might have originated from China but have failed to prove that. The officials are still not sure on whether the highly sensitive case would be closed anytime soon as they have failed to provide a specific timeline.
Why the Source of OPM Breach is still not Pin Pointed?
When Sen. David Perdue (R-Ga.) spoke of the matter during a Senate Foreign Relations Committee hearing on U.S.-China relations, the officials were unclear on the points made by them. Antony Blinken, who serves as the Deputy Secretary of State stated that the source of OPM breach hasn’t been identified yet because finding the exact source of the intrusion is an on-going effort.
Is China the Source of the Breach?
Many media sources have pointed out that the government officials have privately admitted that China was behind the attack. They even hinted the same in the public but have offered no proof of any of it so far.
The Pending Acknowledgement
Senator Perdue also wanted to find out whether the attacks were acknowledged by the Chinese government as a part of the cyber deal that was concluded last September. The deal was signed by President Obama and his Chinese counterpart Xi Jinping.
The deal was done to ensure that there was a complete eradication of digital espionage for commercial gain. It also aimed at ensuring that the two countries cooperate in a better manner on the cyber issues because cyber issues have been an irritant between China and the U.S. relations in the last few years.
Blinken responded that he is not recalling anything that resembles an acknowledgement of the attack in the deal. He added that the U.S. made it clear that some major cyber actions like the breach on the OPM would not be ignored by the country.
The Report
When Perdue asked Blinken about a timeline by which a definitive report on what happened with the OPM would be submitted, the federal representative was unable to provide any specific timeline. It seems that the federal government still has a long way to go before they actually find the source of the attack and punish the ones responsible for the one of the major cyber attacks that happened in the U.S.
Federal Government Cyber Security Still the Worst: Report
The federal government, state governments and even the local governments, still have the worst cyber security protocols when compared to the major private industries. The report also highlighted which agencies and sectors were the best performers and which were the poorest performers.
Federal Government Agencies’ Performance
Many federal agencies were among the poor performers as they got a low score on software patching flaws and malware, as well as, network security. NASA was most vulnerable to malware intrusions and email scams. It ranked last place in the performance chart.
The Report
The report was generated by SecurityScorecard, which is a venture-backed security risk monitoring startup. The report was prepared after measuring the current cyber security of government and private industries such as retail, healthcare, transportation, etc. The performance was measured by variables such as exposure rates of passwords, susceptibility to social engineering and defenselessness against malware infections. The report included low-performing government agencies and surprisingly, The U.S. State Department was on that list.
Worst Industries and Regions
The three industries that have the worst cyber security include pharmaceutical sector, telecommunications, and the education sector. The worst performing regions were Washington, Connecticut, Maricopa County, Arizona and Pennsylvania.
This new report has once again highlighted the government’s inability to keep its cyber security up to the mark. The government faced a lot of criticism last year when OPM was hacked and data of nearly 22 million Americans was leaked due to poor cyber security.
Best Performers
Though there seems to be major loopholes in the government cyber security initiatives, there are some government agencies that performed well on the security scores. The Hennepin County Library in Minnesota and the U.S. Bureau of Reclamation were among the top performers. The regions that have good cyber security are Nevada and Clack County.
The Measures
The federal government has taken some measures to deal with the cyber security issues. The foremost have been the Obama government’s decision to seek $19 billion towards cyber security for the fiscal year 2017. The amount if approved would include $3.1 billion to be spent on technology modernization of several federal agencies.
OPM Urges Agencies to Close Skill Gap
OPM Director, Beth Cobert is determined to close the skill gap across all government jobs. The agency has enlisted the assistance of Chief Human Capital Officers (CHCOs) in this regard. They are to create reports on how to close the skill gap in the short term as well as the long term. The agency is aiming to close all the skill gaps within a decade.
The Instructions of OPM
OPM has instructed the CHCOs to find out why any occupation becomes at risk in their own agency and in other agencies as well. The focus needs to be on mission critical jobs too. Then they need to develop strategies that can help solve this problem. The strategies they develop are supposed to be government-wide so that all the federal government agencies can benefit from them.
The CHCOs are also bound to submit quarterly and annual reports with regard to this problem. All these instructions were given through a letter written by OPM acting Director Beth Cobert. She wrote the letter on April 15th to the federal HR community.
The Mission-Critical Jobs
OPM has created a list of mission critical jobs. The list is given below.
- Auditor
- Economist
- Contract Specialist
- Cyber Security
- Human Resource Specialist
- STEM which denotes science, technology, engineering and mathematics occupations
The Strategies
The agency is directing the CHCOs to create a short-term strategy for four years and a long-term strategy for ten years that would assist in closing the key skill gaps in mission-critical jobs. Again, the strategies must be created with regard to not only in their own agencies but in all the agencies related to the government.
Taking Assistance
The CHCOs can take the assistance of the quarterly reviews offered by a data program called HRStat. The HRStat is a program that identifies the mission-critical occupations in which the agencies have a bit of trouble in recruiting as well as retaining skilled employees. The program was developed a few years back and provides useful data even now.
The Guidance
The CHCOs would get all the guidance with regard to creating the strategies. OPM will be sending guidance with regard to not only developing the said strategies but also the reporting procedure to reduce any scope of error. The guidance would be shared with all the federal government agencies soon, according to Cobert.
TSP Board May Need More Funding
The Thrift Savings Plan, or TSP Board may need more funding for the fiscal year 2016. The main reasons behind it are the cyber security upgrades and the external audits. Another reason is due to the increasing membership. The board is not sure about the extra money needed for the budget, but plans to lay it out soon.
TSPTSP Board Budget Data
The Federal Retirement Thrift Investment Board (FRTIB) was assigned $220 million in 2016. The board is predicting that it could spend $151 million even before the beginning of third quarter. The main reason behind such spending is the need to have resources that help in cyber security upgrades and external audits.
The Announcement
The announcement regarding the need for more funding was made by the FRTIB executive director, Greg Long. He made this announcement during the monthly meeting of the board that was held on April 25. He said that though the agency needs to do a bit of work regarding the budget allocation, it seems almost certain that they will need more money from the board. The estimate regarding the amount of extra money required would be clarified next month.
The Cost of Cyber Security
The main reason behind the agency running ahead of schedule on the budget is that it is putting a lot of money in to boost its cyber security. The agency is working with external auditors to finish a study of best practices with regard to cyber security in the private sector firms.
More Data and Better Service
The agency is also focused on using more data to take better decisions and offering better communication and services to the TSP participants. The TSP enrollment is higher than it has been before, and it is expected to continue to grow until 2018.
About 89% of people who have opted for Federal Employment Retirement System (FERS) have enrolled in TSP. The number of active duty military members who are enrolled in the TSP is about 44%.
Call Centre Service
In order to provide better service to the growing TSP members, the agency is aiming to create a better consolidated call service center as a part of the Expanding Participant Retirement Engagement Services and Solutions (ExPRESS) contract. The draft related to the RFP of ExPRESS participant call center services is scheduled to be released during the first week of May according to the board.
OPM Data Leak May Damage Census Response Rate
Commerce Chief Information Security Officer, Mr. Rod Turk recently stated that the OPM data breach of last year may severely affect the 2020 census. He also added that people may not participate in the census at all. The need for a census procedure is probably the highest at the moment.
The Question Posed by OPM Attack
The OPM attack that occurred in June 2015 and compromised the data of nearly 22 million former and current employees is predicted to harm public’s trust in the government. It can also make the people think that if the government cannot keep the data secure why should they add more through the census?
The Past
In 2010, about 6 percent citizens showed reluctance to participating in the census. 2 percent of them even followed through the threat. Though 2 percent is not a high number, it is certainly noteworthy. If this number increases a bit, it could seriously hamper the conclusions of the census.
The Consequences
If the conclusions of the census are not ideal, it would affect federal spending on programs, private sector decisions on investment, representation in presidential elections and congress, compliance with civil rights laws and many other vital processes.
Public Trust in Government is Deteriorating
Pew Research has earlier reported that only 19 percent of people trust the government to do the right thing most of the time or just about always. Mr. Turk admits that public trust is vital for any census. The trust being near the all time low is not a good thing.
The low faith in government may have been boosted by the OPM cyber security hacks, but it was not too positive before then either. The Census Board has decided to change or remove the offensive questions before that too. The questions that were termed offensive in 2010 census were removed or changed.
Learning the Lesson
Mr. Turk admitted that The Census Board is putting many efforts into ensuring that the census data remains safe. The organization is focused on ensuring that the cyber risks are constantly diagnosed or mitigated, phishing campaigns are effectively blocked, and the Personal Identity Verification cards system is strengthened so that only the employees can gain access to the most sensitive assets.
It seems that the cyber security culture of the Census Board might be successful in not repeating the same vulnerabilities as the OPM showed last year.
Private sector studied by the TSP board for insight in cybersecurity
The office of Enterprise Risk Management of the Federal Retirement Thrift Investment Board has been in operation for around 3 years now and they have been really busy since their inception. Currently, they have decided to study the private sector in a bid to collect insight in cyber security.
PRIVATE SECTOR TO BE STUDIED BY THE TSP BOARD:
The office has been doing a great job, as indicated by Jay Ahuja who is the FRTIB’s chief risk officer. He admits though that there is still a long way to go and that their job is far from being finished just yet. Ahuja said on March 29th that they have been working on risk assessment and management for quite some time now and have been setting up infrastructure for it too but still there is room for improvement just like there was at the start.
In their bid to fight cyber terror, the office of enterprise risk management has decided to study the private sector to be astutely able to know how to tackle cyber security and risk management related issues. Ahuja says that there is a strict timeline being followed by the organization and that he expects them to wrap things up by the mid of May so that the board can go ahead and contemplate how to move forward. FRTIB has had a hard time tackling cybersecurity as well. Around 123 thousand participants’ information was compromised through one of the board’s contractors in 2012. Since then they have been receiving heavy criticism about the security issues that they are having.
While the study is still yet to take place, it’s expected that it’s going to not only help in creating awareness but will also provide the organization with some valuable insight on how to tackle cyber threats and ensure cybersecurity.
INTRODUCING MR. CYBER SECURITY by Dianna Tafazoli
Clifton Triplett is the Cyber Advisor in the Office of Personnel Management. Mr. Triplett comes from SteelePointe Partners, a global management consulting company. In the wake of the cyber security attacks and the fingerprint theft of millions of federal workers and their families, including retirees and contractors, security is not only sensitive but a key determinant as to the tenure of the OPM Director and the Cyber Advisor.
Mr. Triplett has over 30 years of experience under his belt with military experience as well. Mr. Triplett is a graduate of the U.S. Naval Academy and seems to have the knowledge and discipline needed to form partnerships and put strategies in place that just might protect the safety and security of federal workers going forward. When a candidate has military experience on their resume it somehow just reads better and tells another story. Military personnel are trained first and foremost to be leaders and take on responsibilities through a collaborative effort. Who knows better than military personnel how to work in a team?
Mr. Triplett certainly has his work cut out for him but with his work experience in some of the major Fortune 200 companies he just might have what it takes to prevent another breach of security for federal workers.
P. S. Always Remember to Share What You Know.
Dianna Tafazoli
