Ars Technica has a detailed look into the epic cyber security failure at OPM and how the hackers tapped into a treasure trove of espionage data (emphasis added):
OPM is not alone in neglecting basic security guidelines spelled out for them by both federal regulations and executive orders for much of the past decade. Even those agencies that have implemented systems to comply with the letter of FISMA (Federal Information and Security Management Act) and other regulations have had problems keeping on point because of the constantly changing nature of information security threats. And the complex plaque of information systems that agencies have built up often defies any sort of security management because the vendors who built many of the systems have long since disappeared.
By and large, government agencies in the last 20 years have become increasingly dependent on outside contractors to provide the most basic of information technology services—especially smaller agencies like OPM. The result has been a patchwork of IT systems and security, and the Office of the CIO at OPM has a direct hand in fewer and fewer projects. Of the 47 major IT systems at OPM, 22 of them are currently run by contractors. OPM’s security team has limited visibility into these outside projects, but even the internally operated systems were found to be lacking in terms of basic security measures.
In the year two-thousand fifteen, government agencies need to take cyber security seriously rather than pushing it aside. Sadly, cyber security is neglected more often than not because leadership in the US government does not understand it. By and large, cyber security remains more geeky than standard IT, which is easily mapped to existing business needs.
Cyber, on the other hand, is more akin to a form of insurance. It is an investment today that pays dividends later. In many cases those dividends materialize in the form of not having to expend additional capital to mitigate a security incident like the OPM breach. Organizations should expect to spend a couple of million dollars on cyber security today rather than expending tens of millions later down the line for things like incident response, shareholder lawsuits, credit monitoring, and more.
While OPM instituted continuous monitoring of some systems using security information and event management (SIEM) tools, those tools covered only 80 percent of OPM’s systems according to a fiscal year 2014 audit by OPM’s Internal Office of the Inspector General (OIG) audit team. And as of October 2014, monitoring didn’t yet include contractor-operated systems, according to the same organizational oversight.
“The OCIO (Office of Chief Information Officer) achieved the FY 2014 milestones outlined in the roadmap which included quarterly reporting for high impact systems,” the OPM OIG reported in its audit. “The next stage in the OCIO’s plan involves requiring continuous monitoring by contractor-operated systems and implementation of the DHS Continuous Diagnostic and Mitigation program.” In other words, OPM had no idea what was going on inside contractor-provided networks and only a limited grasp on what was going on within its own network.
There were significant gaps in OPM’s security testing as well. Seven major systems out of 25 had inadequate documentation of security testing—four of which were systems directly maintained by the OPM’s internal IT department. Three out of the 22 contractor-operated systems had not been tested in the last year; the remainder had only been tested once a year.
Our adversaries are much better at identifying our own gaps in cyber security and exploiting them for their own needs. If only the US government were just as committed to finding and then closing those gaps, OPM-like breaches would not occur.