Years of Security Lapses Left Government Personnel Agency Open to Hacks

by Paul Davies, June 19, 2015

Capitol Hill came under scrutiny yet again this week when it became apparent how the lack of fundamental online protection at the Office of Personnel Management led to the 2014 hack that left millions of Government employees exposed.

In a hearing held in front of the House of Oversight and Government this week, witnesses have testified how years of security oversights and weaknesses across the OPM network allowed hackers to steal personal and private details on a substantial proportion of Government employees while the world could only sit back and watch.

The Case on Capitol Hill

The breaches at the OPM first came to light back in June 2014 when it was discovered that hackers traced to China had used stolen credentials to access the networks of the OPM, holders of key personnel data on nearly all US Government employees.

Initially, it was suggested that no personal data had been accessed during the event and that the breach was limited. However, over the following months, further revelations showed that the attack went far deeper. It is currently estimated that more than 4.2 million government personnel past and present have had their private details stolen. However, the true number could be closer to 14 million, with records as far back as 1985 being accessed by the perpetrators. All down to a lack of suitable online protection at the OPM.

Data disclosed within this breach included social security numbers, addresses, job roles and other online details of individuals across the US Government, many of whom have high-level security clearance. The breach has affected not only permanent staff but also temporary staff and contractors. It has also been revealed that the data held by the OPM includes details of relatives and close friends of Government employees, meaning their privacy could also be in jeopardy from this attack. Even employees who do not hold their personal records at the OPM but who have submitted service history records to the department could be vulnerable. And how this data will be used has yet to be seen.

There is also the risk that key personnel data covering covert officers and those working undercover may have been accessed. And this week it has been disclosed that key congressional staff and their associates have also had their details stolen.

Following this entry, hackers were also able to gain access to the systems of KeyPoint and USIS, two federal contractors working with the agency, proving that the full extent of the attack will still take some time to uncover.

Who Is To Blame

Both Democrats and Republicans have come together to point the finger at the decision makers within the Office of Personnel Management. The agency is headed by its Director, Katherine Archuleta, and it has been identified that a lack of security controls within its networks was fundamental in allowing this event to take place. Even the Committee’s chairman stated to the perpetrators ‘You failed utterly and totally’.

Federal Cybersecurity Standards

The main criticism of the team behind this scandal is just how long they have been able to breach the standards set by their own institution. The Federal Cybersecurity Standards were initially implemented as a code of good practice for all government and large corporate agencies to follow. In recent years, these standards have been established as a set of guidelines for Government agencies to follow to ensure such invasions cannot take place. However, in the case of the Office of Personnel Management, key decision makers failed to follow the guiding principles, and the consequences have been catastrophic.

Lack of Expertise

The assistant inspector within the agency, Michael Esser, has stated that he believes the lack of security was due to the fact that the people leading the OPM had very little expertise in the area of data protection. Key personnel data was held on networks without any type of encryption, and such violations had been occurring over a considerable period of time.

It was stated during the hearing that in November 2014 a general audit of the security status of the data held by the OPM considered its networks to be ‘vulnerable’ and had recommended that the department be shut down. Yet the agency remained open and, unbeknown to them, the hackers were in.

Finding the Way Forward

While finding out who is responsible for this aberration is key to moving forward, the clean-up operation required to limit the damage caused by such a breach is also going to take years. It is yet to come to light just how the data will be used, and what consequences it could have for national security. As the House of Oversight and Government Reform Committee’s chairman stated, this could be ‘the most devastating cyberattack’ in American history. And how far it will spread, only time will tell.

In the initial phase, a full investigation into the security of the networks within OPM will influence the decision as to whether the organisation itself is allowed to remain in operation and under whose governance. So far, the likes of Archuleta and her team seem far keener to pin the blame on recent predecessors for the lack of action taken than to take any of the blame themselves. What will be done to stop a repeat of this situation in the future has also yet to be confirmed.

Protect Yourself First

As Chair Jason Chaffetz stated, using a network without the appropriate online security is like leaving your doors and windows unlocked and expecting not to be burgled. And the same can be said for every corporation and individual user who chooses to go online. As a basic level of protection, ensure your online activity is secure. Keep your antivirus up to date and use a VPN service like EasyHide-VPN to keep your online activity separated from your personal data. Such a facility will hide the IP addresses that you use online and ensure your activity cannot be traced back to your physical identity.

The way to fight against online crime is to ensure that you are doing everything you can to keep yourself safe. And unlike the OPM, you won’t have to worry about anyone coming in through your back door.