After the Breach: How Government Reacted to OPM

The recent data breach at the Office of Personnel Management not only exposed the personal ­information of more than 20 million past and present government employees, but also showed some cracks in federal security efforts.

Shortly after the breach was announced, Tony Scott, just four months into his tenure as federal CIO, announced a sweeping, 30-day “cybersecurity sprint” — an all-hands-on-deck program to help agencies shore up their security postures.

“Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st century,” Scott said when unveiling the program.

Intended to quickly fix a number of lingering security issues, the sprint focused on improving situational awareness, standardizing processes and shrinking attack surfaces. It also called for agencies to dramatically accelerate implementation of multifactor authentication.

Calling for a governmentwide sprint was a bold move, but given the complexities of cybersecurity, could it really help prevent a widespread breach like the OPM incident? Now, a few months removed from the effort, the answer is clearly “yes.”

“The sprint encouraged us to hyper-focus on a few key areas,” says Tim Ruland, the Census Bureau’s chief information security officer.

“Now, it’s a matter of applying the spirit of the sprint to our continuous monitoring program and our risk management framework,” he says. “This will help ensure we’re addressing risk and not just managing by checklist.”

The comprehensive nature of the sprint and how agencies respond will be key to ongoing improvement, security experts say.

Cybersecurity Is a Marathon and a Sprint

“Cybersecurity is not about how well you’re prepared for any single event,” says Jon Oltsik, senior principle analyst with the Enterprise Strategy Group, a research firm. “Agencies have to be prepared for anything, at any time. The most important thing now will be the long-term strategies they employ to address their high-priority vulnerabilities.”

During the sprint, Census officials uncovered a lack of uniformity between the bureau’s security systems and those of its parent agency, the Commerce Department. By using a common set of security tools, the two organizations found a way to more effectively share information. They also created a way to present it to senior officials, so they can clearly understand the overall security infrastructure, Ruland says.

The Census Bureau looked at a security information management (SIM) tool that the Commerce Department will use in its enterprise security operations center. The tool, which collects and aggregates security log data, helps analysts spot emerging threats across all department systems. Census has long used a different tool than that of its parent department. “If they see something of interest and want to take a closer look, all the necessary information is in one place,” he says.

Commerce wants to create a more unified IT environment with the current re-evaluation of SIM tools, and the other review of technologies fits right into that — something the cybersecurity sprint helped set into motion.

Similarly, the sprint spurred the bureau to review its two-factor authentication requirements. “We accelerated our reviews and updates for identifying our most important assets,” Ruland says. “We double-checked that our risk management framework and our security assessments relating to high-value assets are still providing the appropriate level of security.”

Offering Privileged Access to Systems

Census’s risk-management framework combines technology and policies to ensure that security considerations are applied at the start of any new system development efforts. “We embed a security engineer within any new initiative from day one,” Ruland explains. “They look at things from a business perspective. From there, we create risk profiles for every system and continuously monitor them for security.”

The bureau also used the sprint to review the number of employees who have elevated system access privileges and whether those designations were still required for each person’s specific duties.

Post-sprint, the Census Bureau is considering a variety of updates to its security strategy — some addressing technology, others encompassing policies and training.

“We’re not going to make all the changes overnight or in 30 days. Some may not be fully addressed within a month or two,” Ruland concedes. “But we have a clear plan for moving forward for doing what needs to be done.”

The State Department devoted sprint resources to its smart card program, expanding secure authentication technologies based on HSPD-12 guidelines, says Bill Lay, the agency’s chief information security officer.

The State Department was challenged with its smart card rollout because of the large number of authorized U.S. citizens who work overseas in embassies. “Because much of our network is outside the United States, it’s difficult logistically to manage smart cards that must be updated every three years, according to the standard,” Lay says. “This has made it difficult to use them as an authentication tool.”

The department used the sprint to increase its installation of new hardware and software for issuing and managing cards, and then performed extensive testing to ensure everything worked properly with the existing architecture.

Officials reviewed the number of privileged cardholders to see if that number could be reduced. Both efforts are paying off.

Lay reports that a significant increase in the number of cards issued and the ­re-evaluation of privileged users will be part of the department’s security priorities.

Accelerating Security Efforts in Specific Areas

“Reducing the number of privileged users comes down to balancing centralized and decentralized administration,” Lay says. “It depends on creating a command-and-control system that allows a few people to administer a network globally from a central location rather than having administrators scattered across the world.”

Agencies used the sprint in similar ways to accelerate security efforts in select areas. The Justice Department, for one, placed a high priority on creating strong authentication for privileged users.

“Today, 83 percent of our privileged users use strong two-factor authenti­cation,” says Department of Justice spokesperson Wyn Hornbuckle. “With an enterprise of our size and geographical dispersion, we have made tremendous progress with our general user community. We expect to continue to improve through the rest of 2015.”

The Defense Department has long prioritized computer security, given its size and high value for hackers. Before the sprint, DOD launched an initiative in May that directed stakeholders to review and increase their emphasis on cybersecurity basics.

“Part of that review resulted in the development of a cyberbasics scorecard that leadership could review,” says Lt. Col. Valerie Henderson, a department spokeswoman. “Our cyber scorecard effort aligned with the administration’s strategy to enhance the federal government’s cybersecurity. DOD was an aggressive participant in this effort.”

The OPM Breach's Bottom Line

The sprint was a strong response to the OPM breach, but was it effective? Security officials say that in addition to helping agencies focus resources on a common effort, it provided a fundamental, governmentwide benefit.

“All your management training says, ‘Engage senior leadership early on when launching new initiatives.’ I commend Tony Scott and OMB for making that happen,” Lay says. “It’s a game changer when everyone in a department aligns around security.”