In September 2016, the Committee on Oversight and Government Reform, U.S. House of Representatives, 114th Congress finally released what we’ve all been waiting for: The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. Wow, about time.
In a recent CSO Online article, The OPM breach report: A long time coming, Taylor Armerding summarizes the congressional report and the national frustration with the entire fiasco. In fact, both the report and article titles pretty much sum up how America feels about the Chinese exfiltration of personal data.
If you want to know the details of the event, please read the article and the report, as both are fascinating. They explain very well how this incident will impact security-cleared US citizens for generations, literally.
Readers in our career field (those of you reading this article) who are Facility Security Officers (FSOs) for cleared defense contractors, government employees, or other security practitioners under the National Industrial Security Program (NISP) may experience frustrations beyond those shared in the report and article referred to above.
Frustrations expressed from other sources:
“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”---James Comey, Director of the FBI
“(The SF-86) gives you any kind of information that might be a threat to (the employee’s) security clearance.”---Jeff Neal, Former DHS official
Frustrations not nationally expressed:
The additional frustration is grounded in the fact that the Office of Personnel Management conducts security investigations, collects very personal information from interviews and reports, contracts investigators who communicate that information, and stores it. The data collected on each person, and the compilation of that information across everyone investigated, warrants a robust security policy to protect personally identifiable information (PII).
Keep in mind that OPM is one of the agencies that require industry to undertake intense security training in protecting PII, practicing cybersecurity, reporting security violations, detecting and denying insider threats, and so on. While cleared defense contractors are complying with training requirements, undergoing security reviews, demonstrating security programs that protect classified information on information systems, and complying with DFARS requirements concerning computer networks, OPM was negligent in practicing what it preached.
The report lists OPM’s failures to protect the network and sensitive information, and its slow reaction to both the attack and the reporting requirements. Additionally, while contractors are required to conduct investigations of security violations, determine the cause, and, as necessary, take disciplinary action, no one at OPM has been fired as a result.
Imagine what would happen if a defense contractor’s network was hacked and the following information was exfiltrated:
Employee information including:
· Current and past addresses
· Security violations
· Mental health counseling
· Alcohol and drug dependency
· Marital problems
· Credit history
Get the picture? The employees would sue, and the oversight agencies would review and report the circumstances. Chances are that the responsible parties would be terminated.
According to the report, the cyberattack was detectable, preventable, and actionable, but OPM failed on all three.
Lesson for FSOs and security practitioners
Become cyber-aware…become involved in cybersecurity. It’s not necessary to become an expert, just to understand. Many FSOs are great at the physical security requirements for PII, classified information, export-controlled material, and other tangible items requiring clearance and/or need-to-know enforcement. It’s not too much of a leap to relate physical security requirements to the protection of information on networks or standalone computers.
Our profession has to become more involved in cybersecurity than simply advising “don’t open attachments”, “only conduct company business on the computer”, and the standard slogan-heavy, bumper-sticker language. FSOs should become informed about how to respond to different threat categories and access points, and provide cutting-edge security awareness and security refresher training.
Applying the knowledgeable security focus:
Read, learn, and discuss with IT and network professionals the importance of programs to deny, deter, detect, observe, and report cyberattacks. Here are some physical security fundamentals that can be applied for immediate cybersecurity action.
Though the reader may not be an expert, they can form a team from IT and all business units to accomplish the task. This is the same exercise physical security and loss prevention practitioners use, or at least should:
Determine what needs to be protected
Identify sensitive information on the enterprise network. Every business unit has a piece in the puzzle: program managers, accounting, personnel, contracts, etc. Involve all aspects of the enterprise in the exercise.
Determine where the information exists
Is the information on an internal or external network? Which one(s)? On a standalone computer? Document all locations.
Determine who needs access to the information
Limit access to the networks, folders, or locations based on who is authorized to use the information.
Do program managers need financial information related to other contracts? Does the CFO need intimate software development details? If yes, ensure they have access; if not, deny access.
Determine threats to the information
The obvious threats are trusted employees and external hackers. These two categories are the bare minimum necessary for cataloging the threat. Ask: how can the internal threat access the information? How can the external hacker access the information?
So far so good, right? Well, it becomes more technical from here, and this is where you might need an advisor, consultant, or other help.
Determine how to deny, detect, report, and monitor systems for cyberattacks
This requires the skill to buy the right technology or hire the right employees.
Document all actions and provide a report to senior management
Programs do not live long without senior management buy-in. Since we recommend forming a team, use the team concept to develop and maintain momentum. Provide recommendations to the key management personnel, get approval, and have them champion the program to senior leadership. Change management may be in order.
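The steps above are an inventory exercise, and the part of it that catches most real-world trouble is comparing who is documented as needing access against who actually holds it. The script below is an added example, not part of the original article and not an OPM or NISP tool: it models the inventory (what needs protecting, where it lives, who is authorized), compares it against an access list, flags the roles that hold access without a documented need, flags sensitive data that sits on an external location where an outside attacker could reach it first, and produces plain lines for the report to senior management. Every asset, share path, role and access entry in it is a constructed sample.

```python
"""Need-to-know access review for an enterprise data inventory.

Added example, not from the original article or from any OPM/NISP tool.
It models the steps above: what needs protecting, where it lives, who is
authorized, who actually holds access, and a report for management.
All assets, share paths, roles and ACL entries below are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    category: str             # e.g. "PII", "contract financials", "source code"
    location: str             # "internal:", "standalone:" or "external:" prefix
    authorized_roles: set     # roles with a documented need to know


# Steps 1 and 2: what needs protecting and where it lives (constructed inventory)
INVENTORY = [
    Asset("sf86-archive", "PII", r"internal:\\fileserv\hr\clearances", {"FSO", "HR"}),
    Asset("contract-ledger", "contract financials", r"internal:\\fileserv\finance", {"CFO", "Contracts"}),
    Asset("flight-control-src", "source code", "standalone:lab-pc-07", {"Engineering"}),
    Asset("travel-forms", "PII", "external:cloud-share/travel", {"FSO", "HR"}),
]

# Step 3 input: roles that currently hold access (constructed ACL export)
CURRENT_ACCESS = {
    "sf86-archive": {"FSO", "HR", "IT-Helpdesk"},
    "contract-ledger": {"CFO", "Contracts", "Program-Managers"},
    "flight-control-src": {"Engineering", "CFO"},
    "travel-forms": {"FSO", "HR"},
}


def review_access(inventory, current_access):
    """Step 3: roles holding access with no documented need, per asset.

    Returns {asset name: sorted list of excess roles}; an empty dict means
    the access lists already match the need-to-know decisions.
    """
    findings = {}
    for asset in inventory:
        granted = current_access.get(asset.name, set())
        excess = granted - asset.authorized_roles
        if excess:
            findings[asset.name] = sorted(excess)
    return findings


def review_exposure(inventory, sensitive=("PII",)):
    """Step 4 (external threat): sensitive categories stored on an external
    location are the first thing an outside attacker can reach, so list them
    for the threat discussion."""
    return sorted(a.name for a in inventory
                  if a.category in sensitive and a.location.startswith("external:"))


def report_lines(inventory, current_access):
    """Step 6: plain lines for the report to senior management."""
    by_name = {a.name: a for a in inventory}
    lines = []
    for name, roles in sorted(review_access(inventory, current_access).items()):
        a = by_name[name]
        lines.append(f"ACCESS  {name} ({a.category}) at {a.location}: remove {', '.join(roles)}")
    for name in review_exposure(inventory):
        a = by_name[name]
        lines.append(f"EXPOSE  {name} ({a.category}) at {a.location}")
    return lines


if __name__ == "__main__":
    for line in report_lines(INVENTORY, CURRENT_ACCESS):
        print(line)
```

Run it as-is to see the three excess-access findings and the one exposure finding from the sample data; in practice the inventory comes from the business units named above and the access lists from an export of the file server or directory permissions, and the review is repeated whenever either changes.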
Hopefully, this article provides thought-provoking and imagination-stoking ideas to help develop a security program that includes cyber considerations. The report referred to above demonstrates and quantifies an active adversary with a demonstrated history of attacking high-level government agencies, as well as the poor actions of those responsible for preventing access to sensitive information. None are immune, but all are responsible. Our profession exists in the defense industry. Our national security depends on doing everything we can to be aware of, train for, and respond appropriately to all threats.