Dissecting the OPM Breach

Ex-DHS Cybersecurity Leader Mark Weatherford Analyzes Hack
Mark Weatherford, the former deputy undersecretary for cybersecurity at the Department of Homeland Security, says the Office of Personnel Management neglected to take several basic steps that might have helped to prevent a breach that may have exposed the personally identifiable information of 4 million current and former government workers.

OPM said that after it confirmed the breach, it instituted additional network security precautions, including installing anti-malware software, limiting remote access for network administrators and restricting remote network administration functions. That brought an exasperated response from Weatherford: "This is jacks or better to open; if you're not already doing this stuff, you're not even at the game."

In an interview with Information Security Media Group, Weatherford says these basic cybersecurity steps might not have prevented the breach, but would have made it far more difficult for the hackers. "If they're not deploying anti-malware in their systems already, come on, this is kindergarten stuff," he says. "If they're not monitoring remote access, shutting down remote access, it's embarrassing to me that somebody probably comes out and says ... that they're going to start doing that now."

Weatherford says he doesn't understand why the system OPM used to detect the breach didn't protect the employees' PII. "If all [the system] does is say, 'Bad guys are here,' what the heck good is that if it's letting all the intellectual property and PII flow out?" Weatherford asks.

The federal government concedes that the employment records of 4 million individuals might have been exposed to the hackers who breached the Office of Personnel Management computer systems, but it hasn't yet confirmed that data was removed from government computers. Weatherford and a number of other security experts, however, believe that's what happened.

Deploying Intrusion Prevention

All federal civilian agencies, including OPM, have deployed the Einstein 2 intrusion detection system, but most agencies have yet to implement the advanced Einstein 3A system, which has breach prevention features. DHS says that as of June 1, it's providing Einstein 3A services to 13 federal civilian agencies, protecting nearly half of federal civilian personnel, and has signed agreements with 52 other agencies to deploy the more advanced system. DHS and OPM spokesmen did not reply to inquiries about whether OPM has Einstein 3A in place.

At a White House briefing on June 5, Press Secretary Josh Earnest said the implementation period to deploy Einstein 3A has been accelerated, and the system should be implemented in all federal agencies by next year, two years earlier than originally planned.

In the interview, Weatherford:

  • Explains why it might have taken a month for IT security personnel to determine that the anomalous traffic they noticed on the network was a breach;
  • Discusses the value of federal government investment in cybersecurity;
  • Describes the challenges government technologists face in getting buy-in for changes in entrenched programs, including IT security efforts, that have strong support in Congress.

Weatherford is a principal at the security consultancy The Chertoff Group. As DHS deputy undersecretary, Weatherford worked with national critical infrastructure sectors and federal government agencies to develop an understanding of the cyberthreat environment and create more secure IT network operations. Before joining DHS, Weatherford served as chief security officer at the North American Electric Reliability Corp., where he directed its cybersecurity and critical infrastructure protection program. He previously served as the CISO for the state governments of California and Colorado.