Latest Hack Revelations Drive Federal Cybersecurity to a Sprint

Published: June 16, 2015


By now most of us are aware of the recent acknowledgement by the Office of Personnel Management (OPM) that its systems were hacked, exposing the records of at least 4 million federal employees. The few days that have followed have seen a flurry of activity and additional revelations, building to a crescendo where OMB has issued a 30-day directive for agencies to improve their cybersecurity.

The size and scope of the OPM hack made national and world news when it was first revealed. It has since come to light that the breach was significantly larger than first reported, with hackers accessing at least one other data system containing highly sensitive information from government background investigations.

The breach discoveries and disclosures have sparked a flood of questions, concerns and response activities. In addition to issuing statements on the breach, OPM has set up a Web page, including an FAQ, where those who may be affected can get information and updates and take steps to mitigate the impacts.

Then just a few days later, the Department of Homeland Security (DHS) disclosed that upwards of 390,000 current and former DHS employees, contractors and job applicants may have had their private data compromised in a computer system hack against a DHS contractor that was discovered in September 2014. DHS only began notifying those potentially affected at the end of April.

The resulting reactions cover every constituency in the federal cybersecurity community. The OPM disclosure drew the ire of members of Congress, who are demanding a more detailed explanation of the hack and its ramifications. The Senate Majority Leader, Mitch McConnell, had announced that he intended to attach to the latest National Defense Authorization Act (NDAA) some proposed cybersecurity legislation dealing with cyber threat information sharing and liability protection, but that may be off the table after some members balked at the legislation over privacy and other concerns. Some senators are using the latest events as an opportunity to demand more IT funding for OPM and to call for rescinding sequestration.

There are a lot of questions about the effectiveness of federal cybersecurity efforts at all levels, but especially around detection capabilities. The $6 billion Continuous Diagnostics and Mitigation (CDM) program, created in 2013, and the 10-year-long DHS Einstein program, among other efforts like FISMA, were launched to raise the overall cybersecurity resilience of federal agencies. But with the latest disclosures, some experts are questioning whether CDM and Einstein are up to the task, given that the OPM hack took more than a year to discover. Defending, in part, Einstein and CDM in a hearing before the House Committee on Oversight and Government Reform on the OPM Data Breach, Andy Ozment, DHS Assistant Secretary for Cybersecurity & Communications at the National Protection and Programs Directorate (NPPD), addressed DHS’ role in the recent compromise at OPM and how DHS is working with OPM and other agencies to accelerate improved cybersecurity across the Federal Government.

The revelations have propelled what Federal CIO Tony Scott is calling a government-wide 30-day Cybersecurity Sprint, in which agencies have a month to patch all known vulnerabilities, identify and mitigate known threats, limit privileged access and tighten access controls, and "dramatically accelerate" the use of personal identity verification (PIV) cards and additional forms of multifactor identification. The effort includes eight priority areas that address broad security areas from data protections and incident recovery to embedded security and reduced attack surfaces. Other accounts of the OMB directive provide additional details, as the memo has not yet become public. OMB has also accelerated the revision of government-wide IT security policy guidance to shore up privacy protections and clarify how multiple security elements, like FISMA and NIST technical guidelines, fit together.

At the end of the 30-day window, agencies are required to report to OMB and DHS on their progress and any challenges they encountered. The clock is ticking.