The breach we could have avoided

Published: Sep 30, 2015

Author: Jason Chaffetz

Publication: The Hill

The worst data breach in American history compromised the sensitive, personally identifiable information of 21.5 million Americans.

The Office of Personnel Management (OPM) attack was the result of negligence, inadequate cybersecurity measures, mismanagement of IT budgets over decades, poor data management and incompetent leadership that, unfortunately, remain in place today.

The significance of the breach cannot be overstated.

Social Security numbers and health, financial, employment and residency information were placed in the hands of our greatest adversaries. The perpetrators even swiped fingerprints of 5.6 million individuals.

FBI Director James Comey described the breach as “a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government.”

Another former senior intelligence community official referred to the stolen data as the “crown jewels” and a “gold mine for a foreign intelligence service.”

It was an extraordinary theft. It was also entirely foreseeable.

Competent leaders would have seen the obvious threat and responded to it. The OPM’s didn’t.

By ignoring repeated warnings of system vulnerability, failing to adopt basic cybersecurity best practices and wasting millions of dollars maintaining outdated technology, OPM leaders left the agency’s valuable data vulnerable to attack.

The resulting breach was entirely predictable and its risk well known.

OPM leadership consciously ignored warnings of “material weakness” in data security from the inspector general (IG) for at least eight years.

Inexcusably, OPM leadership operated systems without valid authorizations despite knowing the inherent risks.

The OPM did not encrypt Social Security numbers despite being required to do so.

It is also unclear why the OPM left all 21.5 million individuals’ security clearance files active on its system. Information that isn’t available on a network can’t be hacked.

President Obama’s decision to appoint Katherine Archuleta as director of the agency based on political patronage rather than on skill and expertise topped off the perfect storm.

It’s of small comfort that Archuleta resigned after the damage was done. The OPM’s chief information officer is still on the job. By law she is responsible for securing the agency’s IT systems. She spectacularly failed at this mission, yet remains at the helm.

Bad decision-making at the OPM was not limited to security measures. The agency also proved a poor steward of IT dollars.

Since 2008 the Obama administration has spent in excess of $525 billion on IT, and it’s not working.

Instead of investing in cutting-edge technology, officials wasted millions on outdated legacy systems, which make the application of security tools far more challenging.

Astonishingly, the OPM operates using 1950s-era Cobol language, which is difficult, if not impossible, to update to include encryption or multifactor authentication due to its aging code base.

Yet the OPM spent nearly 80 percent of its budget in fiscal 2014 on old IT, like Cobol. Nearly $70 million was allocated to operations and maintenance with a mere $14 million on development modernization.

As the OPM embarks on its better-late-than-never plan to overhaul its IT infrastructure, the agency’s failure to change leadership portends more failure. It is once again disregarding warnings from the IG that its plan has a “high risk of failure.”

We can’t keep doing the same thing and expecting a different result. If we want to ensure that a breach of this magnitude never happens again, we have to have the right leadership.

Right now, we don’t.

Experienced leaders in IT and cybersecurity would ensure that the controls already in place are being followed. That’s not happening.

The 30-day cyber sprint initiated by the Office of Management and Budget (OMB) in the aftermath of the hack yielded a 30 percent agencywide increase in multifactor authentication for certain users, from 42 percent to 72 percent.

It was over 10 years ago, though, that the White House first issued direction to agencies to accelerate the use of multifactor authentication. It shouldn’t have taken a crisis of these proportions for agencies to get their IT houses in order.

It was only after the 30-day cyber sprint was complete that the OPM increased its multifactor authentication participation from 42 percent to 97 percent of all users.

We may never fully rid ourselves of the threat posed by those who wish to do us harm.

However, with more competent leadership, a commitment to strong cybersecurity measures and better stewardship of IT dollars, we can do much more to prepare and protect ourselves.

The OPM’s network was a disaster waiting to happen. We have the tools and ability to avoid a future disaster. We need to maintain the pressure on our federal agencies to ensure they have the will.

Chaffetz has represented Utah’s 3rd Congressional District since 2009. He is chairman of the Oversight and Government Reform Committee and sits on the Judiciary Committee.
