On Wednesday, September 7, Republicans on the U.S. House of Representatives’ Committee on Oversight and Government Reform released a report detailing the events leading up to the sweeping hack of the federal Office of Personnel Management’s (“OPM”) databases. The report concludes that it was ultimately a failure of culture and leadership at the OPM, not a lack of technology or tools, that led to the breach.
The OPM is tasked with checking the backgrounds of 90 percent of federal government job applicants. In June 2015, the OPM announced that the personnel records of 4.2 million former and current federal employees had been compromised. A month later, OPM announced that the background investigation data for 21.5 million individuals were compromised as well as the fingerprint data of 5.6 million of these individuals.
According to the Committee’s 231-page report, the OPM data were compromised through a series of breaches from 2014 to 2015 that were “likely connected and possibly coordinated” by two Chinese government-sponsored groups. The report concludes that the breach and exfiltration of the data can be attributed to a longstanding failure of the OPM’s leadership to implement basic cybersecurity measures, such as employing strong multi-factor authentication. Furthermore, tools were available that could have prevented the breaches, but the OPM failed to leverage those tools to mitigate the agency’s extensive vulnerabilities.
The report offers a number of recommendations, including ensuring that agency Chief Information Officers are empowered, accountable, and competent, and are retained for more than the current average of two years. The report also recommends that the government move away from the use of social security numbers and that federal information security efforts move toward a zero-trust model in which users inside a network are treated as no more trustworthy than users outside a network.
The Democratic Committee staff issued a 21-page memorandum in response, explaining that it could not support the report because the report failed to adequately address federal contractors and their role in federal cybersecurity. According to the memo, the Committee’s investigation found that federal cybersecurity is intertwined with government contracts and that cyber requirements for government contracts are inadequate. The memo highlights that the OPM breach was achieved using credentials taken from one of the OPM’s contractors to disguise its initial movements into and through the OPM’s computer network.
