Severe leadership errors and outdated technology are among a litany of systemic failures that caused the large-scale data breach of the U.S. Office of Personnel Management (OPM), according to a new scathing government report.
The 241-page analysis blames the department for endangering America’s national security, even after being “warned since at least 2005 that the information maintained by OPM was vulnerable to hackers.” The U.S. House Oversight and Government Reform Committee conducted the study on OPM, the federal agency in charge of managing government employees.
Hackers, believed to be sponsored by the Chinese government, were able to steal sensitive records and the personal information of more than 21 million government personnel. This encompasses federal employees and contractors for all federal agencies, including the U.S. Department of Defense.
The purloined data included in-depth background investigations on employees, like gambling, alcohol and drug use history, as well as “the names of any relatives” (even very distant ones) and “their home addresses.” Fingerprint data of 5.6 million people were also reportedly stolen.
While cybercriminals have been able to take information from the State Department, the Nuclear Regulatory Commission, the IRS and the White House, the Oversight Committee contends that none compare to this one due to sheer size.
The committee’s assessment pinpoints a number of bureaucratic and operational breakdowns, including the “absence of an effective managerial structure to implement reliable IT security policies” and lack of urgency to fill this void. It also highlights that OPM broke legal protocol by not fulfilling the Office of Management and Budget’s deep-rooted obligation “to use multi-factor authentication for employees and contractors who log on to the network.”
The “lax state” of OPM’s IT infrastructure likely caused the online intrusion and if there wasn’t such a reactive procrastination “they could have significantly delayed, potentially prevented, or significantly mitigated the theft.”
OPM also seemingly misled Congress and the American public of the scope of the breach and “downplayed the fallout.”
CyTech, a private cybersecurity firm who detected the invasion during a demonstration of its security tools, provided the Oversight Committee with the requested information in a very expedient manner, but “OPM dragged its feet.”
And even though OPM’s IT system was reportedly antiquated and CyTech provided forensic support and incident response assistance, the federal agency never paid the business for its services and in doing so broke the law.
OPM also purchased security tools from a separate IT company from the June 2014 to October of the same year, but took anywhere from three to fifteen months to deploy them. Even after a lengthy investigation that took more than a year, “the reasons for the extended period of time between purchase and full deployment varied and are not entirely clear from the record.”
OPM has one of the lowest federal cybersecurity spending in comparison to other agencies in the past years, according to tables at the end.
During investigative hearings, House Oversight Chairman Rep. Jason Chaffetz told OPM officials that they had “completely and utterly failed.”
“I’m looking here today for a few good people to come forward, accept responsibility, and resign for the good of the nation,” Rep. Ted Lieu told the room. And his wish was granted, after former Director Katherine Archuleta and then-Chief Information Officer Donna Seymour resigned in February.
OPM now asserts that it has since improved its cybersecurity infrastructure and capabilities since it is under new leadership.
“While we disagree with many aspects of the report, we welcome the committee’s recognition of OPM’s swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies, and processes,” an official blog post written by Director Beth Cobert of OPM reads.
Along with listing a number of upgrades made to its cybersecurity capacity, Cobert also addressed fellow government.
“We hope Congress will also continue to support our efforts and provide us with the resources we need to continue to strengthen our cybersecurity posture now, and into the future,” she continued.
The Oversight report quotes several high-ranking officials in the field of intelligence and national security to help clarify this instance’s magnitude. Most paint a very bleak picture for America’s cybersecurity infrastructure after the revelations of this breach became apparent.
“[OPM data] remains a treasure trove of information that is available to the Chinese until the people represented by the information age off. There’s no fixing it,” says former CIA Director Michael Hayden.
“We cannot undo this damage. What is done is done and it will take decades to fix,” John Schindler, a former NSA officer explains.
Chairman of the Information Technology subcommittee Rep. Will Hurd, who is one of the few Congressmen with a storied career in cybersecurity, presented an ominous warning during a hearing on this issue.
The massive data breach of OPM “is just another example of the undeniable fact that America is under constant attack. It is not bombs dropping or missiles launching; it is the constant stream of cyber weapons aimed at our data.”
Send tips to email@example.com.
Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact firstname.lastname@example.org.