[BreachExchange] One year after OPM cybertheft hit 22 million: Are you safer now?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 9 19:58:38 EDT 2016


https://www.washingtonpost.com/news/powerpost/wp/2016/06/08/one-year-after-opm-cybertheft-hit-22-million-are-you-safer-now/

Are you safer now?

That’s the question for the 22 million federal employees and others whose
personal information was stolen by cyberthieves from the Office of
Personnel Management (OPM) in a heist announced one year ago.

Beth Cobert thinks so. And former congressional critics now like what they
see.

Cobert is OPM’s acting director. She took over in July, after the agency’s
uninspired response to the cyber disaster forced out former director
Katherine Archuleta.

“The federal employee should have confidence in our IT systems,” Cobert
said, ignoring a Subway sandwich in her office conference room two days
before the June 4 anniversary of the announcement. “We have made huge
strides. We have a lot of great tools in place. … I am confident in the
systems. My data was stolen in the breach just like many other people’s. I
am a customer of the identity-theft protection services.”

During an interview and in a subsequent email, Cobert outlined a number of
actions OPM has taken to strengthen cybersecurity, including:

- Deploying “two-factor strong authentication” for all network users
- Implementing a continuous monitoring program for all IT systems
- Creating a cybersecurity adviser position that reports to the OPM
director, and hiring for it
- Establishing an agency-wide centralized IT security workforce under a
newly hired chief information security officer
- Modifying the OPM network to limit remote access exclusively to
government-owned computers
- Deploying new cybersecurity tools, including software that blocks
malicious programs and viruses on OPM networks
- Implementing a system that automatically stops sensitive information,
such as Social Security numbers, from leaving the network without
authorization
- Enhancing cybersecurity awareness training, with emphasis on phishing
emails and other attacks.

These efforts have been noted in Congress, where members were harshly
critical of OPM a year ago. Even Rep. Jason Chaffetz (R-Utah), chairman of
the House Oversight and Government Reform Committee, now has good things to
say about the agency and its current leadership. He was fierce in his
denunciations of Archuleta and Donna Seymour, the former agency chief
information officer, whose resignation Chaffetz demanded along with
Archuleta’s. Seymour resisted until she finally resigned in February, just
before another Chaffetz hearing.

“The most important and significant change was personnel,” Chaffetz said.
“Beth Cobert is a breath of fresh air and she gives me a great deal of
confidence that they will ultimately solve this problem.”

But the problem isn’t solved yet.

A May report from the Office of Inspector General (IG) offered a sobering
view of OPM’s information-technology improvement program. Here is some of
what the report said:

- “OPM has still not performed many of the critical capital project
planning practices required by the Office of Management and Budget”
- “We are even more concerned than ever about the lack of disciplined
capital planning processes”
- “Because OPM’s lifecycle cost estimates are unsupported and probably
significantly understated, there is a high risk that future budgets will
continue to be inadequate to complete the Project”

Cobert said the agency agrees with the bulk of the IG’s recommendations for
development of a more comprehensive information technology modernization
plan. “We are very much aligned with the IG,” she said.

The whodunit question remains unanswered, at least publicly.

Based on his classified briefings, Chaffetz said the theft probably wasn’t
related to a “business scam.” He would not elaborate.

Rep. Gerald Connolly (D-Va.) said, “We still don’t know what the Chinese
hackers, presumably Chinese hackers, who succeeded in this breach intend to
do with that data.”

While the work on the IT system continues, services to protect the identity
and credit of employees have been in place for months. One of the two
breaches hit some 4 million people, about a quarter of whom have signed up
for identity-protection and credit-monitoring services. A much larger
breach involved 21.5 million people, and more than 11 percent of them have
enrolled for services. There is considerable overlap between the two groups,
leaving the total affected at about 22 million.

OPM says the sign-up rate for services is much greater than the industry
standard. Out of 22 million affected, only 6,800 problems such as identity or
credit theft have been reported, according to OPM. There is no way to know,
according to press secretary Sam Schumach, whether those cases are directly
related to the OPM breaches.

The agency is “actively working” to extend the identity theft insurance to
$5 million and identity and credit monitoring services from three to “the
10 years that was also approved by Congress,” Cobert told a House hearing
last month.

Connolly said it will take “years of monitoring and I hope proactive
protections, credit-wise, identity-wise and otherwise for unwitting victims
of this breach.”

Cobert’s “first obligation,” he added, is “to protect those who are
innocent victims of this breach.”

“I think she is seized with this mission in a way, maybe, previous
management was slow to come to.”