This story is the first in a new bi-weekly GovLoop series called “The Intersection”. The goal is to make technology relevant and easy to understand for all government employees. Consider this blog the bridge that connects you (the tech user) with the tech innovators and policy makers. The next post will be published on GovLoop.com July 14.
The Office of Personnel Management is in the hot seat this month — and probably will be for the next several months.
But OPM Director Katherine Archuleta won’t be the last agency leader called before Congress to explain why security audit reports were not heeded and how massive breaches could have happened.
“Unfortunately, I doubt it will be the last [cyberattack],” Chairman Ron Johnson said during last week’s Senate Homeland Security and Governmental Affairs Committee hearing on the OPM hacks. (Read our recent coverage here.)
“The cyberthreats will continue to grow in size and sophistication,” Johnson said. But “the first step in any problem is recognizing the problem and admitting you have one. OPM has become a case study in the consequences of inadequate action and neglect.”
To be clear, this is not just an OPM issue. Every agency should be assessing and remediating IT security flaws on a continuous basis – but that’s still a work in progress. In the wake of these OPM breaches, Sen. James Lankford made a comment about information sharing I think is worth repeating. Too often we hear about agencies facing similar issues and making the same mistakes, but that shouldn’t be.
“Every federal agency wants to see your notes,” on how to improve cybersecurity and how to respond to a breach, Lankford told Archuleta.
It’s inevitable that persistent and very advanced hackers will continue to worm their way into government networks. OPM alone combats more than 10 million attempted breaches a month, and it only takes one successful attempt to wreak havoc. But no agency should be fighting in the dark or found standing flat-footed, considering the wealth of information from other agencies and warnings from government watchdogs.
With that said, I’ve rounded up a few key lessons learned from the OPM breaches:
Be proactive
In what many would hope is a new way forward for OPM, the agency said Monday it was proactively taking its Electronic Questionnaires for Investigations Processing (e-QIP) system offline to avoid another breach. The system will be down for up to six weeks while OPM fixes a security flaw. It’s a hassle for many, but the alternative could be much worse.
OPM said its actions were not “the direct result of malicious activity on this network,” and there is no evidence that hackers took advantage of that security flaw. “Rather, OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network,” according to an agency press release.
Archuleta took major heat from lawmakers at recent hearings because she failed to shut down several systems, despite an inspector general recommendation to do so last year. The systems did not have a so-called authority to operate (ATO), or formal confirmation that they met all security requirements to stay up and running.
Over communicating isn’t a bad thing
If you don’t tell your story, someone else will. I understand that an investigation is still underway, but details that can be shared should be made public and accessible to everyone. At the end of the day, current and former feds want to know how they are affected by the breach and what they can and should do to minimize the damage.
I don’t know how often secretaries and other senior leaders meet with their IGs to discuss serious matters, but it’s evident that those lines of communication need strengthening. During one Senate hearing last week, Archuleta and the OPM IG, Patrick McFarland, were communicating with each through the senators. It didn’t help that McFarland told lawmakers last week he doesn’t think OPM system are secure at this point. If everything goes according to plan, staff from Archuleta’s and McFarland’s staff are finally supposed to meet this week.
Communications with people outside OPM is also critical. Archuleta said she is reaching out to chief security officers at leading private firms for advice, as her agency continues to work with the FBI, Department of Homeland Security and others.
OPM has been more proactive recently about sharing updates, including a cybersecurity action plan detailing 23 concrete steps to improve security of its IT systems. That’s great! But what makes public updates like these effective is the ability for everyday people to understand what they mean. One of the many things I’ve learned at GovLoop — and it’s applicable now — is that clarity builds confidence, which builds commitment. The more feds understand about security, the better equipped and empowered they are to be a part of the solution.
A lack of clarity has been a major issue in the aftermath of the OPM breach. I’ve fielded emails from people asking me how the breach happened and questioning if there’s any point in applying for federal jobs if the government can’t secure their personal information.
Yes, bad things are bound to happen, but how agencies respond and convey their response efforts to the media and general public is key. In the wake of a major event, lawmakers aren’t interested in knowing what agencies are considering or looking into – they want to hear what is being done and how quickly it will be finished.
Fight fires, even if you didn’t start them
Archuleta has been under intense scrutiny for decisions she’s made – and decisions she’s failed to make. A number of the security shortfalls she’s dealing with predate her tenure as director, but those problems are now her problems.
Federal Chief Information Officer Tony Scott, who is charged with setting governmentwide IT policies, vouched for Archuleta’s leadership. He told senators that the work underway at OPM serves as a template for what other agencies need to do. But he is worried that as agencies beef up their security defenses they will likely discover more breaches and face more scrutiny. That could cause a chilling effect for anyone wanting to take on leadership roles, Scott said. “I think we need to be careful about distinguishing fire starters from firefighters.”
That’s not always easy to do because people want to see someone held accountable. But the truth is Archuleta walked into a blazing fire from the day she was sworn in, November 4, 2013, as OPM Director. Archuleta’s top IT official, Donna Seymour, testified that hackers were already lurking around OPM’s networks back in November 2013.
“If there’s anyone to blame, it is the perpetrators,” Archuleta said during a senate subcommittee hearing last week.
You can only imagine the firestorm that comment set off. My advice to firefighters in government putting out fires they did not start: Make sure you understand the good, the bad and the ugly about where your agency has been and is heading. Know what fires are currently burning, and have an action plan in place for putting them out. Learn how to tell your story, and tell it well.
Aside from the credit of hacking OPM, one other bonus was the large amount of information there. I would like for there to be an analysis of the information that is asked for (with a concomitment “Is this truly necessary to accomplish the job? question), how long should the information be retained, where should the information be stored, who has access and when (and how) is the information destroyed. I don’t think we’re seeing any questions like the above posited yet.