When news first broke of the OPM hack back in June, few understood the massive scale of the attack. Originally thought to have affected 4 million federal employees, estimates quickly rose to over 22 million impacted. Since that time, government agencies have scrambled to shore up their cyberdefenses and OPM has worked to provide identity protection services to those affected by the hacks. But the question remains, are these the right steps?
While these efforts are helpful, Parham Eftekhari believes that the government can do much more. As Co-Founder and Senior Fellow for the Institute for Critical Infrastructure Technology (ICIT), a cybersecurity think-tank, Eftekhari specializes in assessing cybersecurity strength and IT infrastructure health. His organization recently released a report titled “Handing Over the Keys to the Castle: OPM Demonstrated that Antiquated Security Practices Harm National Security,” which analyzes what cybersecurity practices are most harmful to the federal government.
In an interview with Chris Dorobek on the DorobekINSIDER program, Eftekhari outlined both basic and more advanced cybersecurity measures that government agencies could implement to prevent another mass cyberattack and detailed what OPM hack victims should expect in the future.
“What really matters [about the OPM hack] is what went wrong, what were the circumstances at the agency that allowed for this tragic outcome to happen…and most importantly, what can we do to prevent this outcome?” Eftekhari asked.
To Eftekhari, the OPM hack is about more than just the personal data that was lost – it represents a much larger, systemic problem across government agencies. “It’s not just the 22 and a half million people that were impacted, it was their children, and their spouses and their parents, and their extended families and their friends,” he said. Of OPM’s 47 major network systems, only 11 belonged to OPM IT instead of outside contractors. None of the systems required any kind of personal identification verification to access.
Disturbing as these numbers are, OPM is not alone in its dated cybersecurity practices. “Every agency needs to shore up its defenses,” Eftekhari said. But what exactly does that entail?
“It starts with strong perimeters, with going back to basics,” Eftekhari argued. To modernize the government as a whole, agencies must first implement basic multilayered security measures like antivirus, intrusion detection and prevention, and dual-factor authentication. These would lend agencies much stronger security perimeters. Once these are in place, agencies can look at employing “advanced concepts like encryption [and] behavior analytics, then we can start to really talk about having more secure government agencies,” he said.
“Unfortunately, we’ve been talking about these same concepts for a number of years, yet we have a problem executing,” Eftekhari said. Non-IT leaders have not allocated proper funding for cybersecurity. “Without the proper resources behind all of the great ideas, concepts and technologies, we’re going to continue to fall into the same pitfalls that we currently are in,” he argued. According to Eftekhari, instead of spending money on new, innovative technologies, the majority of IT funds are still used to maintain legacy systems, which are much harder to secure.
However, “technology’s not really the problem, it’s just an overall cultural issue that we have,” he said. At OPM, there was no network map, so employees had no way of knowing what their network looked like, let alone how to secure it. In addition, the agency “lacked basic governance on disabling old accounts and limiting access to the least privileged,” Eftekhari said. “This is something that other agencies are challenged with as well,” he said.
What can agencies do? Aside from patching vulnerabilities and implementing basic security measures, such as two-step authentication, Eftekhari argued that agencies should implement advanced encryption and behavior analytics.
Eftekhari explained, “[User behavior analytics] essentially allows the network administrator to create a baseline of understanding of…what the users on your network are typically doing and then monitor for anomalies.” For example, if agency administrators knew an employee works 9 to 5 and typically only accesses one database, they would be able to know something was wrong if that employee’s credentials were used to access another database at 1 AM on a Saturday. This sort of knowledge would allow administrators to mitigate threats before they become a larger problem.
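The baseline-then-anomaly idea can be sketched in a few lines of code. The following is an added example, not taken from the interview or the ICIT report; the user name, database names and access history are constructed, and the rule of alerting only when two or more signals deviate is an assumption chosen to keep a slightly late login from raising an alarm.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_baseline(events):
    """Learn, per user, which hours, weekdays and databases are normal."""
    profiles = defaultdict(lambda: {"hours": set(), "days": set(), "dbs": set()})
    for user, ts, db in events:
        p = profiles[user]
        p["hours"].add(ts.hour)
        p["days"].add(ts.weekday())
        p["dbs"].add(db)
    return dict(profiles)

def deviations(profiles, event):
    """Return the reasons an access event departs from the user's baseline."""
    user, ts, db = event
    # A user with no history has an empty profile, so every check fires.
    p = profiles.get(user, {"hours": set(), "days": set(), "dbs": set()})
    reasons = []
    if db not in p["dbs"]:
        reasons.append("unfamiliar database")
    if not p["hours"] or not min(p["hours"]) <= ts.hour <= max(p["hours"]):
        reasons.append("outside usual hours")
    if ts.weekday() not in p["days"]:
        reasons.append("unusual weekday")
    return reasons

def alerts(profiles, events, threshold=2):
    """Flag events with at least `threshold` deviations to limit false positives."""
    scored = [(e, deviations(profiles, e)) for e in events]
    return [(e, r) for e, r in scored if len(r) >= threshold]

# Constructed history: user "jdoe" touches only "hr_records", Mon-Fri, 9:00-16:59.
START = datetime(2015, 6, 1)  # a Monday
HISTORY = [("jdoe", START + timedelta(days=d, hours=h), "hr_records")
           for d in range(14) if (START + timedelta(days=d)).weekday() < 5
           for h in (9, 11, 14, 16)]

# Constructed new activity to score against the baseline.
NEW_EVENTS = [
    ("jdoe", datetime(2015, 6, 16, 10, 30), "hr_records"),     # normal workday access
    ("jdoe", datetime(2015, 6, 17, 17, 40), "hr_records"),     # slightly late, same database
    ("jdoe", datetime(2015, 6, 20, 1, 0), "clearance_files"),  # 1 AM Saturday, other database
]

if __name__ == "__main__":
    for (user, ts, db), why in alerts(build_baseline(HISTORY), NEW_EVENTS):
        print(f"ALERT {user} {ts:%a %H:%M} {db}: {', '.join(why)}")
```

Only the Saturday 1 AM access to the second database is flagged; the late weekday login deviates on one signal and stays below the threshold.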
“If user behavior analytic technology was available at OPM, they would have been able to identify [suspicious behavior] and stop this breach from occurring,” Eftekhari said. However, because they lacked even the most basic cybersecurity measures, over 22 million people lost their personal data.
According to Eftekhari, the stolen OPM data is unlikely to end up on the black market. “The risk here is not so much that there’s going to be identity theft,” but rather espionage and blackmail. Decades down the road, the credentials taken from this hack could be used in both the private and public sector to access sensitive information.
“You need greater vigilance on the part of agencies and intelligence communities to be monitoring the activities of victims to stop…[them] from being exploited,” he said. “Offering identity theft services is nice…but you really need to be training these victims to look out for suspicious behaviors.”
To shore up their security, government agencies will have to monitor their networks with both newer technology and more skilled personnel. “We’re never going to stop cyberattacks from happening; what we can do is create environments that prevent the data from being exfiltrated,” Eftekhari said.
If there’s one thing the government should learn from the OPM hack, it’s that strong cybersecurity requires both humans and technology.
Employee training and behavior analysis are part of the solution that seems to be ignored in a lot of plans for how to deal with attacks like this.