US Government Is Still In Turmoil Over Cyber Defense

The giant OPM Hack of 2014 reverberates as the US Government finds that it still lacks the fundamentals of a robust cyber-defense.

The White House Office of Personnel Management has recently published a report, which is depressing news for an agency that has been in more-or-less continuous turmoil since a devastating cyber-attack in March 2014. 

That attacks stole the sensitive personal information of some 25 million US government employees, including millions of security clearance files, from the agency files and those of two of its important contractors. The fingerprint data of some 5.6 millions of those employees was also stolen. 

According to a scathing report on the break-in published two months ago by the Republican majority on the House Committee on Oversight and Government Reform, the intelligence value of the theft, carried out from China, “cannot be overstated, nor will it ever be fully known.”  

The report notes that the agency is still suffering from high staff turnover in sensitive info-security jobs and top management, including five Chief Information Officers in three years, as well as longstanding failures to check security controls on computer systems to make sure they are adequate.

It is also lethargic in dealing with a variety of longstanding security weaknesses and has still not taken action on scores of security recommendations laid out in previous Inspector General reports, some made years before the catastrophic hack. 

Among other things, the report notes that only two of the agency’s major computer applications comply with the government’s own standards for verifying user identities, which date back to 2012.

Among the 18 “major” computer systems that have not been given a renewed OK on their security controls, the report notes, are five that are owned by the Chief Information Officer, two that belong to the chief financial officer, and four systems that were inherited by a newly amalgamated National Background Investigation Bureau, a reformed chunk of the bureaucracy that now operates under the Department of Defense.

One of the systems is also owned by the Office of the Inspector General.  Indeed, according to the report, OPM, despite “several initiatives underway,” still lacks a full inventory of its many servers, databases and software, let along the important issue of how they are linked with each other, fundamentals of a robust cyber-defense.

The report drily notes that lack of what it calls a “mature inventory system significantly hinders OPM’s efforts related to oversight, risk management, and securing the agency’s information systems.”

In another section, the document observes that even when OPM scanning turns up less-than-critical weaknesses, the agency does not track the efforts made to correct them, “there is a significantly increased risk that these weaknesses will not be addressed in a timely manner, and that the systems will indefinitely remain susceptible to attack.” 

To fix the problems, or at least address them, the audit report offers up a barrage of 26 recommendations, with notes alongside many of them to show they are repeats of recommendations made years before. 

For its part, the agency management concurs with almost all of them, including new staffing hires and appropriate inventories. It balked slightly, however, at a diffident suggestion that the Director of OPM, currently, Acting Director Beth Colbert, “consider shutting down information systems that do not have a current and valid [security] Authorisation.”   

The agency said it would prefer to make its own “risk-based decision” on whether to keep operating a system without that clearance, then forward it’s evaluation to the OPM head for “ultimate decision.” 

Perhaps that is progress: The Inspector General first made the shut-down suggestion in 2014, the year of the great cyber-theft, without any apparent effect. 

Fox News:      US Navy Personnel Data Breached:  

 After The OPM Hack Security Clearances Will Now Be Done By The Pentagon:

 

 

« On Facebook, Fake US Election News Was More Popular Than Real News
Irish Law Firms Experience 50% Increase In Cyberattacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Technology Industries of Finland (TIF)

Technology Industries of Finland (TIF)

Technology Industries of Finland (TIF) is a business and labour market lobbying organization that promotes the competitiveness and business conditions of Finland’s most crucial export industry.

ComTrue Technologies

ComTrue Technologies

ComTrue Technologies provides artificial intelligence solutions and information security solutions.

Celestya

Celestya

Celestya is dedicated to providing the most advanced and cost effective systems for human behavior education on cybersecurity awareness training.

Fox-IT

Fox-IT

Fox-IT prevents, solves and mitigates the most serious cyber threats with smart solutions for governmental bodies, defense, law enforcement, critical infrastructure, banking and large enterprises.

SynerComm

SynerComm

SynerComm is an IT solution provider specializing in network and security infrastructure, enterprise mobility, remote access, wireless solutions, audit, pentesting and information assurance.

H3Secure

H3Secure

H3 Secure focuses on Secure Data Erasure Solutions, Mobile Device Diagnostics and Information Technology Security Consulting.

Thomsen Trampedach

Thomsen Trampedach

Thomsen Trampedach offers a tailored-made brand protection solution to each customer using a proprietary enforcement automation and reporting tool and a multilingual enforcement team.

Gorodissky IP Security

Gorodissky IP Security

Gorodissky IP Security is a comprehensive approach to protecting your intellectual property on the Internet and beyond.

TrustGrid

TrustGrid

Trustgrid is a pioneer and leader in secure, cloud-native software-defined connectivity.

Midwest Cyber Security Alliance (MCSA)

Midwest Cyber Security Alliance (MCSA)

Midwest Cyber Security Alliance is a nonprofit, nonpartisan collaboration of individuals, businesses, government entities, and professionals advocating for more effective cyber security solutions.

MyKRIS Asia

MyKRIS Asia

MyKRIS specialise in providing and managing Internet network services and cyber security services to enterprises.

PatchAdvisor

PatchAdvisor

PatchAdvisor core services include Vulnerability Assessments/Penetration Testing, Application Vulnerability Assessments, and Incident Response.

Cura Technology

Cura Technology

Cura Technology offers a wide array of security solutions meticulously designed to address specific facets of your security requirements.

Argenta Talent Acquisition

Argenta Talent Acquisition

Argenta Talent Acquisition is a recruitment partner specializing in Space and Defense, Intelligence Community, all things Technical, Cyber, and Logistics.

SOCRadar

SOCRadar

SOCRadar is an Extended Threat Intelligence (XTI) SaaS platform that combines External Attack Surface Management (EASM), Digital Risk Protection Services (DRPS), and Cyber Threat Intelligence (CTI).

Neptune Shield

Neptune Shield

Neptune Shield's mission is to deliver cutting edge Maritime focused Cyber Security & Threat Protection through our Hampton Roads based Tech & Cyber Security Hub.