US Government Is Still In Turmoil Over Cyber Defense

Uploaded on 2016-12-05 in NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW

The giant OPM Hack of 2014 reverberates as the US Government finds that it still lacks the fundamentals of a robust cyber-defense.

The White House Office of Personnel Management has recently published a report, which is depressing news for an agency that has been in more-or-less continuous turmoil since a devastating cyber-attack in March 2014. 

That attacks stole the sensitive personal information of some 25 million US government employees, including millions of security clearance files, from the agency files and those of two of its important contractors. The fingerprint data of some 5.6 millions of those employees was also stolen. 

According to a scathing report on the break-in published two months ago by the Republican majority on the House Committee on Oversight and Government Reform, the intelligence value of the theft, carried out from China, “cannot be overstated, nor will it ever be fully known.”  

The report notes that the agency is still suffering from high staff turnover in sensitive info-security jobs and top management, including five Chief Information Officers in three years, as well as longstanding failures to check security controls on computer systems to make sure they are adequate.

It is also lethargic in dealing with a variety of longstanding security weaknesses and has still not taken action on scores of security recommendations laid out in previous Inspector General reports, some made years before the catastrophic hack. 

Among other things, the report notes that only two of the agency’s major computer applications comply with the government’s own standards for verifying user identities, which date back to 2012.

Among the 18 “major” computer systems that have not been given a renewed OK on their security controls, the report notes, are five that are owned by the Chief Information Officer, two that belong to the chief financial officer, and four systems that were inherited by a newly amalgamated National Background Investigation Bureau, a reformed chunk of the bureaucracy that now operates under the Department of Defense.

One of the systems is also owned by the Office of the Inspector General.  Indeed, according to the report, OPM, despite “several initiatives underway,” still lacks a full inventory of its many servers, databases and software, let along the important issue of how they are linked with each other, fundamentals of a robust cyber-defense.

The report drily notes that lack of what it calls a “mature inventory system significantly hinders OPM’s efforts related to oversight, risk management, and securing the agency’s information systems.”

In another section, the document observes that even when OPM scanning turns up less-than-critical weaknesses, the agency does not track the efforts made to correct them, “there is a significantly increased risk that these weaknesses will not be addressed in a timely manner, and that the systems will indefinitely remain susceptible to attack.” 

To fix the problems, or at least address them, the audit report offers up a barrage of 26 recommendations, with notes alongside many of them to show they are repeats of recommendations made years before. 

For its part, the agency management concurs with almost all of them, including new staffing hires and appropriate inventories. It balked slightly, however, at a diffident suggestion that the Director of OPM, currently, Acting Director Beth Colbert, “consider shutting down information systems that do not have a current and valid [security] Authorisation.”   

The agency said it would prefer to make its own “risk-based decision” on whether to keep operating a system without that clearance, then forward it’s evaluation to the OPM head for “ultimate decision.” 

Perhaps that is progress: The Inspector General first made the shut-down suggestion in 2014, the year of the great cyber-theft, without any apparent effect. 

Fox News:      US Navy Personnel Data Breached:  

 After The OPM Hack Security Clearances Will Now Be Done By The Pentagon:

 

 

« On Facebook, Fake US Election News Was More Popular Than Real News
Irish Law Firms Experience 50% Increase In Cyberattacks »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Veridify Security

Veridify Security

Veridify Security (formerly SecureRF), develops and licenses quantum-resistant, public-key security tools for the low-resource processors powering the Internet of Things.

herdProtect

herdProtect

herdProtect is a second line of defense malware scanning platform powered by 68 anti-malware engines in the cloud.

SEWORKS

SEWORKS

SEWORKS provides offensive and defensive app security that ensures mobile and web apps are safe from dangerous hacking threats.

ExpressVPN

ExpressVPN

ExpressVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

Scantist

Scantist

Scantist is a cyber-security spin-off from Nanyang Technological University (Singapore) which leverages its expertise to provide vulnerability management solutions to enterprise clients.

Deepwatch

Deepwatch

The Deepwatch Platform helps organizations reduce risk through early and precise threat detection and remediation.

PAX Momentum

PAX Momentum

PAX Momentum is the Mid-Atlantic’s premier startup accelerator, specializing in cyber, enterprise software, telecom, CleanTech, FinTech, InsureTech, and AI.

Octiga

Octiga

Octiga is an office 365 cloud security provider. It offers Office 365 monitoring, incident response and recovery tools.

SecureOps

SecureOps

SecureOps is transforming the Managed Security Service Provider industry by providing tailored cybersecurity solutions proven to protect organizations from cyberattacks.

SRG Security Resource Group

SRG Security Resource Group

SRG Security Resource Group is a Canadian company dedicated to providing world-class Physical and Cyber Security services.

Intelligent Technical Solutions (ITS)

Intelligent Technical Solutions (ITS)

We help businesses manage their technology. Intelligent Technical Solutions provide you with the right technical solution, so you can get back to running your business.

Vali Cyber

Vali Cyber

Vali Cyber was founded in 2020 with the mission of addressing the specific cybersecurity needs of Linux.

Ermes

Ermes

Ermes – Intelligent Web Protection provides companies with a solution that effectively secures them against web threats.

Fescaro

Fescaro

FESCARO is a trusted cybersecurity partner for global automakers and their partners, helping them transition to software-defined vehicles (SDVs) with tailored automotive software solutions.

Hudson Rock

Hudson Rock

Hudson Rock’s products — Cavalier & Bayonet — are powered by our cybercrime database, composed of millions of machines compromised by Infostealers in global malware spreading campaigns.

Lyvoc

Lyvoc

Lyvoc is a premier cybersecurity integration partner renowned for its expertise in supporting its clients to accelerate and secure their digital transformation.