OPM officials did nearly everything wrong as far as security goes and then lied about it, House Oversight Committee Republicans said in a final report on the OPM breach.

Photo illustration by Sean Gallagher, based on image by Colin
A report from the Republican majority on the House Oversight and Government Reform Committee published today places blame for the 2014 and 2015 data breaches at the Office of Personnel Management squarely on the OPM’s leadership.

The report finds that the long-time network infiltration that exposed sensitive personal information on about 21.5 million individuals could have been prevented but for “the longstanding failure of OPM’s leadership to implement basic cyber hygiene.”
“Tools were available that could have prevented the breaches, but OPM failed to leverage those tools to mitigate the agency’s extensive responsibilities,” the report concluded.

And the committee’s majority report also asserted that former OPM Chief Information Officer Donna Seymour lied repeatedly during her testimony, misstating how the agency responded to the breach and misleading Congress and the public about the damage done by the attack.

Ars extensively covered the shortfalls in OPM’s security last year.
The House Oversight report reveals that there were two separate extensive breaches. The first began as early as November of 2013, went undiscovered until March 2014, and was finally shut down completely two months later; it allowed attackers to obtain manuals and technical information about the types of data stored in OPM systems.

A second attack began shortly afterward, targeting background investigation data, personnel records, and fingerprint data.

These breaches were determined to be likely conducted by the “Axiom Group” and “Deep Panda,” respectively, two China-based hacking groups alleged to have ties to the Chinese government.

The attacks used a series of domains—some with OPM-related names (opmsecurity.org and opmlearning.org) and registered under the names of Marvel superheroes Tony Stark (Iron Man) and Steve Rogers (Captain America)—to control malware and exfiltrate stolen data.
Ironically, the tool that discovered the ongoing breach, CyFIR from CyTech Services, was never actually purchased by OPM.

Though Seymour told Congress OPM had purchased licenses after a trial in a segregated test network, the tool was actually demonstrated on OPM’s live network, and no licenses were ever purchased. OPM officials returned the trial software after deleting images from OPM’s own incident response—images that included “more than 11,000 files and directories” of forensic data, the report noted.
“Documents and testimony show CyTech provided a service to OPM and OPM did not pay,” the report found, noting that this violated federal law against accepting voluntary services.
The report recommended that federal agencies “must ensure agency CIOs are empowered, accountable, competent, and retained for more than the current average of two years,” and that agencies promptly provide justification to Congress for continuing to use systems when their “authority to operate” (ATO)—the certification that they are operating in compliance with federal information security regulations—lapses.

Eleven of OPM’s systems had been operating without an ATO at the time of the breach, in some cases for more than a year.
The report also recommended that OMB and other federal agencies move toward a “zero trust IT security model” where users on the network are treated with the same level of security as users outside the network and that agencies reduce the use of Social Security numbers in identifying employees to reduce the risk of exposure of personal identifying information.
Reuters reports that Rep. Elijah Cummings (D-Md.), the ranking minority member of the House Oversight Committee, rejected the Republicans’ report, claiming factual deficiencies. Rep. Cummings also said that the errors made by OPM’s contractors were not sufficiently taken into account in the assessment.

Two OPM contractors were involved in breaches of background investigation data.
