OPM Breach Review: A Lesson for CISOs

by Al Hartmann

October 14, 2016


An OPM Breach Review

The grim-faced panel are dreading the grilling about to be handed them by irate members of Congress following the disastrous 2015 security breach of the U.S. Government’s Office of Personnel Management (OPM).


Cyber attacks, attributed to the Chinese government, had breached sensitive personnel databases and stolen the data of over 22 million current, former, and prospective U.S. government employees and family members. Stern warnings from the Office of the Inspector General (OIG) to shut down systems lacking a current security authorization (ATO) had been ignored.

Presciently, the OIG specifically warned that failure to shut down the unauthorized systems carried national security implications. Like the Titanic’s doomed captain who maintained flank speed through an iceberg field, the OPM responded,

“We agree that it is important to maintain up-to-date and valid ATO’s for all systems but do not believe that this condition rises to the level of a Material Weakness.”

Additionally, the OPM worried that shutting down those systems would mean a lapse in retirement and employee benefits and paychecks. Given a choice between a security lapse and an operational lapse, the OPM chose to operate insecurely and was pwned.

Then director, Katherine Archuleta (shown above, on panel’s left), resigned her office in July 2015, a day after revealing that the scope of the breach vastly exceeded original damage assessments.


Despite this high value information maintained by OPM, the agency failed to prioritize cybersecurity and adequately secure high value data.

“The OPM Data Breach:  How the Government Jeopardized Our National Security for More than a Generation”
September 7, 2016

What Are the Lessons for CISOs?

Rational CISOs will wish to avoid career immolation in a massive flaming data breach disaster, so let’s quickly review the key lessons from the Congressional report’s executive summary.

Prioritize Cybersecurity Commensurate with Asset Value

Have an effective organizational management structure to implement risk-appropriate IT security policies.  Chronic lack of compliance with security best practices and lagging recommendation implementation timelines are indicators of organizational failure and bureaucratic atherosclerosis. Shake up the organization or prepare your post-breach panel appearance before the inquisitors (see above photo for appropriate facial expressions).

Do Not Tolerate a Lax State of Information Security

Have the necessary monitoring in place to maintain critical situational awareness, and leave no observation gaps. Do not fail to comprehend the scope, extent, or gravity of attack indicators. Assume that if you have identified some attack indicators, there are others you are missing. While OPM was forensically observing one attack avenue, a parallel intrusion went unobserved. When OPM did take action, the attackers learned which intrusion had been detected and which was still succeeding, quite valuable intelligence for the attacker.

Mandate Basic Required Security Tools and Expeditiously Deploy Cutting-Edge Security Tools

OPM was woefully negligent in implementing mandated multi-factor authentication for privileged accounts and failed to deploy available security technology that could have prevented or mitigated exfiltration of its most valuable security background investigation files. Where privileged data or control access is at stake, the phrase “password protected” has been an oxymoron for years: passwords alone are not protection, they are an invitation to compromise. In addition to adequate authentication strength, complete network monitoring and visibility is a prerequisite for preventing sensitive data exfiltration. The Congressional investigation blamed sloppy cyber hygiene and inadequate system traffic visibility for the attackers’ persistent presence in OPM networks.
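To make the visibility point concrete, here is an added illustrative example, not code from this article, from OPM, or from the Congressional report. It runs a simple exfiltration detector over constructed outbound flow records (the hosts, addresses and byte counts are invented for the demonstration): each host gets a baseline from its recent history, any outbound flow to a destination that host has never talked to before is flagged, and the flag is escalated to high severity when the volume dwarfs the host’s normal daily total. The last step correlates alerts by destination across all hosts, which is what surfaces the second, low-volume host talking to the same external address, the kind of parallel activity that goes unnoticed when monitoring is focused on a single host already under investigation.

```python
"""Baseline-and-new-peer exfiltration detector over constructed flow records.

Added example; the flow data below is invented and the thresholds are
assumptions, not figures from the OPM investigation.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not real traffic): (day, source host, destination, bytes out).
FLOWS = [
    # Baseline days: hr-db-01 replicates nightly to an internal backup host,
    # web-proxy-01 talks to one external address, jump-01 to one internal host.
    ("2015-04-01", "hr-db-01", "10.0.5.20", 400_000),
    ("2015-04-02", "hr-db-01", "10.0.5.20", 420_000),
    ("2015-04-03", "hr-db-01", "10.0.5.20", 390_000),
    ("2015-04-01", "web-proxy-01", "203.0.113.10", 9_000_000),
    ("2015-04-02", "web-proxy-01", "203.0.113.10", 8_500_000),
    ("2015-04-03", "web-proxy-01", "203.0.113.10", 9_200_000),
    ("2015-04-01", "jump-01", "10.0.9.4", 50_000),
    ("2015-04-02", "jump-01", "10.0.9.4", 48_000),
    ("2015-04-03", "jump-01", "10.0.9.4", 52_000),
    # Day under review: hr-db-01 pushes 6 GB to a never-seen external host,
    # and jump-01 quietly beacons a small amount to the same external host.
    ("2015-04-04", "hr-db-01", "10.0.5.20", 410_000),
    ("2015-04-04", "hr-db-01", "198.51.100.77", 6_000_000_000),
    ("2015-04-04", "web-proxy-01", "203.0.113.10", 9_100_000),
    ("2015-04-04", "jump-01", "10.0.9.4", 51_000),
    ("2015-04-04", "jump-01", "198.51.100.77", 20_000),
]

HISTORY_DAYS = {"2015-04-01", "2015-04-02", "2015-04-03"}  # assumed baseline window
REVIEW_DAY = "2015-04-04"


def daily_totals(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def build_baseline(flows, history_days):
    """Return (median daily outbound bytes per host, set of known (host, dst) peers)."""
    history = [f for f in flows if f[0] in history_days]
    per_host = defaultdict(list)
    for (host, _day), nbytes in daily_totals(history).items():
        per_host[host].append(nbytes)
    median_bytes = {host: median(values) for host, values in per_host.items()}
    known_peers = {(host, dst) for _day, host, dst, _nbytes in history}
    return median_bytes, known_peers


def detect(flows, history_days, review_day, volume_factor=10.0):
    """Flag flows on review_day to previously unseen peers; escalate on volume.

    volume_factor is an assumed threshold: a single flow to a new peer that is
    at least this many times the host's median daily total is high severity.
    """
    median_bytes, known_peers = build_baseline(flows, history_days)
    alerts = []
    for day, host, dst, nbytes in flows:
        if day != review_day or (host, dst) in known_peers:
            continue
        base = median_bytes.get(host)
        # A host with no history at all cannot be baselined; treat any new peer as high.
        ratio = nbytes / base if base else float("inf")
        alerts.append({
            "host": host,
            "dst": dst,
            "bytes": nbytes,
            "ratio": round(ratio, 1),
            "severity": "high" if ratio >= volume_factor else "low",
        })
    return alerts


def correlate_by_destination(alerts):
    """Destinations contacted by more than one alerting host, with those hosts."""
    hosts_by_dst = defaultdict(set)
    for alert in alerts:
        hosts_by_dst[alert["dst"]].add(alert["host"])
    return {dst: hosts for dst, hosts in hosts_by_dst.items() if len(hosts) > 1}


if __name__ == "__main__":
    found = detect(FLOWS, HISTORY_DAYS, REVIEW_DAY)
    for alert in found:
        print(alert)
    print("shared destinations:", correlate_by_destination(found))
```

The low-severity beacon from jump-01 would never justify an alarm on its own; it matters only once the destination is correlated across hosts, which requires that every host, not just the one under forensic watch, is in the monitoring scope.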

Do Not Fail to Escalate the Alarm When Your Most Sensitive Data Is Under Attack

In the OPM breach, observed attack activity “should have sounded a high level multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data.” Instead, nothing of consequence was done “until after the agency was severely compromised, and until after the agency’s most sensitive information was lost to nefarious actors.” As a CISO, sound that alarm in time (or practice your panel appearance face).

Finally, don’t let this be said of your enterprise security posture:

The Committee obtained documents and testimony proving OPM’s information security posture was undermined by a woefully unsecure IT environment, internal politics and bureaucracy, and misplaced priorities related to the deployment of security tools that slowed vital security decisions.

In short, “Don’t OPM IT!”