“How many of you were burned by OPM?”
*Entire room raises hands without reservation.
In October, Ntrepid Founder and Chief Executive, Richard Helms, joined industry experts in Baltimore for a panel at the 2016 CyberMaryland Conference to dissect the aftermath of the OPM Breach. Helms’ perspective on the subject is supported by his nearly 30 years of experience as a former CIA operations officer, however, Helms prefers to come at the subject of the OPM breach from the perspective of the adversary (in this case, the Chinese government) and explore their intent for the stolen data.
In The Art of War, Sun Tzu says, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.” By looking at the OPM breach through the enemy’s eyes, Helms illuminates three major factors that embody the significance of this breach.
1. The trail of breadcrumbs
It has been shocking to find out what we knew and didn’t do anything about. For years, IG reports were published that explicitly outlined the extent of OPM’s IT problems and weaknesses. This means that essentially, the enemy was given a study guide — a ‘gimme’ — that outlined exactly how to conduct a cyber attack against OPM. Most recently, OPMS’ Inspector General assessed OPM’s compliance with the Federal Information Security Modernization Act and found that over 18 of its information technology systems operate without valid authorizations. In addition, it is reported that OPM has not evaluated contingency plans for most of its IT systems in 2016 and does not require multi-factor authentication prior to awarding system access — which is required by the Office of Management and Budget.
2. The scope of the breach
This was not a point of sale breach that resulted in the loss of credit card information or the maiden name of a victim’s mother. Adversaries walked away from OPM with the full backgrounds of the national security community: social security numbers, medical information, fingerprints, results of polygraphs, and essentially any information the federal population has confidentially disclosed throughout their careers (most of which they likely do not even remember). The realm of information now known to the Chinese is hard for the nation to grasp, as it impacted 7% of the population in ways the other 93% has never been exposed (preparing detailed biographic statements, voluntarily being vigorously investigated and in some cases subjected to regular polygraph examinations).
3. The country’s response
For a breach this massive and this influential, the response from OPM was wildly ineffective. This is not surprising, given the fact that OPM is not technically part of the national security community, and therefore cannot relate to the need for protecting this information. While part of the response was an increase in the nation’s IT budget, most of it was for hardware but this was not a hardware problem, it was a people problem. We had someone with no experience in HR or IT directing OPM, and while it’s never about one person, the fact that this went on for years and years suggests that it’s much bigger problem than it is being treated as. The scope is so big, that if you had the ability to bring people back from the dead to build a dream team I think, you still couldn’t fix it.
So what will the Chinese do with this breadth of knowledge?
One can’t be certain, but Helms imagines they will use the information to improve their analytics and espionage. They will be able to anticipate defense positions, decipher who is worth monitoring, identify individuals within the U.S. that they can potentially exploit, and ultimately give them expanding access across the federal government in ways that are both direct and indirect.
To hear more unique perspectives and thoughts on dealing with the ramifications of the OPM breach, check out the full panel discussion podcast.