Sen. Tom Carper points to recent hacking incident as a sign of the urgent need to update laws. (James J. Lee / Army Times)
As investigators probe a March cyber attack on sensitive federal personnel databases, some experts and policy makers are calling for more clarity over who is responsible for protecting federal networks from cyber threats.
Federal officials have not yet concluded whether the breach, alleged to have originated in China, extracted sensitive financial and personal data on people who received or are awaiting federal security clearances. The attack targeted networks of the Office of Personnel Management.
The attack, first reported by the New York Times, allowed access to the e-QIP system, the automated data system for security clearance investigation information, and is being investigated by OPM, the U.S. Computer Emergency Readiness Team, and other elements of the Department of Homeland Security.
Rep. Michael McCual, R-Texas, chairman of the House Homeland Security Committee, said he applauds OPM and DHS for their response to the attack but called on Congress to streamline and enhance the government’s cybersecurity defenses and empower DHS to assume a leading role in defending federal networks. Specifically, McCaul said Congress needs to better clarify DHS’s role so the agency can more quickly detect, mitigate and respond to cyber intrusions.
Sen. Tom Carper, D-Del., chairman of the Homeland Security and Governmental Affairs Committee, said it is critical for Congress to modernize what he said were outdated cybersecurity laws in order to help prevent attacks on critical systems in the future.
Mark Weatherford, former deputy undersecretary for cybersecurity at DHS and consultant at the Chertoff Group, said he agrees. The attack on OPM exposes the problem that no single agency has authority and the ability to manage all government cybersecurity efforts.
“There is no overarching authority that allows DHS to have that kind of insight and visibility across the federal government spectrum,” Weatherford said.
He said Congress needs to step in to enhance DHS’s role because otherwise federal managers will resist allowing an outside agency oversee their cybersecurity efforts.
Weatherford added that agencies have also been slow to adopt tools that can continuously monitor in real-time their networks for vulnerabilities and attacks and mitigate vulnerabilities as they arise.
Weatherford said Congress must clearly establish DHS’s authority to actively monitor and protect agency IT networks, fully fund efforts to adequately protect those networks, and pro-actively solve administrative problems as they arise.
“I think the legislature has almost been negligent and asleep at the wheel. They take great pleasure in bringing people up to the Hill to berate them after a big incident, but they aren’t doing anything to help anyone,” Weatherford said.
OPM and DHS were made aware of the attack through monitoring systems and acted immediately to stop it, according to an OPM spokeswoman. So far the agencies have not identified any loss of personal information.
“We continue to exercise the utmost vigilance in monitoring for potential threats and protecting our information and systems. A multiagency investigation into the attempted breach is ongoing,” the spokeswoman said.
Neither OPM nor DHS would share further details about the attack, their response to the attack or the number of employees who had data in the OPM system.
Traffic to the e-QIP system travels through trusted Internet connections maintained by DHS, which continually monitors that traffic to detect cyber attacks.
A congressional staffer familiar with the ongoing investigation said that, while investigators have not yet found evidence that information was taken, it does not mean that it was not and the administration has yet to issue a blanket denial.
The information contained in the security clearance investigation forms amounts to “a total confession to the government of anything that might be held against it” and would be extremely valuable to foreign adversaries, according to the staffer.
He said that, while it’s too early to know what happened, blame is shared by DHS for not being able to prevent the attack and by OPM for not fully complying with cybersecurity guidelines laid out by Congress.
“Something is obviously not working. I think there are some questions that need to be answered,” the staffer said.
He said the administration should not only worry about whether any information was taken, but whether any data was altered or added. Investigators will need to identify and resolve the vulnerabilities the attackers were able to exploit, he said.
OPM was only 83 percent compliant in fiscal 2013 with Federal Information Security Management Act information security guidelines, according to a May 1 report by the Office of Management and Budget. That was an improvement over the 77 reported in 2012, but OPM still came in at 11 out of 24 agencies ranked by compliance.
OPM spent $7 million in fiscal 2013 on preventing malicious cyber activity and detecting and mitigating intrusions — ranking it 23 out of 24 in spending, after the Small Business Administration.
The security protocols for accessing e-QIP are standard, including 128-bit encryption, combined with transport layer security. Only people who have active investigations can log in to the system, and they must answer a set of unique questions, according to OPM.
The system processes data from the “Standard Form 86, an extensive 124-page questionnaire that collects a wide variety of sensitive information from people applying for national security positions, including Social Security numbers, past employers and residences, passport numbers, financial information, past drug and alcohol use, histories of mental or emotional illnesses, details about relatives and associations with foreign nationals.
That information can be used to steal identities or compromise people applying for clearances, according to Trey Hodgkins, senior vice president at the Information Technology Alliance for Public Sector.
“Clearance vetting is a process that includes very personal and confidential information, so a breach could be very damaging,” Hodgkins said.