The biggest misstep in the breach of Office of Personnel Management networks was not the failure to block the initial breach but the lack of encryption, detection and other safeguards that should have prevented intruders from obtaining any useful information.
The data stolen in the massive OPM breach was not protected by practices like data masking, redaction and encryption — all of which should become the norm, rather than the exception, Rep. Elijah Cummings, D-Md., said during a hearing held by the House Committee on Oversight and Government Reform.
"We cannot rely primarily on keeping the attackers out. We need to operate with the assumption that the attackers are already inside," he noted.
But OPM CIO Donna Seymour pointed to aging systems as the primary obstacle to putting such protections in place for certain systems, despite having the encryption tools on hand. As a result, data on at least 4.2 million current and former federal employees was compromised from one database and an untold number of background investigations were exposed in another.
"A lot of our systems are aged," said Seymour. "Implementing some of these tools take time and some of them we cannot even implement in our current environment."
Not all experts agree. Kurt Rohloff, associate professor at the New Jersey Institute of Technology and director of the NJIT Cybersecurity Center questioned the claim that legacy systems can't support encryption.
"The statement that legacy systems cannot encrypt may not be completely true," Rohloff said. "It may be very expensive to integrate encryption technologies with legacy systems but it is generally possible."
OPM is currently "building a new architecture, a modern architecture that allows us to implement additional security features," Seymour said, stating it is on schedule to be deployed this fall. Once that architecture is in place, the agency will be able to employ stronger data protection schemes, she said.
Even if the information had been encrypted, that might not have been enough to stop attackers from getting usable data from this intrusion, OPM Director Katherine Archuleta told the committee, asking DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment to explain further.
"If an adversary has the credentials of a user on the network, then they can access data even if it's encrypted, just as the users on the network have to access data, and that did occur in this case," Ozment said. "So encryption in this instance would not have protected this data."
The only way to prevent malicious actors from obtaining useful data in this case would have been timely detection of the intrusion.
"It's basically impossible for a target of any real size to be perfect across that whole exposed area," said Richard Bejtlich, chief security strategist at FireEye and nonresidential senior fellow at the Brookings Institution. "When the intruder gets that first foothold, somebody has to notice and then react to contain the intruder before he can accomplish his mission."
Despite the speed of computer processing, it still can take hours, days, maybe even weeks for bad actors to find their way around a system and effectively exfiltrate the data.
"If at any point during that timeline you notice they got in … and you contain them, then you win, Bejtlich added. "That's the difference between a breach where something catastrophic happens and unauthorized access, which is just getting that initial foothold."
Slideshow: Federal data intrusions of 2015
OPM was part of a second set of task orders on DHS's Continuous Diagnostics and Mitigation (CDM) program, which gives agency's the tools to track all the assets on their networks and detect anomalies. This functionality, coupled with identity and access management tools slated for the next phase of CDM, could have helped OPM spot the intruders.
Even if the hackers had valid credentials, if they were used from an unusual IP or were discovered accessing information in a database that user should not be in, OPM security officials could have seen something was amiss.
Unfortunately, the first phase of CDM implementation won't be finished until later this year and solicitations for the second phase are slated for this summer.
"No single system will solve this problem," Ozment said. "We do need a defense-in-depth strategy."