You might say that the last month has been a bumpy road for Joe Ross, co-founder and president of CSID. His company was chosen to deliver identity protection and fraud prevention to more than 4 million victims of the first Office of Personnel Management hack, only to be raked over the coals for lengthy call center wait times and then forced to defend its services when the Hill and others tried to claim it wasn't delivering on promises.
It's a surreal experience for Ross, who sat down with Federal Times Editor Jill Aitoro to talk about the hack and its implications on the federal workforce.
FEDERAL TIMES: I know CSID provides identity protection, fraud prevention. Does the customer base matter?
It's not necessarily the customer base that matters. It is the risk or the information that was exposed. That is the varying degree.
In this case [for] OPM we have a very broad base coverage. We have credit monitoring. We also monitor criminal court, sex offender and arrest records. We also monitor payday loan activity. Finally, we have a proprietary technology [that] monitors the dark Web — that part of the Internet [where] you and I will never go. It is where identity thieves buy and sell information. As [information] is exchanging hands over the dark Web, our team pulls that in, we put it in a database and we monitor our members and check against that database so we can alert them if we find their email, their Social or a credit card that is being bought or sold.
There has been a lot of talk in terms of the OPM breach stemming from China. Is there any way of knowing whether or not that is the case based on the monitoring that you're doing?
The dark Web — we find a lot of compromises. We found a lot of the credentials that were part of the Adobe breach, and the LinkedIn breach; so if something is exposed on the dark Web, our team has a high probability of finding that information. So far to date, we've seen nothing that indicates any of the OPM information has been compromised.
Would you expect to have found something this early on?
No, and if it truly is a government entity doing it for maybe an espionage-type purpose we most likely won't find that information out there. But what people need to understand is… you transact online, you have multiple apps on your cellphone. Someone is going to compromise a site that you use and your information is out there.
Now let's talk a little bit about what was exposed in the OPM breach.
The first breach was mainly just personnel records of employees, which is name, date of birth, Social and some other information – what you might typically have in a job application. That's why we focus on more than just the credit monitoring, because with that information, you can do other things such as create government IDs, apply for benefits. Now, with individuals doing so much on social media, it is very easy to social engineer. I can take one piece of information about you and then I can go to LinkedIn and I can pull down another piece of information. I can go to Facebook and get another piece of information.
All of what you described seems to link up with what a cyber-criminal would do. What would an adversary, another country, possibly do with that kind of information?
It wouldn't necessarily be to harm you personally. They're not going to go out and open a credit card account. But as you've seen some of the CIA and FBI analysts talk about, they might do the same type of social engineering. So maybe there is a two-factor where they need a password; if they can go out and garner the same information on Facebook, they might be able to use a login credential that was compromised or learn something about you so that maybe they can guess. The key is, what do you do with that information to get to the next level of government information?
If this did stem back to a country like China, should we anticipate more breaches?
I don't know if you'd anticipate more breaches, but if it was a government entity that gathered the knowledge they're going to use it and they're going to figure out how to use it. Breaches are happening. OPM is just one that was in the limelight.
I know the services you're providing to OPM are under the first breach that occurred. Based on your expertise, what are the risk factors for the employees that were exposed in the second breach of about 22 million?
It just gives them another inroad into another government entity. If they have a fingerprint now they can couple that together [with information gained from personnel records and social engineering] to gain access into another agency or another government entity.
What kind of technology is needed for the government agencies to protect the data they have in place that could be exposed as a result of this?
I think the government is really focused now on firewalls and encryption, but you still have the personnel aspect. We can go out and monitor the dark Web and I can tell you I found your username and password, but it is also important for an agency to know that we found your username and password because that username and password [can be used to access] the government networks. These are very smart people. The firewalls and the encryption are very, very important. But you also have to monitor the individuals.
There is just not enough monitoring [to ensure employees] protect these credentials. These are the keys to the kingdom. You have to guard them. You can't frivolously enroll on a social media site with the same username and password you're [using to access] your work emails.
Do you think hackers have already accessed government systems as a result of this?
We know for a fact with OPM but I think there will be others. They are very smart individuals and there is a community of them. It is almost like video games. You hit a level and you go into a forum, and someone tells you how to make it to the next level. Now, when they hit a firewall, they'll exploit it or they'll put that information in a chatroom. All of a sudden there are 100 different people trying to help them get to the next level. They get credibility. It is very hard to keep people out if they really want in.
Is there misinformation out there right now that you think needs to be clarified?
I think there was early on and there are still bits and pieces. In one of Sen. [Mark] Warner's letters, he had some information about constituents [that said] they had the wrong information on the report. A lady mentioned that she had her maiden name on there, and she hadn't used it in 10 years. Someone mentioned that their address was on the sex offender list and they weren't a sex offender. The system is doing what it is supposed to do. We're sending all the information that is out there in the public domain.
We can't determine what is you or not; but it's the monitoring and watching that is important.
The other key thing was the call center. Early on, that was an issue. But keep in mind, this breach is very different. There were 4.2 million people that were affected by the breach but there were tens of millions of people that thought they were affected by the breach. We staffed a call center to service the 4.2 million – we know how many people are impacted, we have a rule of what percentage will call in, we know how long the calls will take and we can staff accordingly. But two to three days into this breach, we realized that the population that thought they were affected were looking for a voice too. They wanted someone to talk to. So we made the decision to open up that call center. Did it create long hold times? Yes. We had hold times over two hours that first week or so but 50 percent were people that were not affected.
Identity theft is a very emotional experience. If you've ever been a victim of it or you think you are, you want answers. That was a conscious decision, it created long hold times but I can tell you right now our hold times are under a minute and so it is under control.
You all supported a contract that I believe was a sole source, done pretty quickly. Any idea whether that is a direction that OPM is going to go?
I don't know anything about that. Just understand in the breach world, contracts are always issued quickly. The goal is when you find you have a problem, you want to engage as quickly as possible and get them a solution in hand. I know people look at that probably compared to a normal government contracting RFP process, and it might seem short. But in the private sector when you're responding to breaches they always go very, very quickly.
If you had to say, who is more at risk, the personnel or federal systems themselves?
I think in this case it truly is government. If it is a government entity [that did this], I don't think the individuals have to worry as much as if it was a Russian Mafia crime group that is out for monetary gain.
What do the agencies have to worry about?
I think agencies have to worry about the same thing the private sector worries about. It is trade secrets, it is IP, it is information that we don't want getting out. It is not just OPM. We need to look much broader. If we're tightening up the security, then we need to look beyond just OPM and ensure the rest of the agencies have those same safeguards in place.