The Secure ID Coalition Calls on OPM to Fully Implement Authentication Security Requirements Following the Newly Revealed Data Breach

On June 4, 2015, the Office of Personnel Management (OPM) revealed it was the victim of a massive data breach that included the personal information of approximately four million current and former federal employees. The attack is only the latest in a series of major security failures at the agency, demonstrating the need to more fully implement existing information security regulations and take additional steps to restore public confidence in government.

OPM essentially functions as the federal government’s human resources department, making it a hot target for hackers: it maintains records that include sensitive information on the overwhelming majority of federal employees. The breach leaves federal employees highly vulnerable, and hackers and identity thieves can now combine the stolen personal information with information widely available online to open fake financial accounts, impersonate victims and sell their information as an identity profile. Additionally, as security strategist John Schindler notes, the breached OPM data represents a “Holy Grail” for foreign intelligence services, since they can potentially use the unflattering personal information to influence or blackmail federal employees holding security clearances into revealing classified information.

What makes the announcement even worse is that OPM, an organization touching virtually every other federal agency, has a documented history of cybersecurity weaknesses. For example, last November OPM’s inspector general published a report that cited “material weaknesses” in the agency’s information security practices, and went so far as to argue for temporarily shutting down two database systems because their security flaws “could potentially have national security implications.”

Moreover, the November 2014 IG report found that OPM still fails to secure all of its workstations with personal identity verification (PIV) authentication, an important security measure put in place after 9/11. HSPD-12 is a 2004 presidential directive requiring all agencies to issue secure smart cards to access federal buildings and networks. OMB memorandum M-11-11, issued in February 2011, further enforces HSPD-12 and requires multifactor authentication to access IT systems across the executive branch by the beginning of FY 2012. The same IG report bluntly noted that “none of the agency’s 47 major applications require PIV authentication,” a critical security tool.

This is not the first time OPM suffered a major data breach. Last December, the agency notified over 48,000 employees that their personal information might have been exposed due to a compromised computer network at KeyPoint Government Solutions, a major provider of background check services for the federal government. Furthermore, hackers infiltrated OPM’s own databases in March 2014, accessing records related to tens of thousands of employees who had applied for top-secret security clearances.

So where do we go from here?

For starters, OPM and other federal entities must move to fully comply with HSPD-12. This means (1) issuing PIV cards to the remaining federal employees and contractors who lack them, and (2) requiring the cards to access agency networks and all major applications. Today, according to former White House cybersecurity coordinator Howard Schmidt, more than 11 years after HSPD-12 was signed, only 70 percent of federal employees possess PIV cards, and if the Department of Defense is excluded, that number drops to 40 percent. Additionally, 16 federal agencies, including OPM, still allow most employees to access their networks without the authentication security of the PIV smart card.

Rigorous authentication of federal employees matters because it is the first step in keeping malicious actors off the federal networks, much like locking your front door at home. And while it won’t solve every cybersecurity vulnerability, it provides network administrators and cybersecurity personnel with a high degree of confidence that individuals accessing networks are who they say they are.

We deserve more from our government, and we should expect as much. As President Obama stated this week at the G-7 conference in Germany, “This problem is not going to go away — it's going to accelerate.” The American public risks sliding into a dangerous new normal, where hacks and the loss of digital, personal identity information are not only expected but tolerated. It is up to us to hold government accountable when programs are not fully implemented and policies leave us vulnerable. Indeed, if we can’t expect government to protect its own employees, how can we expect it to protect us as citizens?
