As news breaks that a second breach at the federal Office of Personnel Management (OPM) may have exposed another set of data, potentially more valuable than that accessed during the first, Philip Lieberman, President of privileged identity management specialists Lieberman Software, has been talking about what went wrong. Here's what he had to say on the matter:
The apparent US Government policy with regard to the protection of commercial enterprises attacked by nation states and others has been benign neglect (perhaps a shoulder to cry on). Current law and government policy forbid commercial enterprises to take any action against the attacker and require them to handle the matter via the rule of law and in the appropriate jurisdiction. Since there has been little to no recourse possible, commercial enterprises have been attacked and damaged with little government assistance. We are told to build better walls and operate in a defensive mode even though both our government and the governments of others have cyber weapons against which commercial enterprises have no effective defence. Using technologies such as air gaps, segmented networks, encryption and privileged identity management can reduce the damage and scope of damage caused by these weapons. So there is no real defence, only the concept of acceptable loss.
On the other hand, the US Government has been clear that an attack on its citizens and systems would result in a severe response directed by the government itself (which is well within its power and rights). However, there are two issues to review: first, the government agency OPM did not implement appropriate controls in line with the sensitivity of the data it was managing, and did not implement even basic controls to limit the amount of damage to an acceptable loss. Second, there will be an inevitable consequence for the intruder, but unfortunately, a bell cannot be unrung and even with retribution, the information about the government employees is now out in the wild and in the hands of an entity that could cause a great deal of grief for the entire country.
It is a tragedy that the Executive Branch as well as NIST and NSA have been preaching the gospel of security by design, segmentation of data and control, proper identity management, as well as effective monitoring. Here with OPM we have an agency entrusted with the defence of its government employees ignoring the guidance given by the government as well as failing to implement off-the-shelf technologies that are common in the commercial realm. A fix for the problem was a phone call away to virtually any of the defence contractors in the Beltway who have been dealing with these types of attacks for decades.
Unfortunately, this problem now falls on the President as Commander in Chief as to an appropriate response. Unfortunately, there is no response that undoes the consequences of the exploit and there is no consequence appropriate to the action taken by this nation state. The President can drop the hammer on the entire Federal Government and the legislature can now mandate appropriate changes for the Federal Government to minimize the chance of a repeat of this scenario.
The statements by the Federal unions are a good sign that they too are ready to allow the implementation of appropriate technologies for privileged access and identity management, auditing, and a change in job rules to allow the Federal Government to operate in a secure manner appropriate to the threats of this day and age.
At its core, this was not so much a problem of technology as it was a lack of process and systems design, a lack of external oversight such as the use of penetration testing and red/blue team war games to check and repair weaknesses, as well as a lack of technology and cyber defence staff to automatically stop the attack or, at worst, minimize the consequence.
In every tragedy there is an opportunity to create a better future. As the Commander in Chief, the President will now need to deal with serious threats from the outside and serious weaknesses within his own government. I hope that the legislature backs him as well as the unions to change the government so that there will not be a repeat of this scenario (or at least make future attacks less effective).