I am still reading the report of the House Oversight Committee on the loss of security clearance data from OPM. Having the Chinese get access to security clearance data was the most significant theft of data, on a par with the undermining of SWIFT and the central bank of Bangladesh. It is difficult to read for any person with extensive government security experience because it brings back a flood of bad memories. What is obvious to all reading this report is how important it is for government leaders to cover up incidents rather than do what should be done to protect the data. "Make me look good" is more important than doing the right thing.
In 2014 I was preparing for a speech on China and its theft of data. I went back to the Inspector General (IG) reports issued on the systems in OPM and found other reports going back to 2012 that were equally illuminating. OPM did not know how to secure its systems and didn't listen to its own IG about how to implement some of these basic security mechanisms. I have a few examples listed below that illustrate the point:
1. There was no two-factor authentication on critical systems. This was a mandated requirement that was not implemented, probably because someone said it was "an unfunded requirement". We used to hear that often. We don't do it because we don't have the money. One of my bosses once said the inability to do what is required is a management resource problem, not a security problem. Get the money and get it fixed.
2. Some systems (23) were not accredited, meaning the senior leaders had not accepted the risk of operating them with the deficiencies they identified. This is an old management trick - don't acknowledge the risk so you can later say you didn't know about it, or the full extent of it. Policy should establish a penalty for managers who don't acknowledge risk and ignore it. We did the same thing for Boards of Directors, so it can be done.
3. They had no equipment inventories on their systems, nor did they map their networks to establish where their equipment was.
4. They had no aggregated audit or intrusion detection capabilities.
5. There was little to no remediation of identified deficiencies. In other words, they identified things that needed to be corrected, but had no plan to correct them.
So, once a hacker got in, the likelihood of ever finding him was slim to none. What basic security programs require could not be done there, even by people who might have been motivated to do those things. They had a fragmented security program that wasn't integrated at the top with a CSO. When things finally started to come apart, top management tried to cover it up. This is when they get to find out that there are people working for them who put their country over the reputation of some of the leadership. We can't have leadership that puts itself above the needs of the people paying their tax dollars to our government. We have a right to expect better.