The Washington Post

Why OPM should have seen the latest cyberattack coming


Hackers gained access to information of about 4 million current and former federal employees in December, U.S. officials have said. But the agency at the heart of the attack, the Office of Personnel Management, should have seen it coming.

An annual audit of its information security systems released last year showed the agency had major security problems. And it had already suffered a breach thought to target sensitive information about government security clearances.


According to a report by OPM's inspector general's office released in November, the agency couldn't even find all of its equipment.

"OPM does not maintain a comprehensive inventory of servers, databases, and network devices," the audit, which reviewed the agency's operations through September, found.

That could make it a lot harder to keep them safe, experts said. "You can't defend yourselves well if you don't know what systems you have and where your data is," said Richard Bejtlich, chief security strategist at cybersecurity firm FireEye and a Brookings Institution senior fellow. "You won't be able to fend off a basic adversary, let alone an advanced adversary."

The report also noted that eleven "major systems" were operating without the agency certifying they met security standards.

The lapse constituted "a material weakness in the internal control of the agency's IT security program," according to the report. A "core cause" of the authorization delays was that there were "no consequences" for operating without approval.

The 2014 report actually showed an improvement over previous years. Government audits of OPM's information security programs have repeatedly warned about such problems. "We have significant concerns regarding the overall quality of the information security program at OPM," a 2009 IG report said.

The latest report said the agency had made "some improvements" to its security program, although "some problem areas that had improved in past years have resurfaced."

OPM did not immediately respond to requests for comment.

However, the breach disclosed this week was discovered in April after information security improvements were rolled out by OPM earlier this year, according to the agency. "OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks," the agency said in a statement Thursday about the attack, which reportedly targeted an OPM data center housed at the Interior Department.

This is also not the first time OPM has been the victim of a cyberattack. Last year, hackers targeted information about employees filing for security clearances.

Both breaches are thought to be linked to Chinese hackers, according to The Washington Post's Ellen Nakashima. Other attacks on government agencies have also been linked to foreign hackers -- including intrusions into the unclassified e-mail systems at the White House and State Department last year believed to have been carried out by Russian hackers.

The way the government purchases equipment and services is part of the problem, said Scott Montgomery, vice president and chief technology strategist for Intel Security. "Restrictions on acquisition create dramatic drawbacks in the way government can roll out and deploy information technology," he said.

Federal security compliance rules are "equally archaic," he said, and don't match up with the current threats facing government networks. "There are a lot of security controls in government that don't have as much to do with whether a system or agency is secure so much as they're checklists."

FireEye's Bejtlich said government officials focus too much on finding and patching vulnerabilities rather than on identifying breaches. "At the end of the day, whether you are breached or not is important -- not whether you are patched and compliant," he said.

But those struggles are not unique to the public sector, Montgomery said, noting that Target and other major retailers met industry compliance standards when they suffered massive breaches. And across the board, he said, it is difficult to find the right people to deal with the current wave of cybersecurity incidents.

"The pool of trained information security professionals is shallow, and the government needs to invest in tracking down and retaining top-tier talent," he said. "There's just not enough in any organization."

The administration has acknowledged that issue: In May, OPM gave federal agencies approval to go outside of traditional civil service hiring procedures when appointing people to digital positions tied to a planned reboot of government information technology systems.