LESSONS LEARNED FOR BUSINESS FROM THE OFFICE OF PERSONNEL MANAGEMENT SECURITY BREACH

On July 9, 2015, the Office of Personnel Management (OPM) announced that more than 21 million Social Security numbers were compromised in the recent security breach the agency suffered. This is in addition to the 4.2 million Social Security numbers compromised as reported in June of this year. The two systems breached were the Electronic Official Personnel Folder (eOPF), an electronic personnel file for federal employees (often referred to by federal employees as “Your Federal Birth Certificate”) that includes compensation, employment actions, retirement plans, work schedules, and personal identifying information of federal employees, and the EPIC database, which contains sensitive information gathered for government employee and contractor investigations. The EPIC database also includes local law enforcement and emergency personnel who may have contact with federal anti-terror “fusion” centers during their activities. Information regarding CIA personnel may not have been affected because it does not use the EPIC system for background investigations and personnel clearance. 

Unnamed sources continue to link both intrusions to China. After testifying before Congress about the breaches and under intense pressure from Congress, OPM’s Management Director Katherine Archuleta resigned on July 10. 

In response to the first attack, the Obama administration ordered a “30-day Cybersecurity Sprint” which requires federal agencies to beef up cybersecurity by conducting penetration tests on their systems, fixing any known vulnerabilities immediately, restrict the number of privileged users who can access privileged information, implement multi-factor authentication procedures, and deploy monitoring systems to detect intrusions. However, many agencies may require more than thirty days to implement one or more of these new practices after years of simply “checking the box” to claim security “compliance” with regulations without really being secure. 

Companies can learn from the security deficiencies at OPM as part of their continual monitoring and evolution of cybersecurity efforts. In particular, as recently as November, 2014, the Office of Inspector General issued another in a string of audit reports which identified numerous vulnerabilities and security protocols at OPM (the report can be found here). Despite these warnings, OPM continued to fail to implement relatively simple cybersecurity measures. The following are some of the deficiencies that were noted in the 2014 audit report:

 OPM had not fully established a risk executive function, and there was no individual accountable for appropriately analyzing and implementing management and/or board approved strategies to minimize the information security risks to the organization. 

Lesson learned: In order to achieve appropriate accountability, and consistent with NIST and ISO standards, companies and federal organizations should designate at least one individual accountable to the organization for assessing and addressing information security risks – this individual should report up to the board, information security committee or other appropriate management on a regular basis or as required during security incidents.

 OPM did not maintain a comprehensive inventory of servers, databases, and network devices. In addition, OIG was unable to independently attest that OPM has a mature vulnerability scanning program. 

Lesson learned: In order to properly implement security controls it is essential that businesses inventory and map all information system components, including the sensitivity of the data stored in and processed by those components.

 Although about 80 percent of OPM’s systems had implemented monitoring technologies to detect a security event, the remaining twenty percent of OPM’s systems and all systems operated by outside contractors did not include such monitoring as required by the Federal Information Security Management Act (FISMA). As a result, OPM was not able to understand the activity on any of its contractor’s networks and only had a limited understanding of the scope of activity occurring on its own networks, potentially further exacerbating the damage due to the breach.

Lesson learned: Intrusion detection or other monitoring tools are an important component of an organization’s cybersecurity protections to detect abnormal activity, minimize the damage due to the breach, and to understand the extent of a breach.

 Access control mechanisms to highly sensitive information did not require two factor authentication. The Office of Management and Budget mandated the use of Personal Identity Verification (PIV) readers as a form of secondary authentication for access to work stations and applications, however the OIG reported that none of OPM’s 47 major applications required the use of such authentication.

Lesson learned: To mitigate the chance of a breach from an attacker simply having a password, companies should use two factor authentication methods whenever possible to protect access to its most sensitive information.

 OPM continued to use outdated IT components that contained known security vulnerabilities. For example, it continued use Adobe’s ColdFusion and JRun Web server applications. The ColdFusion source code was stolen from Adobe, and Adobe dropped the entire JRun product line in 2013, with support ending in 2014. OPM also continued to operate systems based on Microsoft’s Windows XP operating system under a custom support agreement with Microsoft. Some of the core systems used to access some of its most sensitive information have not been updated since they were patched for Y2K. 

Lesson learned: If your hardware or software systems are too old to support modern security techniques, have known vulnerabilities, or are no longer officially supported, update the systems. If you cannot afford to update the systems, consider keeping them off the Internet.

The breaches at OPM illustrate that some federal agencies have failed to adopt an approach to security that includes understanding how attackers may exploit systems in unexpected ways, including the use of trusted white-hat hackers to conduct penetration tests that resemble current actual attacks. An important part or every company’s cybersecurity program should include monitoring current developments in information security, which includes learning from the security mistakes made by others, and taking steps to avoid making those same mistakes. 

TELECOMS’ SETTLEMENT WITH FCC HIGHLIGHTS THE IMPORTANCE OF ENCRYPTION AND VENDOR DUE DILIGENCE 

On July 9, 2015, the Federal Communications Commission (FCC) announced a $3.5 million settlement with TerraCom, Inc. and YourTel America, Inc., resolving an investigation into whether the companies failed to properly protect the confidentiality of personal information they received from more than 300,000 consumers. The FCC’s action and settlement highlight the important roles both encryption and vendor due diligence play in the protection of sensitive personal information, such as Social Security numbers and driver’s license numbers. The case provides useful guidance for all companies – not just those regulated by the FCC.

The FCC’s investigation found that the companies’ vendor stored consumers’ personal information – including names, addresses, Social Security numbers, driver’s licenses, and other sensitive information – on unprotected servers that were accessible over the Internet. The FCC asserted that “the Companies’ choice to store, or its vendor’s choice to store, files containing the PI of customers in a publicly accessible folder on the Internet, without password protection or encryption, is the practical equivalent of having provided no security at all.” This lack of adequate security in turn resulted in a data breach which exposed their customers’ personal information to unauthorized individuals. The lack of encryption played a prominent role in the FCC’s enforcement action. 

The case also demonstrates the importance of vendor due diligence. Had TerraCom and YourTel conducted appropriate due diligence on their vendor, they likely would have discovered the vendor’s lax security practices with respect to encryption of sensitive personal information. Learning from this enforcement action: Companies should ensure that their security practices and the security practices of their vendors include the encryption of all sensitive information such as Social Security numbers and driver’s license numbers. 

INTERNATIONAL SPOTLIGHT: CHINA’S NEW NATIONAL SECURITY LAW AND PROPOSED CYBERSECURITY LAW AIMS TO STRENGTHEN GOVERNMENT’S POWERS

On July 1, 2015, the Chinese government announced that it had enacted a new national security law. The law is a general pronouncement of the importance of national security to the Communist Party, and stresses that security must be maintained in all fields, including culture, education, international waters and cyberspace. The cybersecurity measure is intended to make the Internet, information technologies, infrastructure, and data in key sectors “secure and controllable.”

The law will give the government more power to crack down on actual and perceived security threats, both internal and external. While it remains to be seen exactly how the law will be implemented, it is a signal to western companies that the Chinese government is taking security – including cybersecurity – very seriously, potentially making it even harder for companies to do business in China. 

Following quickly on the heels of the national security law, on July 6, 2015, Chinese lawmakers released a draft of a cybersecurity law that would require Internet service providers to retain user data and cooperate with authorities. A translation of the proposed law can be found here. 

Among other things, the law would elevate the authority given to the Chinese government to crack down on Internet content. In the past, China has frequently taking action to prohibit and limit many types of online content, such as pornography and political discussions. Foreign sites have been blocked, and domestic sites use automated censorship mechanisms as well as staff members to remove posts on forbidden topics. The proposal also includes the ability of the government to restrict Internet access in a particular region to “safeguard the national security, social stability or handle a sudden major incident of concern for social safety.” 

Under the proposed law, Internet service providers must store data collected within China inside Chinese territory. Data stored overseas for business purposes must be government-approved. Network equipment must also be approved under testing standards issued by China's cabinet.

The law would also strengthen the government’s power to oversee data collection and to block private messages that disseminate information prohibited under Chinese law, including those deemed “to promote terrorism, extremism, incitement to subvert state power and overthrow the socialist system.”

As with the national security law, the proposed cybersecurity law is short on details, and it remains to be seen how the law will be implemented and enforced. One aspect of the law, for example, requires the development of safeguards on “critical information infrastructure.” The manner in which this is implemented could have a significant impact on companies looking to do business in China. 

Companies looking to do business in China should keep a close eye on how the national security law and the proposed cybersecurity law (upon its likely passage) are implemented and enforced, as both laws will have a significant impact business dealings in China.