As Congress continues seeking accountability for the data breaches at the Office of Personnel Management, a U.S. House committee this week turned its eyes to the possibility that for the government, this is only the tip of the cyber iceberg.
“Cyber criminals and foreign enemies are working night and day with the latest technology to exploit every vulnerability in our system, while OPM is behind the times and operating apparently at a pace with systems designed for the last century not for the current threat. The United States has some of the world’s best technological minds and resources, yet OPM’s management is failing,” stated Research and Science Subcommittee Chairwoman Barbara Comstock (R-Va.).
“Cybersecurity must be a top priority in every government agency from the top Cabinet official on down,” she added. “We need an aggressive, nimble, and flexible strategy to anticipate, intercept, and stop cyberattacks. Those who are engaging in cyberattacks on our citizens, agencies, and companies – whether they be nation states, adversaries or hacktivists – are a reality we will be living with in the 21st century and we must develop and use all the tools and technology available to thwart them and understand this is an ongoing problem we have to constantly be on top of.”
Comstock questioned whether the nation’s leaders fully recognize the potential casualties of the current “cyberwar” as witnesses from OPM, the National Institute for Standards and Technology (NIST) and the US Government Accountability Office detailed the ways in which government agencies struggle to keep pace with cyber risks.
David Snell, director of federal benefits at the National Active and Retired Federal Employees Association, emphasized that the OPM breach goes beyond endangering financial information and could also have the effect of compromising the safety of government employees by way of blackmail. Military and intelligence secrets crucial to national security could be at risk, he said.
“The recent breaches should be a wake-up call to this country and its leaders about the dangers of cyberterrorism and the critical need to protect our government’s core functions. In preparing for the future, it is necessary for our leaders to properly evaluate how we ended up in this situation yet again,” said Snell. “It also is incumbent on Congress to ensure federal agencies have the necessary resources to ensure a breach of this magnitude does not reoccur. Let’s make sure this isn’t the tip of the iceberg, but rather the last time our federal government has to deal with a cybersecurity breach that threatens the financial security of its employees.”
He added that OPM’s handling of the breaches falls short of expectations as well, with few updates and little notification to the federal employees affected by the second breach.
GAO representative Gregory Wilshusen noted that better cooperation is needed across all federal agencies, adding, “The danger posed by the wide array of cyber threats facing the nation is heightened by weaknesses in the federal government’s approach to protecting its systems and information.”
Dr. Charles Romine of NIST also explained to the committee that there is no simple fix for the government’s issues.
“Establishing a sound security baseline is not the end of security for an agency, just as developing an IT system is not the end of an IT project. NIST provides standards, guidelines and tools for agencies to test and assess their security and then to continuously monitor their implementation and new risks,” said Romine. “This process is essential to ensure the baseline is initially implemented correctly and remains appropriate as technologies, threats, and missions evolve. We stress that the authorization of a system by a management official is an important quality control under FISMA. By authorizing processing in a system, the manager accepts the associated risk. This causes that official to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.”