A group of government officials gave sparse details to a House committee Wednesday on the lessons learned from the data breach that affected the Office of Personnel Management last year.
Before the House Committee on Oversight and Government Reform, federal Chief Information Officer Tony Scott, OPM CIO Donna Seymour, and officials from the Government Accountability Office and Congressional Research Service spoke on how the government’s cybersecurity policies have evolved in the wake of an attack that exposed personal information of more than 27,000 federal employees.
Last August, Falls Church, Virginia-based USIS said a state-sponsored attack exposed information from a network used to conduct background checks on prospective government employees. OPM, along with the Department of Homeland Security and the FBI, conducted an investigation after the hack and ended its contract with USIS in September.
Seymour said the investigation that followed the hack allowed OPM to strengthen contract clauses in order to better define what’s required from third-party contractors and what all sides of a contract are responsible for when it comes to network security.
When asked by Rep. Elijah Cummings, D-Md., what parts of OPM’s network were compromised, Seymour said it’s tough to tell because USIS only allowed access to two sections of the company’s network used on the contract.
“It’s difficult because of the way the network was architected,” Seymour told Cummings. “If you asked me to physically secure an apartment building, but you only allow me into two apartments, I can’t tell you how secure the building is. We were not able to go to the boundaries of the network.”
USIS did not respond to Cummings’ request to attend the hearing.
Other committee members used the OPM hack to highlight the growing number of attacks the federal government faces, questioning how Scott plans to make sure agencies are following the best practices under the recently passed Federal Information Security Management Act and Federal Information Technology Acquisition Reform Act provisions.
Scott said he is working with OMB and the CIO Council to issue updated guidance to agencies in the next few months but called cybersecurity a “moving target.”
“What was satisfactory even two to three years ago is table stakes now on where you get started,” Scott said. “I think it’s important to recognize that will likely continue to be the case.”
Gregory Wilshusen, GAO’s director of information security issues, said the government has had opportunities to improve on this work by listening to the office’s recommendations for protecting federal systems, adding that “safeguarding computers is a continuing concern.”
“Cyber adversaries have a variety of tools and techniques to perpetrate attacks,” he said in his opening statement. “Federal systems remain at increased and unnecessary risks for exposure and loss.”
But even as Scott reiterated his focus on FISMA and FITARA, he admitted the talent needed to see these policies through is in short supply.
“It’s not just a problem for the federal government,” Scott said. “In my last role, it took nearly six months to find a CISO that we wanted. It was the most exhausting, time-consuming search I’ve done in my professional career. It’s a challenge broader than the federal government.”
But beyond talent, the committee stressed that the cybersecurity policies the nation sets forth will only work if staff stays abreast of the changing landscapes of digital threats.
“The best security policies in the world will amount to a hill of beans if an organization’s culture does not translate good policy into better practice,” Rep. Gerry Connolly, D-Va., said.