OPM: Stolen biometric data list grows by 4.5 million

The Office of Personnel Management underestimated the number of people who had their biometric data stolen in this year’s high-profile hack, with an additional 4.5 million people being affected.

In a Wednesday press release, an OPM spokesman said the subset of individuals whose fingerprints have been stolen has increased from approximately 1.1 million to 5.6 million. That number, according to the agency, comes after OPM and the Defense Department identified archived records containing additional fingerprint data that were not previously analyzed.

The agency says the revision does not increase the overall estimate of 21.5 million individuals impacted by the breach.

“An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals,” the release reads.

According to OPM, the ability to misuse fingerprint data is limited. A working group between OPM, DOD, the Department of Homeland Security and the intelligence community has been established to review the potential ways adversaries could misuse fingerprint data now and in the future.

“If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach,” the release reads.

In July, OPM announced that sensitive information, including the Social Security numbers of 21.5 million individuals, was stolen from the agency’s background investigation databases. That total includes 19.7 million individuals who applied for a background investigation and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.

Rep. Darrell Issa, R-Calif., the former chair of the House Committee on Oversight and Government Reform, told FedScoop that it’s “not uncommon for a breach to be revised up,” but wondered how the revision will drive the federal cybersecurity strategy forward.

“We’re not doing it right,” Issa said. “We’re having major breaches and they’re not all Russian or Chinese in nature. So now the question is, have we learned from this breach? And the answer is ‘no.’”

Current House Oversight chair Jason Chaffetz, R-Utah, said in a statement that OPM “has bungled this every step of the way.”

“OPM keeps getting it wrong,” Chaffetz said. “This breach continues to worsen for the 21.5 million Americans affected. I have zero confidence in OPM’s competence and ability to manage this crisis. OPM’s IT management team is not up to the task.”

Earlier this month, OPM and DOD awarded a contract to Portland, Oregon-based ID Experts for identity theft protection, identity monitoring, and data breach response and protection services in the hack’s wake.

The House Committee on Oversight and Government Reform issued a letter Tuesday asking OPM and DOD for more information related to that contract.

The National Treasury Employees Union, the nation’s largest independent federal-employee union, called on OPM to extend lifetime coverage for federal employees.

“This is further evidence that OPM’s proposal to offer credit monitoring and identity theft protections for up to three years is totally inadequate,” NTEU National President Tony Reardon said. “In light of today’s news, I once again urge the administration to provide lifetime coverage.”

White House: Cyber war deal with China a long way off

When President Barack Obama meets with his Chinese counterpart Xi Jinping this week, China’s economic cyber-espionage against U.S. firms will be on the table, but it’s only one element of a vast and complex relationship, White House officials told reporters Tuesday.

Any agreement with Beijing on international cybersecurity norms is a long way off, the officials said, declining to rule out the possibility of punitive measures including sanctions against Chinese companies or officials.

“We believe very strongly that the U.S. and China both have interest in investing in clear international norms as it relates to cyber activity,” said Deputy National Security Adviser Ben Rhodes. “The goal here is you start a common understanding,” he added.

“You have agreed upon principles and as the two largest countries in the world, I think we can lead an effort to develop international norms that govern cyber activity,” Rhodes said.

The New York Times reported earlier this week that the U.S. and China have been negotiating such a deal, under which both countries would agree to forswear cyberattacks against critical infrastructure in peacetime.

“I’m reluctant to raise expectations but it’s a long term goal,” said Dan Kritenbrink, senior director for Asian affairs for the National Security Council. “We’re a long ways from getting there but that certainly is a goal.”

Rhodes said cyberattacks on U.S. businesses will be a “very important part of the agenda and the discussion” during Xi’s visit. U.S. officials distinguish between conventional espionage achieved through cyber-means and the online theft of intellectual property on a massive scale to benefit Chinese companies at the expense of their U.S. competitors.

“We’re working together to try to arrive at common principles that give us greater confidence that China is acting in a manner that does not disadvantage our businesses,” Rhodes said.

Chinese officials have repeatedly denied government involvement in hacking. At a welcoming banquet Tuesday evening in Seattle, Xi said China is a “staunch defender of cybersecurity, but has also been hacked,” and called for anyone responsible for hacking to be brought to justice under international law.

“Commercial cybertheft against government networks are crimes that must be punished in relevance to international treaties,” Xi said. “The international community should work to ensure a peaceful and open cybersecurity space.”

Xi also said he was willing to open a joint dialogue with the U.S. on fighting cybercrime. Chinese and U.S. investigators have already cooperated on a handful of cases, including one involving an online purveyor of child pornography.

Cybersecurity was also a topic of conversation during Xi’s last visit to the U.S., when he met Obama in Sunnylands, California, in 2013. Rhodes admitted that things have soured since then, with attacks continuing to affect American businesses.

“Cyber is an issue where we have not made the progress we have wanted to make,” Rhodes said. “We’ve not seen the types of steps that give our companies greater assurance and we have been very forthright about that.”

In the event that those goals go unfulfilled, Rhodes said the U.S. is prepared to take “punitive measures,” including economic sanctions.

“Sanctions remain a tool and we are prepared if necessary to pursue sanctions if we felt a case that merited that type of punitive action,” he said.

However, Rhodes said the cyber issue is only one in a complicated relationship between the world powers.

“There’s going to be parts of the relationship that are cooperative and parts that are competitive. We welcome the peaceful rise of a prosperous China,” he said. “What we’re not going to do is, because we have significant differences with China, we’re not going to cooperate with them on other issues.”

Shaun Waterman joins FedScoop as editor-in-chief

Shaun Waterman

Dear FedScoop readers,

I am pleased to announce the addition of award-winning veteran journalist Shaun Waterman as FedScoop’s new editor-in-chief.

Waterman will lead FedScoop News into the next phase of its growth, managing and expanding the award-winning team of journalists that produce its website and daily newsletter.

Shaun is a world-class editorial leader with a significant track record of leading, developing and expanding prestigious news organizations. He was the obvious choice as we looked for a seasoned and talented editor-in-chief to continue building upon the momentum of FedScoop News while leveraging new strategies to continue to grow our readership and team.

“FedScoop has built an exceptional brand that is both deeply respected and beloved by the government tech community. I’m excited to be a part of this expanding brand and by the new opportunities that leading FedScoop News offers,” said Waterman. “The chance to work with the talented team here was too good to pass up.”

Shaun comes to FedScoop from POLITICO, where he successfully launched a premium subscription real-time news service covering federal cybersecurity policy. He is an acknowledged expert on technology and national security, a regular presenter at leading conferences like Hacker Halted and the Aspen Security Forum, and author of a major report on the cybersecurity of critical infrastructure for the Center for Strategic and International Studies. Waterman, who has also worked for the BBC and United Press International, is a two-time winner of the Society of Professional Journalists’ “Dateline Washington” award, honoring the best reporting in the nation’s capital.

I am thrilled to welcome Shaun to our leadership team and I am excited to have him at the helm of FedScoop News.

Warm Regards,

Goldy Kamali
Founder and CEO
Scoop News Group
FedScoop//StateScoop//EdScoop

Government’s password-killer launches three new pilot projects

The Commerce Department program designed to help kill off the password has awarded grants to three new pilot projects.

The National Strategy for Trusted Identities in Cyberspace, or NSTIC, already has 15 pilots – each designed to offer more secure alternatives to the much derided but still ubiquitous password and login combination as a way of establishing identity on the Web. The pilots are designed to show the potential benefits of more secure online identities and stimulate a marketplace for better ways of logging on.

The three new pilots announced Monday will each focus on a different use case: state income tax returns, online health information and social networking.

MorphoTrust USA, a Massachusetts-based tech firm, gets just over $1 million to demonstrate how biometrically verified online driver registration processes can be leveraged to protect state taxpayers and prevent refund fraud.

HealthIDx of Alexandria, Virginia, gets more than $800,000 to show how so-called “triple-blind” technology can protect the privacy of users of an online health provider. Users choose a credentialing service that verifies their identity via a third-party ID broker, but neither the credential provider nor the broker knows which medical service users are visiting online and the medical site doesn’t know which credential provider the user has selected.

Finally, Galois Inc. of Portland, Oregon, gets more than $1.8 million to demonstrate how biometric authentication can be used to secure and securely share personal data online.

The 15 existing pilots have dealt with everything from using one-time passwords delivered via SMS to biometric verification via a mobile phone.
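The article does not describe how any of the pilots generate or check their one-time passwords. As an added example (not code from NSTIC or from any pilot), the block below implements HOTP, the counter-based one-time-password algorithm standardized in RFC 4226 that underlies many OTP tokens and apps, together with the server-side checks a verifier needs in practice: a constant-time comparison, a bounded look-ahead window so a user who skipped a code can resynchronize, rejection of replayed codes (the counter only moves forward), and a failed-attempt limit so a six-digit code cannot simply be brute-forced. The RFC’s own test vectors are embedded so the implementation can be checked offline; the `HotpVerifier` class and its parameters are illustrative choices, not something the page or the RFC prescribes.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled secret (illustrative design).

    - window: how many counters ahead of the expected one are accepted,
      so a user who generated but never submitted a code can resync.
    - max_failures: consecutive wrong submissions before the secret is
      locked; without this a 6-digit code is trivially guessable online.
    """

    def __init__(self, secret: bytes, window: int = 3, max_failures: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value we expect
        self.window = window
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        for c in range(self.counter, self.counter + self.window + 1):
            # compare_digest avoids leaking match position via timing
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1   # burn this and any skipped codes
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


# Test vectors from RFC 4226, Appendix D (secret is the ASCII digits 1..0 twice).
RFC4226_SECRET = b"12345678901234567890"
RFC4226_VECTORS = [
    "755224", "287082", "359152", "969429", "338314",
    "254676", "287922", "162583", "399871", "520489",
]


def rfc_vectors_pass() -> bool:
    """True if hotp() reproduces every published RFC 4226 test vector."""
    return all(
        hotp(RFC4226_SECRET, i) == expected for i, expected in enumerate(RFC4226_VECTORS)
    )


if __name__ == "__main__":
    print("RFC 4226 vectors OK:", rfc_vectors_pass())
    v = HotpVerifier(RFC4226_SECRET)
    print("first use of code 0:", v.verify("755224"))   # accepted
    print("replay of code 0:   ", v.verify("755224"))   # rejected
    print("skip to code 3:     ", v.verify("969429"))   # accepted via window
```

The same verifier structure applies to randomly generated codes sent over SMS, with the counter replaced by a short expiry and a single-use flag; the constant-time comparison, single-use enforcement and attempt limit are the parts that matter for security regardless of how the code reaches the user. Delivery over SMS has its own weaknesses (interception and account takeover at the carrier), which is part of why these pilots were exploring other factors.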

NSTIC has also piloted Connect.gov, a one-stop ID shop that enables users to log on securely to multiple government sites without having to create a different login and password for each of them.

ONC releases final plan for health IT through 2020

The Office of the National Coordinator for Health IT released its final plan Monday for the nation’s development of health IT over the next five years.

The Federal Health IT Strategic Plan 2015-2020 lays out how ONC and other federal agencies plan to use IT to promote health care and wellness in the coming years, particularly through the promotion of interoperable electronic health records.

While IT is the focus of the extensive plan, quality health care is the end goal, Karen DeSalvo, national coordinator for health IT, wrote in an ONC blog post after the plan’s release.

“The Plan’s strategies for achieving this aim focus on making electronic information available so individuals can manage their health, providers can deliver high-quality care to their patients, public health entities and long-term services and supports can improve community health, and scientists and innovators can advance cutting-edge research and solutions,” DeSalvo said in the post, which was cowritten by Gretchen Wyatt, a senior strategy adviser, and Matthew Swain, a senior strategy analyst.

DeSalvo and her colleagues added, “Where the Plan has a broad scope, its implementation has a singular focus: improving the health and well-being of this nation through responsive, collective engagement on health IT and information use.”

This latest document builds on a prior plan from 2011, which focused on laying the foundation for the nation’s health IT infrastructure and on encouraging the adoption of EHRs by hospitals and health care providers.

“This was our opportunity to work with our federal partners and think about a future agenda in which we’re working to improve health well beyond what the health care system can do,” DeSalvo said in December when the draft of the plan was released.

This plan’s scope extends beyond electronic health records, said Seth Sazinski, director of ONC’s Office of Planning, Evaluation, and Analysis.

“One of the key points from a strategic emphasis was about broadening our focus with the plan. So this meant more of a focus on health, including health care, as well as from a technology standpoint looking beyond EHRs to other types of health IT and things like telehealth,” Sazinski said.

Before arriving at the final strategic plan, ONC received feedback from more than 400 people and organizations. The executive summary explains that despite being called the “final” strategic plan, ONC and the federal government will make adjustments if needed, continuing to engage key stakeholders to ensure the nation can take advantage of the developing health IT infrastructure.

Cloud companies to agencies: Help us help you

The chairman of the House Committee on Oversight and Government Reform’s IT subcommittee, along with various cloud computing company representatives, pressed federal agencies to do more to embrace the cloud during a Tuesday field hearing in San Antonio, Texas.

“We deserve a federal government that harnesses innovative solutions such as the cloud to modernize record keeping, improve critical government functions, maximize security, and be wise stewards of our tax dollars,” said Rep. Will Hurd, R-Texas.

Despite the 2010 release of the government’s “cloud first” policy, cloud adoption among federal agencies remains slow, he said.

Echoing the chairman’s comments, witnesses from Amazon Web Services, Rackspace and VMware complained that many government technology executives have balked at moving mission IT onto their services.

“Today, the U.S. government imposes outdated requirements that effectively require U.S. cloud providers — all of which are global corporations — to create separate operating entities that employ only U.S. citizens,” said John Endgates, chief technology officer of Rackspace Technologies, in his prepared testimony. “These requirements raise unnecessary barriers to entry for providers who would otherwise be glad to serve the federal market. And they needlessly raise costs for providers and the government alike.”

Mark Kneidinger, director of Federal Network Resilience for the Department of Homeland Security, said agencies remained worried about ceding the power to control their own hardware and infrastructure.

The concern “is driven by the ability to have a degree of awareness as to the level of security that’s provided at the cloud level, and the visibility the agency has to make sure they are meeting their responsibility for securing their assets,” Kneidinger said.

Endgates said cloud services often have better security than what agencies currently have in place because their technology is updated much faster than what can be done on legacy systems.

“I feel that agencies could take immediate advantage of some of the scale efficiencies of the cloud provider when it comes to security,” he said. “To be a player in the cloud, you have to defend against the most sophisticated attacks on the planet on a regular basis, so you get very good at it.”

Mark Ryland — chief architect for Amazon Web Services’ worldwide public sector — agreed, adding, “Threats don’t exist when it’s updated all the time.”

DHS is working on initiatives that should put CIOs at ease when it comes to cloud security, according to Kneidinger. He said part of the next push of the White House’s Office of Management and Budget cybersecurity sprint is to examine strategies for moving legacy systems to the cloud. DHS is also working with the Federal Risk and Authorization Management Program to establish a “Triple H” (High Confidentiality, High Integrity and High Availability) baseline.

He also said that the Federal IT Acquisition Reform Act will allow CIOs to push for better spending.

“When I was a federal CIO, I only controlled 20 percent of IT spend,” he said. “With FITARA in hand, that’s going to allow the CIO to have oversight of all the IT spend and be able to take a look at how they can move some of the missions support activities into the cloud.”

There is a lot of room for growth in cloud spending. According to a 2014 GAO report, seven major agencies spent only 2 percent of their IT budgets on cloud services, up 1 percentage point from 2012.

IGs hampered by lack of data access, shortage of personnel — report

Federal auditors, faced with evaluating issues like the strength of an agency’s cybersecurity, are struggling to keep pace with a rapidly advancing technological climate, the Association of Government Accountants’ 2015 Inspector General Survey found.

Released Friday by AGA, the member organization for financial professionals in government, and accounting firm Kearney & Company, the report compiles the responses of inspectors general in numerous federal agencies to a 66-question survey on issues like budget, data analytics and IT.

“There is need for a comprehensive reexamination of the audit and reporting requirements placed upon the IGs, with consideration given to providing flexibility as to the frequency of these audit and reporting requirements,” the report states. “It has been a challenging year for the IG community.”

Created in 1978 by the Inspector General Act, the 73 IG offices across the federal government are charged with the independent oversight of their respective agencies, preventing fraud and violations of law as well as ensuring efficiency in all operations. The advent of new considerations like cybersecurity has increased the auditing burden on IG offices and further stretched declining budgets.

According to the survey, many IGs complain that their resources are spread thin as a result of broad audit mandates in the 2014 DATA Act, which requires them to perform general audits, such as conference spending reviews and travel card monitoring, that may not be relevant to their agencies. More than half of IGs reported spending at least 20 percent of their budget on mandatory audits, while 13 percent spent more than 40 percent on them. Opponents of these audits argue that the resources could be better spent elsewhere; more than half of surveyed IGs said they would devote any additional budget to cybersecurity audits.

Another barrier to efficient auditing is a law that restricts IGs from sharing and combining data across offices.

“IGs felt technological advances that enable data analytics on a broad scale were key to more efficient, effective oversight,” the report states. “This type of data analytics enables OIGs to identify anomalies and predict risk areas where fraud may occur.”

The Computer Matching and Privacy Protection Act of 1988 restricts government offices from matching federal data sets they did not collect against their own records without a formal agreement. Although offices can procure certain records across agencies, the process is lengthy and typically prevents IG offices from compiling the combined data sets that could help them identify lawbreakers.

The issue is amplified by falling staff numbers: 45 percent of IGs indicate their offices have shrunk since 2012, while 32 percent have remained stable.

“Declining resources and increased mandates have challenged the IGs’ flexibility to address risks,” the report states.

The report formulates a number of recommendations for IGs to enhance their capabilities, including the stimulation of greater collaboration across the federal IG community as well as the prioritization of budgets. The larger issue at hand, though, is the regulation that IGs perceive as stymieing their operations. The report calls on the federal government to refresh its “one-size-fits-all” approach to auditing and open up avenues for IG offices to access data while simultaneously protecting citizen privacy.

NIST issues draft framework for cyber-physical systems

As the use of the Internet of Things continues to grow, the National Institute of Standards and Technology wants to make sure all of those things work as directed and communicate with one another as seamlessly as possible.

NIST on Friday released its draft framework for cyber-physical systems, intended to help companies creating products for the IoT.

The draft framework outlines common attributes that systems share, regardless of what type of Internet-connected device is being constructed. Whether it’s a wastewater management system, the smart energy grid, or a company controlling its manufacturing infrastructure, NIST wants to make sure those systems interact successfully with the broader cyber-physical system environment.

“Creating a complex device involves a lot of people with varying interests and concerns, from the designers to the engineers to the safety testers,” said David Wollman, who co-chairs NIST’s Cyber-Physical Systems Public Working Group, in a release. “What the framework provides is an organized treatment of these concerns so the [company making products, or other group using the framework] can address and manage them all effectively. It will prompt them to think of concerns they may not be aware of, and support understanding and integration of different [cyber-physical systems].”

In an interview, he told FedScoop that the framework is key to not only cyber-physical systems themselves, but systems within systems that will be built as the technology matures.

“Our goals were to develop a common understanding of cyber-physical systems and be able to understand the uniqueness in order to develop a framework which helps both individual smart domains, like manufacturing or the smart grid, to help systems be developed within those domains, and also to cross the domains, so you could have cyber-physical systems that could function in a much more complicated Internet-worked environment,” he said.

The 213-page document took more than a year to create, with input from a “few hundred members” drawn from the public and private sectors. NIST will be taking comments on the draft over the next 45 days and plans to make a second draft public shortly thereafter.

Wollman said NIST reserved the right for another comment period due to a “very vigorous face-to-face meeting” over the first framework during the summer.

“We actually needed to have a lot of effort over the summer to crystallize some of these comments,” Wollman said. “We only arrived, after the summer, at terminology that people really resonated with.”

Those looking to comment can do so via NIST’s cyber-physical system working group’s website.

House Oversight letter probes OPM on deleted breach data

House lawmakers are demanding more information from the Office of Personnel Management about a network security tool that its makers claim helped detect the huge cyber breach which rocked the federal government over the summer.

In a Sept. 9 letter to acting OPM Director Beth Cobert, House Oversight Committee Chairman Jason Chaffetz said he wants access to information that was reportedly erased from the tool, called CyFIR. He said the data the device held is relevant to the committee’s investigation of the recent breaches to OPM’s networks, which exposed the personal data of millions of federal employees.

“The deletion or loss of that data — intentional or otherwise — would damage the Committee’s effort to determine how and why OPM’s networks were infiltrated,” he writes. Ohio Republican Rep. Mike Turner also signed the letter.

Chaffetz writes that, during a demonstration to OPM officials in April, CyFIR discovered malicious code on the agency’s network, leading to the discovery of the massive breach. OPM held onto the tool during its response to the hack, and vendor CyTech reported that the device’s data storage drive had been wiped when OPM returned it on Aug. 20. OPM has said that its officials knew of the breach before the demonstration of the tool, and that CyFIR did not uncover the hack.

The committee is demanding OPM produce any documents related to the agency’s use of the CyFIR tool, especially those that mention the deletion of data; any information related to what CyFIR found; and all data on the device at the time the drive was wiped.

OPM spokesman Sam Schumach told FedScoop in an email that “OPM has received the committee’s letter and is working to respond in a timely manner.”

White House, tech community mourn Jake Brewer

Political officials, as well as tech and media luminaries, have taken to social media to express their sadness over the death of White House senior adviser Jake Brewer.

President Barack Obama said in a statement he was “heartbroken” after learning that Brewer died in a bicycle accident Saturday in Howard County, Maryland.

“We set out to recruit the best of the best to join their government and help us harness the power of technology and data to innovate new solutions for the 21st century. Simply put, Jake was one of the best,” the statement reads. “Armed with a brilliant mind, a big heart, and an insatiable desire to give back, Jake devoted his life to empowering people and making government work better for them. He worked to give citizens a louder voice in our society. He engaged our striving immigrants. He pushed for more transparency in our democracy. And he sought to expand opportunity for all. I’ve often said that today’s younger generation is smarter, more determined, and more capable of making a difference than I was as a young man. Jake was proof of that.”

Brewer had been serving as an adviser in the White House’s Office of Science and Technology Policy. Previously, he co-founded Define American, a charity that focuses on immigration, and he had worked at Change.org, U.S. Ignite and the Sunlight Foundation.

On Sunday, people took to Twitter to mourn Brewer’s death.

His wife Mary Katharine Ham, editor-at-large for conservative website Hot Air, posted a heartfelt tribute on Instagram.

A memorial education fund in Brewer’s name has been set up on a GoFundMe page.