U.S. personnel management hack
preventable, congressional probe finds
[September 07, 2016]
By Dustin Volz
WASHINGTON (Reuters) - The U.S. Office of
Personnel Management (OPM) did not follow rudimentary cyber security
recommendations that could have mitigated or even prevented major
attacks that compromised sensitive data belonging to more than 22
million people, a congressional investigation being released on
Wednesday has found.
Two breaches at the federal agency detected in 2014 and 2015 were made
worse by lax security culture and ineffective leadership, which failed
to harness available tools that could have stopped or limited the
intrusions, according to the report from the Republicans on the U.S.
House of Representatives’ Committee on Oversight and Government Reform,
a copy of which was seen by Reuters.
“The OPM data breach and the resulting generational national security
consequences cannot happen again,” said Republican Representative Jason
Chaffetz, the committee’s chairman, in the report.
The investigation faulted OPM - which manages employment matters for the
federal government, including background checks for most agencies - for
not moving more quickly to address early signs of an attack, allowing
hackers to later siphon off reams of personnel data.
It also said OPM ignored repeated inspector general reports dating back
to 2005 that warned of cyber security shortcomings.
Representative Elijah Cummings, the top Democrat on the oversight panel,
rejected the report’s findings in a memo to other Democrats. He claimed
the report had factual deficiencies and did not account for mistakes
made by federal contractors.
U.S. intelligence officials have linked the Chinese government to both
OPM breaches, an accusation Beijing has denied.
Though the Republican report credits OPM with improving its cyber
security over the past year, it also includes suggestions for the
federal government to address vulnerabilities.
A lock icon, signifying an encrypted Internet connection, is seen on
an Internet Explorer browser in a photo illustration in Paris April
15, 2014. REUTERS/Mal Langsdon
They include longer retention of qualified chief information
officers, reduction of the use of social security numbers, and a
"zero trust model" of information security that enforces strict
controls on what data users inside a network can access.
In a blog post set to be published on Wednesday, Beth Cobert, acting
director of OPM, said she disagreed with aspects of the
congressional investigation, which "does not fully reflect where
this agency stands today."
OPM has achieved “significant progress” over the past year to
improve cyber security, including requirements for multi-factor
authentication, modernized information technology infrastructure, a
new senior cyber security adviser, and the formation of a new
organization responsible for background checks on employees and
contractors, Cobert said in the blog post, a copy of which was seen
by Reuters before publication.
That new entity, the National Background Investigations Bureau, is
intended to replace OPM’s Federal Investigative Services. It will
have its information systems handled by the Pentagon and is expected
to be operational by Oct. 1.
(Reporting by Dustin Volz; Editing by Bill Rigby)
[© 2016 Thomson Reuters. All rights
reserved.]
Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.