OPM breach: We get exactly the IT security we're willing to pay for
Everyone who's now working for the federal government or has a security clearance may have had their personal records stolen. While obsolete hardware and software weren't the only reasons the Office of Personnel Management (OPM) had its personnel records stolen, it didn't help.
Representative Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, ranted "You failed. You failed utterly and totally," at OPM's management. He also said, this incident "may be the most devastating cyberattack in our nation's history." He continued, "OPM's security policy was akin to leaving its doors and windows unlocked and expecting nothing to be stolen." He's right too.
Chaffetz wants OPM Director Katherine Archuleta and Seymour fired. Doubtlessly some one will be fired, but whom should be kicked out the door?
Let's look more closely. Archuleta claimed that "In February 2014, I immediately became aware of security vulnerabilities in the agency's aging legacy systems and I made the modernization and security of our network and its systems one of my top priorities." She must have been. There's nothing new about this old problem.
Back in the 80s, when I worked as a system administrator, network admin, and programmer for NASA and Naval Sea Systems Command, we were still using gear from the 60s and 70s. For example, when I helped manage NASA Shuttle data communications in the mid-80s one backup connection I monitored was a 1950s telex 110 baud line to the Bermuda tracking station. It always checked out, but I thank God we never had to use it on a mission.
The reason for this wasn't because we felt secure with antique equipment. We didn't. It was that we never had anything like enough Capital expenditures (CAPEX) funding at either NASA or DoD for IT. That's still the case today.
Security
In 2011, the OPM's Federal Data Center Consolidation Initiative (FDCCI) observed that the last major OPM data center update happened in the mid 1990s. In other words, Windows 95 was the hot new desktop when OPM's mainframes were last given a through overhaul.
As you might guess, in 2011 the OPM already realized that "Many critical applications at OPM are hosted on legacy platforms and have not been re- architected in many years. In some cases, documentation of these systems is lacking, making it difficult to estimate time and cost of consolidation."
Why? The OPM's IT deparment "has historically been underfunded, especially on the operations side, making it difficult to make investments in consolidation projects, even when those have positive ROI in later years."
The OPM report shows that the organization was well aware of its problems. Looking ahead, the agency wanted to move to a modern virtualized, cloud-based system, but it was never sufficiently funded.
After the OPM was hacked in March 2014--oh yes this successful attack wasn't the first--Seymour said "Our antiquated technology may have helped us a little bit." It didn't this time. Security by obscurity never works for long.
Fast forward to this year. In the OPM's 2016 budget request, it asked for $32 million more. Archuleta wrote "Most of these funds will be directed towards investments in IT network infrastructure and security. As a proprietor of sensitive data - - including personally identifiable information for 32 million federal employees and retirees -- OPM has an obligation to maintain contemporary and robust cybersecurity controls."
Clearly, OPM long knew they had a major problem on their hands due to their reliance on out-of-date equipment and software. They knew their obsolete IT infrastructure made them more vulnerable to hackers. And, they knew what the answer was. It's just too bad they couldn't get Congress to pay for it.
Congress, which has been mired in partisan politics for years, has been barely able to function at all. For example, Congress barely kept the Department of Homeland Security running earlier this year.
The real culprits behind the OPM hack aren't Archuleta and Seymour They're the scapegoats. The real blame should fall on Congress, which as they showed in the 2013 budget sequestration, refuse to rationally budget for critical government needs.
Without sufficient funding, the OPM might as well tried using stone knives and bear skins to secure its systems. Just because Mr. Spock could work technical miracles on Star Trek with obsolete tech is no reason to think OPM's IT staff could do it in real life.
Related Stories: