The legacy computer systems at the Office of Personnel Management were too old and creaky to use encryption or sufficiently protect data. That argument surfaced in a House Oversight and Government Reform Committee hearing, but there are plenty of other security issues to take the blame.
The OPM said June 4 that 4 million individuals had their personally identifiable information compromised. OPM's data center is housed by the U.S. Department of the Interior. Officials don't know the full extent of the breach yet.
Rest assured that heads will roll over the cyber attacks, which have been blamed on China. But the role of creaky systems is worth pondering.
At the House hearing, Katherine Archuleta, director of the OPM, said:
When I was sworn in I said that I would develop an IT strategic plan in my first 100 days and delivered on that promise in February 2014. I immediately became aware of security vulnerabilities in the agency's aging legacy systems and I made the modernization and security of our network and its systems one of my top priorities.
Archuleta said that the OPM sees 10 million confirmed intrusion attempts a month and will see more. The OPM has shored up its network monitoring, logging and firewalls. The catch is that the systems being protected are too old and vulnerable.
The lack of investment has left the OPM vulnerable. "I want to emphasize that cyber security issues that the Government is facing is a problem that has been decades in the making, due to a lack of investment in federal IT systems and a lack of efforts in both the public and private sectors to secure our internet infrastructure," said Archuleta.
The legacy system storyline is valid, but only goes so far. Yes, the government agencies need more funding for cyber security, but the to-do list is long. Among the key weak spots cited in the testimony given on Tuesday.
- Talent. Sylvia Burns, CIO, for the Department of the Interior, said talent and cyber security expertise is critical. Burns said the long-term plan is to strengthen the department's security and privacy workforce. Here's the rub: Cyber security experts can make better money elsewhere.
- Network design. All of the execs in the hearing said they were designing new networks that can be segmented and carved off in an attack.
- A security focus. While the folks giving testimony noted security monitoring, the between the lines reading is that cyber security wasn't a primary focus. That reality isn't surprising since most entities---public and private---don't get serious about cyber security until after they are hacked, exposed and take a public beating.
- Collaboration. The OPM is now working well with the Department of Homeland Security, which is piecing together the cyber attack via a system called EINSTEIN. The public and private sector will need to collaborate more.
- The bad guys are well funded. It's highly likely that the cyber attackers---whether state or non-state actors---are going to have more technology and funding than the Feds.
When you add up those moving parts and glaring holes, it's obvious that legacy systems are just one issue among many. The only real takeaway from the hearing on Tuesday is that the attacks will continue on the Federal government systems and probably accelerate.