Last year’s digital breach at the United States Postal Service should have been a wake-up call for other agencies to strengthen their own cyber-security — giving the Office of Personnel Management a chance to spot problems that left it vulnerable to hackers.
The breach of the United States Postal Service last November exposed the personal information of more than 800,000 current and former postal employees, including their Social Security numbers, even though the agency’s security practices complied with the law, a government watchdog recently reported.
More recently, hackers stole personal and other information of more than 21 million present and former civil servants from the federal government’s Central Personnel Data File and other sensitive databases maintained by the Office of Personnel Management.
“Staffing and support for cyber-security functions provided for basic operations and compliance with legal and industry requirements,” the report said. “However, it did not provide for effective operations, including skilled, 24-hour-a-day incident response and analysis, effective vulnerability management or role-based training.”
Like the Postal Service’s, OPM’s breach was caused by problems such as a lack of employee training and the use of outdated software, rather than by technical failures, according to a recent Institute for Critical Infrastructure Technology (ICIT) report.
“Training remains the easiest and best strategy to mitigate adverse effects of the OPM breach such as insider threats, spear phishing emails, social engineering, or future breaches,” the think tank’s report said.
In fact, OPM repeatedly ignored warnings and recommendations from its own inspector general (IG).
“The single most significant recommendation that agencies like OPM could heed is to actually listen to the advice of the inspectors general and do everything within their power to meet or exceed regulatory measures,” the report said.
Ultimately, the poor practices at OPM and the Postal Service boil down to one theme that suggests other federal agencies may also be at risk: cybersecurity laws are too weak.
Current law “never incentivized anyone to have internal security for their systems,” said Shane Tews, a fellow at the American Enterprise Institute. It’s entirely up to federal agencies’ discretion to determine their level of cyber-security, even when their networks house confidential and personal information.
“This has not been a priority level discussion,” Tews said. “There are very limited protocols on how information security should be managed.”
Tews added that other government agencies could have weaknesses similar to the Postal Service’s, since laws don’t define what level of cyber-security is required.
“I think you have no assurance” that agencies can protect personal information, Tews said. “It seems to me the Postal Service breach was a foreshadowing of things to come.”
Postal Service officials were not constantly monitoring their networks for breaches prior to last year’s massive breach, according to the USPS IG.
Likewise, OPM’s head of cyber-security noted the importance of constant surveillance three months before the attacks on his agency were announced.
“Agencies should approach security as if they’ve already been compromised,” OPM Director of Security Operations Jeff Wagner said in a white paper published by the Bethesda chapter of the Armed Forces Communications and Electronics Association on March 11.
One of the attacks on OPM went undetected for more than a year.
The ICIT report noted the hackers that attacked OPM likely used legitimate government credentials to breach the system — an easily correctable problem with modern intruder-alert systems.
The valid credentials could have been obtained through the same methods used to deceive ill-trained employees, like spear phishing.
“These methods are rudimentary and have been the simplest avenue of attack for about two decades,” the report said.
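The article’s point about continuous monitoring and the misuse of valid credentials is easy to state and less obvious to operationalize. The following is an added illustration, not code from the article, ICIT, OPM or USPS: a small detector that reads constructed authentication log lines, builds a per-user baseline of where each account normally logs in from, and flags successful logins that come from a new or external address, fall outside working hours, or arrive in a burst. The log format, usernames, addresses, internal network range, working hours and thresholds are all assumptions chosen for the demonstration.

```python
"""Flag suspicious use of valid credentials in authentication logs.

Added illustration: the log format, hostnames, usernames, addresses,
working hours and thresholds below are constructed assumptions, not data
from OPM, USPS or the reports quoted in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: "<ISO timestamp> <user> <source ip> <outcome>".
# jdoe normally logs in from an internal address during the day; on the
# second day the same valid account is used from an external address at
# 02:00, three times in two minutes.
SAMPLE_LOG = """\
2015-03-02T09:12:44 jdoe 10.20.30.41 success
2015-03-02T09:40:10 jdoe 10.20.30.41 success
2015-03-02T13:05:02 asmith 10.20.31.7 success
2015-03-03T02:17:55 jdoe 203.0.113.58 success
2015-03-03T02:18:30 jdoe 203.0.113.58 success
2015-03-03T02:19:01 jdoe 203.0.113.58 success
2015-03-03T08:55:00 asmith 10.20.31.7 success
"""

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WORK_HOURS = range(7, 20)            # 07:00-19:59 local time (assumption)
BURST_WINDOW = timedelta(minutes=5)  # N logins inside this window is a burst
BURST_COUNT = 3
# Logins before this instant form the baseline; later ones are evaluated.
BASELINE_CUTOFF = datetime(2015, 3, 3)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ipaddress.ip_address(ip), "outcome": outcome})
    return events


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def build_baseline(events, before):
    """Per-user set of source addresses seen in successful logins before `before`."""
    seen = defaultdict(set)
    for e in events:
        if e["outcome"] == "success" and e["ts"] < before:
            seen[e["user"]].add(e["ip"])
    return seen


def detect(events, baseline_cutoff):
    """Return (timestamp, user, ip, reasons) for each suspicious successful login."""
    baseline = build_baseline(events, baseline_cutoff)
    recent = defaultdict(list)   # per-user timestamps inside the burst window
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ts"] < baseline_cutoff or e["outcome"] != "success":
            continue
        reasons = []
        if e["ip"] not in baseline[e["user"]]:
            reasons.append("new source address")
        if not is_internal(e["ip"]):
            reasons.append("external address")
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("outside work hours")
        window = recent[e["user"]]
        window.append(e["ts"])
        while window and e["ts"] - window[0] > BURST_WINDOW:
            window.pop(0)
        if len(window) >= BURST_COUNT:
            reasons.append("burst of logins")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], str(e["ip"]), reasons))
    return alerts


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG), BASELINE_CUTOFF)


if __name__ == "__main__":
    for ts, user, ip, reasons in run_demo():
        print(f"{ts} {user} {ip}: {', '.join(reasons)}")
```

Each login here succeeds with a valid password, so nothing in the authentication result itself distinguishes the intruder from the employee; the signal comes only from comparing the login against that account’s own history and the organisation’s expectations, which is why the article’s sources stress monitoring rather than perimeter controls. A production detector would use a longer baseline, per-user working hours and a real log source, but the structure is the same.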
The IG reported many other cybersecurity flaws at the Postal Service that could be present at other government agencies.
Primarily, Postal Service “leadership had not established a cyber-security culture” and didn’t train employees how to properly protect against hackers, the report said.
The Postal Service also didn’t prioritize its cyber-security budget.
“Without adequate resources, the Postal Service did not have the cyber-security capabilities to prevent, detect or respond to advanced threats,” the report said.
In fact, the agency employed significantly fewer cyber-security employees than is typical in the private sector, according to the IG. Also, the highest salary of a Postal Service cyber-security manager was around $140,000 – about $10,000 less than what regular staff earn in the industry.
The Postal Service also used obsolete software and operating systems, which meant they no longer received security updates.
One example of the outdated software included an “operating system that supports five servers for the Postal Service’s debit and credit card payment processing system,” the report said.