Canada is different from the U.S. in a lot of ways. One of them is that our parliamentary committees, under the control of the government, don’t have anywhere near the power of the independent Congressional committees south of the border.
So private companies here have little chance of being forced to testify and be raked over the coals for security breaches, the way executives from Target were last year before Congress, and the way Katherine Archuleta, director of the U.S. Office of Personnel Management (OPM) was yesterday when she appeared before the House House Committee on Oversight and Government Reform. (You can watch a replay here.)
Too bad. A dose of public whipping might spur some CEOs and boards to put security higher on their priority lists. Archuleta insisted it was when 18 months ago she took over the department, which manages the personnel files of most federal civil servants, and learned of the vulnerabilities in its “aging legacy systems.” “I made the modernization and security of our networks one of our top priorities,” she said. But the OPM has acknowledged discovering two breaches, one of which exposed 4.2 million public records, while the damage by the other hasn’t been calculated yet.
As others have pointed out, these records not only include the usual personal information like dates of birth and social insurance numbers, but may also include sensitive health information.
Committee members weren’t impressed. Even before Archuleta was sworn in committee chair Jason Chaffetz of Utah hauled out several years of security reports from the inspector-general of audits, who regularly pointed out OPM’s security failings. Therefore the breach, Chaffetz said, was “inexcusable,” and OPM was “grossly negligent” for what he said may “the most devastating cyber attack in our nation’s history.”
Then he lit into Archuleta. Why wasn’t the data encrypted? Encryption is a valuable tool and is an industry best practice, she began, and OPM’s cybersecurity framework promotes it. She appeared to start to say that some of her systems are encrypted, when Chaffetz cut her off for reading from a statement. Why didn’t you use it?, he repeated.
“An adversary possessing proper (access) credentials can often dectrypt data,” she replied. “It is not feasible to implement on networks that are too old. The limitations on encryption’s effectiveness is why OPM is taking other steps, such as limiting administrators’ accounts and requiring multi-factor authentication.”
“OK,” Chaffetz replied, “but it didn’t work, so you failed utterly and totally.” As I said, a public whipping.
One committee member tried to ease the pain by getting one of the government witnesses appearing with Archuleta to acknowledge that there is no silver bullet — no one technology that when applied makes an IT system safe. Fair enough. But Archuleta was made to look helpless.
Chaffetz suggested her only choice was accepting the inspector-general’s recommendation that systems be shut down until they were repaired or replaced — which Archuleta implied was impractical for a government department — or leave the door unlocked. OPM hasn’t said publicly yet how the breaches occurred. But Seymour said after the breach was discovered the department has toughened things up, such as mandating two-factor authentication for users remotely accessing systems, installing additional firewalls, reducing number of privledged users and reducing their ability to do certain things. OPM is also installing a new network architecture.
Committee members weren’t the only ones unimpressed with the testimony. Forrester Research security analyst John Kindervag told me this morning that legacy systems can definitely be encrypted (or, as he put it, “you can encrypt anything”). And, he added, as long as key management is kept separate from the data it’s the best protection around. Even if an attacker got a user’s credentials, revoking all keys after the breach is discovered makes the data useless, he said.
“Encryption is the only thing that might help this. We can’t keep layering crap on the network and hope it’s somehow going to stop this. Encryption is definitely the right answer, and just because the OPM can’t figure out how to do it doesn’t mean it’s not a valid answer.”
Here’s the dilemma for CISOs: If for the time breaches being can’t be prevented, is it inevitable your organization looks as if it was defenceless when one happens? One problem, of course, is that the public, customers or shareholders aren’t owed an explanation that includes information attackers could find useful. But they should be told everything short of being heroic was done on IT systems.
Private companies can stonewall reporters and shareholders, whose first question will be “Was the data encrypted?” followed by “Was there an intrusion detection system?” and “Was there a system on the network watching data flowing out of the company, and if so why didn’t it detect something suspicious?”
One lesson, of course, is that after a breach any organization will look bad. It will look worse depending on the answers to pointed questions. At the very least this latest breach shows CISOs that incident response ought to include an explanation that best practices had been followed while systems were being shored up. Archuleta couldn’t say that.