House GOP Slams OPM Over 2015 Breach

House of Representatives Republicans have slammed the Office of Personnel Management (OPM) for multiple IT security failings which led to the unprecedented breach of over 21 million sensitive records last year, but Democrats claim their report doesn’t tell the whole story.

The GOP members of the Committee on Oversight and Government Reform claimed in the report that the “lax state” of security in the OPM made it simple for hackers to lift security clearance and other files, giving a foreign state a huge advantage which it said will “harm counterintelligence efforts for at least a generation to come.”

Most tellingly, the OPM failed to implement multi-factor authentication as per the Office of Management and Budget’s requirements, and allowed key IT systems which were later compromised to operate without a security assessment.

A first hacker was able to exploit these weaknesses to conduct reconnaissance work on the OPM’s IT network back in 2014, before a second operative installed malware and created a backdoor on the network after using a contractor’s log-ins to gain entry, the report said.

While the first hacker was eventually “kicked off” the network, the second went undetected until it finally began exfiltrating data in July 2014.

The report added:

“The data breach by Hacker X1 should have sounded a high level multi agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest value data…Swifter action by OPM to harden the defenses of its IT architecture could have prevented or mitigated the damage that OPM’s systems incurred.”

The report goes on to allege that the OPM subsequently misled Congress over the scale of the issue.

However, House Democrats have reacted angrily to the report, claiming it fails to adequately address the role government contractors played in the cyber-attack campaign.

They claimed the Committee’s actual findings emphasize the fact that “cyber requirements for government contractors are inadequate” and that “contract requirements for sharing information with private sector companies that handle sensitive government data need strengthening.”

Acting director of the OPM, Beth Cobert, also leapt to the defense of her department, claiming the report fails to recognize the “significant progress” it has made to strengthen its cybersecurity posture, “and reestablish confidence in this agency’s ability to protect data while delivering on our core missions.”

Those efforts are listed in full in her blog on the subject.

It’s widely believed that the Chinese state was behind the attacks.
