Republicans on the House Oversight and Government Reform Committee issued a report on the 2014 hack against the Office of Personnel Management (OPM), which resulted in the theft of data on 21.5 million federal employees. While the report is pretty scathing, it includes a number of cybersecurity recommendations for the agency that should be standard best practices for any large organization.
One of the suggestions included in the 12-point plan is to ensure that CIOs are empowered to effect change, and are retained for longer than the current average tenure of just two years. The report also suggests reducing the use of Social Security numbers as identifiers; reducing the barriers to implementing IT security policies; stronger security on federal Web sites; and modernizing existing legacy information technology assets.
The timeline laid out in the report paints an unflattering picture of OPM's response to the breach. The attackers first gained access to OPM systems in July 2012, thanks to the installation of the Hikit malware package on its network. Evidence of adversarial activity on the network goes back as far as November 2013.
But OPM wasn?EU?t notified of the malicious activity until March 2014. Even then, the attacker was allowed to gain a foothold on the network in May of that year, at which point the hacker installed a backdoor to download the confidential personnel information and began downloading it in July 2014. The attackers continued to steal confidential personnel data from the system until March 2015 but the agency didn’t even realize what had happened until May of that year.
The CIA ultimately pulled many of its officers out of Beijing following the hack fearing that their identities may have been compromised. The Chinese government is widely thought to be behind the attack.
"The lax state of OPM's…