Just as Target CEO Gregg Steinhafel stepped down after the retail giant’s credit card security stumble stymied 40 million customers, OPM CIO Donna Seymour relinquished her position in favor of retirement after the federal agency failed to protect personal information belonging to 21.5 million people.
Some sources seem to suggest that if the old OPM leadership was the real security issue, then great new leadership must be the solution. Colleagues and security experts inside the federal government laud the new OPM CIO David DeVries for his experience, expertise and training in safeguarding data.
But great leaders use great teams and tools to get things done. In addition to the solid stance that proven executives maintain, public agencies need trusted human resources and well-considered approaches to stand up effective cyber defenses.
Public Agency Protections
Two of the biggest holes in OPM security were the use of outdated software and the practice of outsourcing work on security to China. Any outdated software that you do not retool, patch or upgrade to meet current demands and cover holes serves as a billboard inviting sinister data bandits to come right in. Attackers will leverage the same unpatched vulnerabilities again and again. Outsourcing security work to contractors in China, a country known to be involved in cyber spying, was a primary vulnerability for the OPM.
To counter these concerns, the OPM should count the costs of data compromises due to hacks and compare those with the expense involved in using more current (patched) software and hiring trusted firms inside the U.S. for security work. Reports confirm that the OPM attack was initiated by a group in China, the same country whose contractors completed the security work on the affected database, though which specific hacker collective led the attack has been unclear. The Chinese government has hacked into every major U.S. company by now as well as government agencies; giving contractors in China free and open access to every line of data in the OPM database in order to do security work was an ill-fated decision.
On the heels of the OPM incident, President Barack Obama called for speedy vulnerability testing for all agencies followed by swift patching. Vulnerability testing should be a regular occurrence at public agencies, since this is the best way to uncover security holes and determine what patching an agency needs to do. This practice will bring flaws to light that hackers are probably already aware of and busy planning to attack.
Agencies need to build security into their networks from the ground up; this approach is more reliable than adding security after the network is established and security incidents start to pile up. Focus on the data you prize the most, the associated risks and the severity of the disaster if hackers compromise this information. Assume you need to segregate that network from everything else as much as possible.
As for security technologies you do use, choose the best single solution you can afford that gives you the most coverage and safeguards for your precious information stores, then use one-off solutions for any vulnerabilities that remain. Lead your people to be proactive, diligent and vigilant, since attackers are testing your people for vulnerabilities every bit as much as they are scanning your networks for points of entry.