Though lessons learned from the Office of Personnel Management (OPM) data breach have resulted in many improvements in cybersecurity practices, the 2015 breach and subsequent cyber incidents led members at a House Oversight Committee hearing on Thursday to question the pace of Federal data protection efforts.
“Right now it is an uphill fight,” said Department of Defense CIO Terry Halvorsen. “I do believe technology will get us some of the solutions, but I do think this is much like any area in technology: We will make strides forward, people who want to use technology for bad will make strides forward, but it will be a continuing analysis and engagement. It is not going to end anytime soon.”
Some of the technological solutions that OPM has applied since the breach include 100 percent dual authentication across the system, as well as IT system compliance and security officer hiring.
“The IT system compliance was the most significant vulnerability that was identified in the FY 16 report, as well as the IT security officer hiring process, which was something that we were able to accomplish at the end of this year as well,” said Cord Chase, chief information security officer (CISO) at OPM.
OPM CIO David DeVries said that while not all Social Security numbers contained in the OPM system have yet been encrypted, there are plans to have 100 percent encryption by the end of 2017.
Despite these accomplishments, however, both Congress members and witnesses at the hearing noted that the backlog in OPM’s National Background Investigations Bureau (NBIB) vetting process has added to the uphill battle by making it difficult to quickly hire people into the Federal workforce, particularly the cybersecurity talent to protect against breaches.
According to Oversight Chairman Rep. Jason Chaffetz, R-Utah, there is a backlog of 569,000 cases, in part due to a slowing investigation process. In 2015 it took 95 days for a potential hire to be investigated for secret clearance, and 179 days for top secret. In 2016, it took 166 days for secret and 246 for top secret clearance.
NBIB Director Charles Phalen told the committee that his office has doubled the number of companies that are able to conduct the contract investigations and hired 400 new Federal investigators in 2016, with an additional 200 expected to be hired in 2017.
Some committee members worried that President Donald Trump’s executive order freezing hiring in a majority of the Federal government would inhibit agency ability to hire necessary cybersecurity employees. Kathleen McGettigan, acting director of OPM, assured them that agencies can request exemptions from the freeze if the position is deemed critical to national security. OPM had yet to receive any such requests.
Witnesses also told the committee that what government can pay cybersecurity professionals isn’t often enough to retain the necessary level of talent.
Halvorsen testified that he had personally lost good cybersecurity employees “because they can’t anymore turn down the offers [from private companies]. And I can’t counsel them against that.”