
If anyone thought that last month’s OPM breach and the 21.5 million records it compromised were an aberration, Monday’s Ashley Madison hack was sure to make them think again.

In the wake of last month’s breach, former OPM director Katherine Archuleta has defended the agency’s cybersecurity measures. The recently resigned director pointed to the 10 million hack “attempts” that the OPM previously prevented each month and the steps her agency had taken to encrypt personal data.

Local data analytics companies and cybersecurity experts disagree with Archuleta’s defense. They say the breach was perfectly predictable, and potentially even preventable. There are two areas where the federal agency faltered during the attack: threat prediction and breach prevention. Improvements in these areas, they say, could have thwarted the OPM catastrophe and should prevent similar events in the future.

Predicting the Breach

Roger Foster, CEO of D.C.-based healthcare data analytics company ValityX, thinks that behavioral analysis could have indicated that the OPM breach was coming. “You’ve got signature behavior of good software,” he told DC Inno. “This has predictive behavior and you know when there are things going on outside that behavior.”

According to Jay Marwaha, CEO of SYNTASA, another D.C.-based data analytics company, there was plenty of abnormal behavior going on before the OPM breach that suggested an attack was coming. He used the analogy of a burglar breaking into a house to explain the traces that hackers leave behind: “If someone’s breaking into your house, they’re not going to try one door. They’re going to try all the doors and use whichever door’s easiest to open,” he told DC Inno. “They’ll leave fingerprints at those doors in their attempts.”

Marwaha told DC Inno that data analytics software like SYNTASA’s could have picked up on these fingerprints by analyzing clickstream data, which shows what pages people are looking at and how deep they go into those pages. By running this data through a machine-learning algorithm, he says, one can predict who the potential hackers are.

However, David Read, executive consultant at CGI Federal Emerging Technologies Practice, pointed out that if the breach came through an internal source, there would have been no sign of abnormal signatures or burglar activity. “There’s some speculation about an OPM subcontractor that could have been the source of the breach, that a credential was stolen,” he told DC Inno. If this had been the case, the data would have shown an authorized signature, not a potential hacker in the system.


Even without abnormal signature behavior, Read says the volume of data being accessed should have indicated a breach. At the OPM, “a couple dozen records a day is normal,” said Read. “You don’t get 24 million records like that, unless the breach went on for a year and it’s usually slash and grab.” The CGI executive consultant says that someone must have been accessing huge numbers of records per day, data that should have tipped off the OPM that a breach was underway, whether or not the account doing the reading held a valid credential.

Bob Gourley, co-founder and partner at strategic consulting and engineering firm Cognitio Corp. and former naval intelligence officer, says the OPM should have known an attack was coming even without data analytics. “Enhanced analytics were not necessary in warning of impending attacks in this case,” Gourley told DC Inno. “There was plenty of warning in very clear and unambiguous ways that OPM was a target and that an attack was coming.”

For Gourley, “the multiple phishing attempts against OPM employees and subcontractors, and the successful breach of subcontractors provided clear and unambiguous warning that OPM itself was a target.”

Preventing the Breach

Though each party generally agrees that cyber attacks are predictable, cybersecurity experts are divided on whether or not breaches are preventable. In the case of the OPM breach, however, experts agree that the agency could have employed a number of strategies that at the very least would have made the breach less likely.

Marwaha was outspoken in his support of attack prevention, telling DC Inno, “All attacks are preventable. Our software assigns a score or propensity based on behavior, a propensity to attack on a scale from 1 to 10,” he explained. “Say it’s maybe a 2, somebody has to make a judgment call. Is this a regular attempt or something that needs to be addressed?”

As for how the OPM could have addressed the threat of a breach, Gourley had a number of propositions. “Had protection of federal employee privacy been a priority this information could have been immediately taken offline until automated protections could have been put in place,” Gourley told DC Inno. “The fact is that all data, even the data in old mainframes, could have been encrypted in ways that prevented this breach. And access controls could have been put in place to allow only the right, approved individuals to access the data.”


Foster agreed that the data could have been better protected, telling DC Inno, “You’ve got to be able to defend at the data element level. Got to assume that the bad guys are in the network. Why was someone able to get in and get the entire database?”

Yet David Read suggested that the OPM should have had greater security measures in place even before the agency detected any signs of a potential breach. He pointed to HSPD-12, a Homeland Security Presidential Directive that mandated multifactor authentication in the form of a PIV (Personal Identity Verification) card. This card, which is required for all federal agencies and contractors, combines three authentication factors: the card’s chip itself, read over a contact or near-field (contactless) interface, an embedded PIN and an embedded fingerprint. This same card is required for computer logins, according to Read.

“One of the first questions that needs to be asked is ‘Why weren’t you following the mandate?’” said Read. “If it was a credential breach, it came in on a contractor’s password. Why weren’t they using PIV? If they were using PIV, how did someone get an employee’s PIV card?”

A memorandum from the OPM reveals that not only should the agency have been following HSPD-12 and using PIV cards, but it was actually in charge of developing the credentialing standards for who should receive clearance and obtain a card. The breach then means that either the agency was ignoring the directive it had a hand in developing, or that it gave a card to someone it shouldn’t have, an ironic possibility given that those PIV clearance standards were the OPM’s own.
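The two checks the experts describe, Read’s “a couple dozen records a day is normal” volume test from earlier in the piece and his “why weren’t they using PIV?” question here, can both be expressed as detections over an access log. The following is an added example written for this page; it is not code from SYNTASA, CGI, Cognitio or the OPM. The log line format, the account names, the record counts and the thresholds are all constructed assumptions for illustration.

```python
"""Two detections over a constructed access log (added example, not from the article).

Log format (assumed): "YYYY-MM-DD user auth_method records_read"
The volume check compares each day's count against the account's own recent
baseline, so it fires on a stolen-but-valid credential just as it would on a
stranger; the PIV check flags any password logon by an account that HSPD-12
puts in scope for smart-card authentication.
"""
import statistics
from collections import defaultdict

# Constructed sample data: one contractor account drifts from PIV to password,
# then reads roughly four hundred thousand records in a day.
SAMPLE_LOG = """\
2015-03-02 jsmith piv 18
2015-03-02 contractor7 piv 25
2015-03-03 jsmith piv 22
2015-03-03 contractor7 piv 19
2015-03-04 jsmith piv 30
2015-03-04 contractor7 piv 21
2015-03-05 jsmith piv 17
2015-03-05 contractor7 password 20
2015-03-06 jsmith piv 24
2015-03-06 contractor7 password 410000
"""

# Assumption: every account that touches this system must use PIV.
PIV_REQUIRED = {"jsmith", "contractor7"}


def parse_log(text):
    """Parse the assumed log format into (day, user, auth_method, records_read) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, method, count = line.split()
        events.append((day, user, method, int(count)))
    return events


def password_logons_where_piv_required(events, piv_required=PIV_REQUIRED):
    """Return (day, user) for every non-PIV logon by an account that must use PIV."""
    return [(day, user) for day, user, method, _ in events
            if user in piv_required and method != "piv"]


def volume_anomalies(events, baseline_days=4, factor=10):
    """Return (day, user, count, baseline) where a day's reads exceed factor x the
    median of that account's previous baseline_days days. The baseline is per
    account, so normal variation between users does not mask a single outlier."""
    per_user = defaultdict(list)
    for day, user, _, count in sorted(events):
        per_user[user].append((day, count))
    findings = []
    for user, days in per_user.items():
        for i, (day, count) in enumerate(days):
            prior = [c for _, c in days[max(0, i - baseline_days):i]]
            if len(prior) < 2:
                continue  # not enough history to call anything abnormal
            baseline = statistics.median(prior)
            if count > factor * baseline:
                findings.append((day, user, count, baseline))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for day, user in password_logons_where_piv_required(evts):
        print(f"{day}: {user} logged on with a password despite PIV requirement")
    for day, user, count, baseline in volume_anomalies(evts):
        print(f"{day}: {user} read {count} records (baseline {baseline})")
```

The volume rule deliberately ignores how the session authenticated: as Read notes above, a stolen credential produces an “authorized signature”, so the only signal left is what the session does. The PIV rule is the complementary preventive check, surfacing the policy gap before any data moves.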

The Future of Federal Cyber Security

According to Gourley, it will take a great deal of human willpower to bring robust improvements in cyber security to the federal government. “To prevent the constant re-learning of lessons like this, structural changes can be put in place, including better oversight from Congress (who approves all Presidential appointees and funds the IT infrastructure in agencies) and better cybersecurity leadership from the White House.”


However, he doesn’t see these changes happening all at once, even with the recent attention security breaches have commanded. “This lesson has been learned and re-learned since the 1970s and my fear is we will still be learning this for decades to come.”