OPM Breach Cited by White House as Reason To Pass Cybersecurity Legislation

Regardless of who is responsible for the breach and its ultimate aim, the Obama administration takes this incident very seriously and recognizes the breach as a threat to national security and a potential threat to the economy, Press Secretary Josh Earnest said. Earnest said he couldn’t guarantee the identity of the individual or individuals responsible for the attack would be made public, saying that may not be in the best interest of the public. The Department of Homeland Security’s U.S. Computer Emergency Readiness Team and the FBI are investigating the breach. An FBI statement said the agency takes “all potential threats to public and private sector systems seriously and will continue to investigate and hold accountable those who pose a threat in cyberspace.”

Chinese aren't particularly interested in personal information, said Hunton & Williams attorney Lisa Sotto, who focuses on privacy and cybersecurity. That “should give individuals some comfort,” she said. In the past 18 months, the U.S. has experienced significant security breaches, which is indicative of a much bigger problem society needs to address, Sotto said. Systems' vulnerabilities must be addressed and serious action taken to ensure data is safeguarded, she said. Only information that is needed should be collected and retained only as long as it’s needed, she said. Chances are much of this data wasn't needed and if disposed of properly, wouldn’t have been in the system for a hacker to breach, Sotto said.

Governments are constantly infiltrating one another’s networks to find out what they can, former NSA intelligence official-turned-whistleblower William Binney told us. It’s standard intelligence procedure, he said.

Earnest said the U.S. has raised concerns with China in particular about its activity and behavior in cyberspace. Earnest pointed to the Justice Department’s indictment of five Chinese military officials last summer for illicit cyber activities as an example. In response to the allegations China or a Chinese citizen was involved, a Chinese Embassy in Washington spokesman said that “Chinese laws prohibit cybercrimes of all forms,” and that China has “made great efforts to combat cyber attacks.” Cyberattacks are a global threat and must be addressed with mutual trust and respect so all countries can work together to address cybersecurity issues, formulate international rules and norms in cyberspace and build a peaceful, secure, open and cooperative cyberspace, he said. “Jumping to conclusions and making hypothetical accusations is not responsible and counterproductive.”

OPM’s system was believed to be penetrated in December, Earnest said. The intrusion was detected in April while OPM’s network defenses were being updated, and last month it was determined that some data may have been exfiltrated, Earnest said. Because adversaries are so persistent and innovative, cybersecurity experts agree one way to enhance privacy is by improving information sharing, Earnest said. Senate Homeland Security and Governmental Affairs Committee Chairman Ron Johnson, R-Wis., called the breach “disturbing,” especially if “that information could be in the hands of China.” OPM says “it ‘has undertaken an aggressive effort to update its cybersecurity posture,’” Johnson said in a news release, but OPM “must do a better job, especially given the sensitive nature of the information it holds.”

Sen. Mark Warner, D-Va., a member of the Senate Select Committee on Intelligence, also expressed concern with OPM’s ability to secure personal data. In a statement saying the incident was the second major breach in a year for the agency, Warner backed passage of the Cybersecurity Information Sharing Act (S-754) and called for the private sector to create information sharing and analysis centers to share information on data breaches. Warner said he's “preparing to introduce data breach legislation that would create a comprehensive, nationwide and uniform data breach standard requiring timely consumer notification for breaches of financial data and other sensitive information."

House Commerce Committee ranking member Frank Pallone, D-N.J., Oversight and Investigations Subcommittee ranking member Diana DeGette, D-Colo., and Commerce, Manufacturing and Trade Subcommittee ranking member Jan Schakowsky, D-Ill., released a joint statement Friday encouraging Committee Chairman Fred Upton, R-Mich., to “immediately schedule briefing on this matter so that we can better understand how this happened and work together to find solutions.” The breach is the latest failure to protect American data, the House members said, adding there are now two types of Americans: “those whose data has been subject to a breach, and those whose data will be breached in the future.”

OPM has instituted additional network security precautions. They include: restricting remote access for network administrators and restricting network administration functions remotely; reviewing all connections to ensure that only legitimate business connections have access to the Internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network, an OPM news release said Thursday. OPM will communicate with potentially affected individuals “exactly what information may have been compromised” by June 19, the spokesman said. Notice will come either via email from the address opmcio@csid.com or via U.S. Postal Service, OPM said. OPM has also created a specific data breach website, where additional information on the affected agencies and individuals will be posted.