A report on the breach of OPM’s computer systems by the Institute for Critical Infrastructure Technology (ICIT) says hackers did not have to work very hard to gain entry. The report also raises a worrisome new possibility about what the hackers might have been doing during the months they had undetected access: adding false data to the systems even as they were stealing from them.
As previously reported, many of OPM’s outdated computer systems were operating without a valid security authorization. When the Inspector General recommended OPM shut down those systems last year, OPM refused. An expert quoted in the ICIT report says, “it appears as though this was the equivalent of a car thief politely asking for the car keys and once handed them drove the car for over a year before being noticed.”
The news media has focused on the massive theft of personal data on millions of government workers. The nation responsible (believed to be China) could use the stolen data to create a “‘linkedin-esque’ database for their intelligence community.” ICIT estimates this database would have a 30-year useful shelf life.
However, ICIT also suggests another possibility which has not been in the news. Given months of access to our database of security clearances, hackers may have inserted some of their own data, essentially creating government security clearances for use by their own spies. The problem is that OPM’s outdated systems make it very difficult to determine “what is the real data and what is the modified data.”
The report also undercuts some claims made by OPM officials in the wake of the hacking. For instance, OPM’s chief information officer claimed it would have been impossible to encrypt data on OPM’s servers because the data resided on an outdated system programmed in COBOL. However, the ICIT report notes, “In actuality, libraries exist, such as PKWare, that integrate modern encryption on antiquated systems.”
OPM repeatedly claimed the intrusion was finally detected as a result of its own efforts to modernize its systems. That is arguably true, but it also overstates OPM’s role in detecting the hack. The intrusion was actually discovered earlier this year during a product demonstration of cybersecurity software that OPM was considering buying.
The Institute for Critical Infrastructure Technology describes itself as a “non-profit, non-partisan group of the world’s most innovative experts and companies that provide technologies and solutions to support and protect our nation’s critical infrastructures.”