Hacking

SPOTLIGHT ON SECURITY

OPM Director’s Resignation Draws Mixed Reactions

The resignation of U.S. Office of Personnel Management Director Katherine Archuleta is drawing mixed reactions from the cybersecurity community.

Archuleta’s departure on July 10, in the wake of a massive data breach resulting in the theft of the personal information of more than 22 million people, is being characterized by security pros as everything from “necessary” to “unfair.”

It was “fair, justified and necessary,” said Richard Blech, cofounder and CEO of Secure Channels.

“Archuleta was the director and had a responsibility,” he told TechNewsWorld. “Excuses and incompetence are unacceptable in the position she was holding.”

Given the security climate in which federal agencies operate, Archuleta ‘s behavior baffled one security pro.

“In today’s modern world, it’s inconceivable that a director would have no concept of the threat to critical information — especially since OPM had been aware of it for a year,” said Neustar Senior Vice President Rodney Joffe.

Ultimately, she was completely responsible,” he told TechNewsWorld. “As director, she owned it all. That’s part of the risk and reward of being at the desk where the buck stops.”

Fell on Her Sword

Archuleta’s departure was justified because she wasn’t forceful enough in her advocacy for better security, maintained John-Philip Galinski, CEO of Global Data Sentinel.

Archuleta should have obtained what she needed to protect the OPM’s data or resigned, he continued.

“To do neither, and then say that certain databases were too old to be encrypted, is to throw one’s hands up in the air and say, ‘I can’t fix it so I’m going to ignore the issue and hope for the best,'” Galinski told TechNewsWorld.

As the evidence of mismanagement at the agency began to snowball, someone had to be held accountable, explained Paul Kurtz, CEO of TruStar and a former cybersecurity adviser to the White House.

“Had she not stepped down, it would have been inappropriate to have her continue as director,” he told TechNewsWorld, “and in the end, she determined she was becoming a distraction.”

In the end, she also decided to be a “good soldier.”

“They needed someone to fall on their sword,” said Jonathan Sander, strategy and research officer at Stealthbits.

“Holding the director of the OPM responsible for this hacking incident is looking for a straw man, because every place that runs systems on computers has got the chance of this happening to them,” he told TechNewsWorld.

CIO Culpability

Responsibility for the breach may lie above Archuleta, argued John Pescatore, director of emerging trends at the SANS Institute.

“The sad fact in the federal government is that it is easier to punish a department head than a CIO,” he told TechNewsWorld.

“Most of the failures in configuration management, patching and privilege management are IT operations failures that many CIOs allow to continue and at best try to spackle over with ‘security,'” Pescatore said.

The federal CIO also allowed IT services to be subcontracted to foreign countries, noted Secure Channels’ Blech. “That’s a major failure of best practices.”

However, it may be too early to be pointing fingers of blame at federal CIO Tony Scott, observed Adam Laub, vice president of product management at Stealthbits.

“Scott was only appointed to his post in early February of 2015,” he told TechNewsWorld. “Without even six months on the job and dozens of agencies to evaluate and analyze, it’s highly unlikely there was anything Scott could have mandated, or any agency could have implemented effectively to have prevented this breach.”

No Magic Plugs

Scott’s short time on the job may be part of a larger problem plaguing the federal government. In the last four years, there have been three federal CIOs.

“It is very difficult for the federal government to attract and retain highly capable and aggressive CIOs,” TruStar’s Kurtz said.

“You may find someone who is progressive and wants to do their part and serve their country, but when they come in they find the bureaucracy and the procurement systems and the level of budget support they get is not sufficient, so they often have a short tenure,” he explained.

Although the experts had mixed views on Archuleta’s resignation, their views were in accord about the uphill battle the OPM has before it.

“Archuleta’s resignation in and of itself will have no effect whatsoever on addressing the problems exposed by the recent breach,” Stealthbit’s Laub said. “Archuleta not being there doesn’t magically plug all their security holes.”

Breach Diary

  • July 14. Barclays confirms it is offering compensation to 2,000 customers after their personal data was discovered on a USB memory device uncovered in a police raid on the southern coast of England.
  • July 15. Walmart Canada shuts down online photo service because of a “potential compromise of customer credit card data” at the site.
  • July 15. Epic Games sends letters to its forums users alerting them that its systems have been breached by hackers and sensitive information about the users stolen.
  • July 15. University of Pittsburgh Medical Center notifies 722 of its members that their protected healthcare information may have been compromised when a file containing it was sent to an incorrect email address.
  • July 16. AppBugs reports dozens of popular Android and iPhone apps contain a vulnerability that allows an attacker to make an unlimited number of login attempts to the apps.
  • July 17. UCLA Health System discloses it has been the victim of a criminal cyberattack that has put at risk the records of 4.5 million patients.
  • July 17. CVS warns customers its online photo service may have suffered a data breach. As a precaution, the company shuts off the site and blocks its mobile app.
  • July 17. Symantec reports that spam volumes have fallen to less that 50 percent of all email traffic on the Internet for the first time since 2003.

Upcoming Security Events

  • July 25. B-Sides Cincinnati. Cincinnati Museum Center, 1301 Western Ave., Cincinnati, Ohio. Free.
  • July 30. How the United States Postal Service secured their email against fraud. 2 p.m. ET. Webinar sponsored by Agari. Free with registration.
  • Aug. 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, US$1,795; before July 25, $2,195; after July 24, $2,595.
  • Aug. 4-5. B-Sides Las Vegas. Tuscany Hotel and Casino, 255 E. Flamingo Rd., Las Vegas, Nevada. Free.
  • Aug. 6-9. Defcon 23. Paris Las Vegas, 3655 S. Las Vegas Blvd., Las Vegas, Nevada, and Bally’s, 3645 S. Las Vegas Blvd., Las Vegas, Nevada. $230, cash only at the door.
  • Aug. 24-25. Gartner Security & Risk Management Summit. Hilton Hotel, 488 George St., Sydney, Australia. Registration: prior to June 27, AU$2,475; after June 26, AU$2,875; public sector, AU$2,375.
  • Sept. 12. B-Sides Augusta. GRU Harrison Education Commons Building, 1301 R.A. Dent Blvd., Augusta, Georgia. Free.
  • Sept. 16. ISMG Data Breach Prevention and Response Summit. The Westin San Francisco Airport, 1 Old Bayshore Highway, Millbrae, California. Registration: $695.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 18. B-Sides Cape Breton. The Verschuren Centre, Cape Breton University, Sydney, Nova Scotia, Canada. Free.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
  • Oct. 2-3. B-Sides Ottawa. RA Centre, 2451 Riverside Dr., Ottawa, Canada. Free with registration.
  • Oct. 6. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Sharonville, Ohio. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.
  • Oct. 15. SecureWorld Denver. The Cable Center, 2000 Buchtel Blvd., Denver, Colorado. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway,Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels