The Congressional Research Service has published “Cyber Intrusion into U.S. Office of Personnel Management: In Brief,” a report on the cyberattack on the U.S. Office of Personnel Management (OPM) that was estimated to have compromised sensitive information of 21.5 million individuals. The breach, the report notes, was was detected “partly through the use of the Department of Homeland Security’s (DHS’s) Einstein system,” an intrusion detection system that “screens federal Internet traffic to identify potential cyber threats.”
The report reminds us that “assumptions about the nature, origins, extent, and implications of the data breach may change,” but also notes that James Clapper, Director of National Intelligence, identified the Chinese Government as the “leading suspect” in the attacks.
“It remains unclear how the data from the OPM breaches might be used if they are indeed now in the hands of the Chinese government,” the report says. “Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations.”
As reported by David E. Sanger in the New York Times, the Obama administration is seeking ways to retaliate against China for the theft, but are struggling “to decide what it can do without prompting an escalating cyberconflict.”
Sanger quotes an unnamed senior administration official, who explains that the unprecedented scope of this attack has led to calls for more public response. “One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence,” said one senior administration official involved in the debate, who spoke on the condition of anonymity to discuss internal White House plans. “We need to disrupt and deter what our adversaries are doing in cyberspace, and that means you need a full range of tools to tailor a response.”
James R. Clapper, Jr., the director of national intelligence, also said that the number and sophistication of hacking aimed at the United States would worsen “until such time as we create both the substance and psychology of deterrence.” Adm. Michael S. Rogers, director of the National Security Agency and commander of the military’s Cyber Command, has similarly called for “creating costs” for attackers responsible for cyberattacks.
The Congressional Research Service’s report details a series of key questions that could guide future action on the part of Congress. “A potential question for Congress is whether those and other provisions of law give agencies the legislative authority and resources they need to adequately address the risks of future intrusions,” the report notes. “Among the specific questions Congress might consider are the following:
Are the current authorities and requirements under FISMA sufficient, if fully implemented, to protect federal systems from future intrusions such as the most recent OPM intrusions? If not, what changes are needed to sufficiently reduce the level of risk? For example, should the priority level for cybersecurity be elevated with respect to other aspects of mission fulfillment; should the federal government adopt the explicit goal of being assessed by independent experts as having world-class cybersecurity?
What are the barriers to improving federal cybersecurity to a level that would sufficiently reduce the risks of incidents such as the breaches at OPM, and what legislative actions are needed to remove them? For example, do agency heads, responsible for cybersecurity under FISMA, have sufficient understanding of cybersecurity to execute those responsibilities effectively—a broadly held concern with respect to private-sector chief executive officers that the National Institute of Standards and Technology (NIST) Cybersecurity Framework was designed in part to help address? Are the recent amendments to CIO authorities sufficient for them to implement their cybersecurity responsibilities under FISMA?
Does DHS have sufficient authorities to protect federal civilian systems under its statutory responsibilities? For example, should it have greater legislative authority to deploy countermeasures on federal systems, as some legislative proposals would provide?
Are the specific actions taken and proposed by the Obama Administration in the wake of the OPM breaches, such as the “cybersecurity sprint” and the proposed strategy and acquisition guidance initiatives,39 sufficient to provide the required improvements in cybersecurity at federal agencies?