Jul 08

Glass Houses: Comparing the FTC’s data security “guidance” against the OPM’s reported data security failures

On June 30th, the Federal Trade Commission issued data security “guidance” for business as part of its “Start with Security” initiative. According to the FTC, its new guidance is drawn from “lessons learned from the more than 50 law enforcement actions the FTC has announced so far” – with corresponding settlements – against private businesses for alleged lax data security practices.

The FTC’s new “guidance” is certainly useful, identifying potential vulnerabilities and detailing general protective measures that businesses can take to help protect themselves and the personal identifying, health, and financial information entrusted to them by employees, consumers and business partners.

But it also begs a rather obvious question – does the FTC intend to use its own guidance going forward as a benchmark against which it will judge the data security practices of businesses in enforcement actions? Of course it will, so the FTC’s “Start with Security” initiative is not so much “guidance” as an end run on legitimate legislative and regulatory processes. And that should be concerning to businesses large and small.

The great irony in all of this is that the federal government has in at least several high-profile instances failed to adhere to even the most basic elements of the FTC’s data security “guidance.” The widely-reported Office of Personnel Management hacks offer a timely (and eye-opening) comparator against several of the FTC’s key data security “guidance” principles:

FTC “Start with Security” guidance vs. OPM’s reported cyber security failures

Principle #1: Understand your data collection, retention, and use policies, and implement smart data security policies. For example, the FTC notes that companies can avoid risk by not collecting or continuing to maintain sensitive information that the company doesn’t need or use.
OPM’s reported failure: For years, OPM failed to centralize its cyber security responsibilities and governance or even staff key cybersecurity leadership positions. At the same time, however, OPM maintained a “motherlode” of personally identifiable information and other highly sensitive information belonging to millions of current and former federal employees in several enormous, unencrypted databases.

Principle #3: Keep information secure by insisting on more secure password systems and comprehensive authentication mechanisms.
OPM’s reported failure: For years leading up to the 2014/15 hacks, OPM failed to mandate across-the-board use of multi-factor authentication in its major software systems. In a 2014 audit report, OPM’s Office of Inspector General found that none of OPM’s major applications required Personal Identity Verification (PIV) cards in the identification process. This failure, in particular, may have helped enable the most recently reported, massive hack into OPM’s databases and systems. It has been reported that hackers in China used login credentials (not PIV cards) that OPM provided to outside government contractor KeyPoint Government Solutions to access OPM’s systems and infrastructure, strongly suggesting that KeyPoint employees were not required to use PIV cards to authenticate their credentials with the Agency.

Principle #4: Store sensitive information securely and protect it during transmission through Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption, and/or an iterative cryptographic hash.
OPM’s reported failure: Beginning at least in 2009, OPM’s OIG reported a material weakness in the Agency’s overall cyber security program because OPM-issued laptops did not have encryption capability. In the wake of the latest-reported OPM hack, the CIO for the Agency stated that encryption and data obfuscating techniques were “new capabilities” that the Agency was just starting to build into its databases. And the DHS Assistant Secretary for Cybersecurity has explained that OPM didn’t even have the authentication infrastructure in place for its major applications to utilize encryption in the first place.

Principle #8: Keep an eye on your service providers. The FTC wants businesses to take reasonable steps to select providers that are able to implement appropriate security measures and then monitor that the providers are meeting your requirements. The FTC suggests that businesses include contract provisions requiring security precautions.
OPM’s reported failure: By all reports, the recently reported hacks into OPM were accomplished through at least two outside contractors’ systems and credentials, indicating that OPM failed to implement appropriate security measures and conduct meaningful monitoring over those contractors’ operations for at least the past two years. For example, in 2014 OPM terminated its contract with the company hired to conduct its personnel investigations, U.S. Investigations Services, LLC (USIS), after the company “identified an apparent external cyber-attack on USIS’s corporate network” that resulted in the misappropriation of approximately 27,000 electronic personnel files for federal employees. Forensic investigation into the USIS hack identified a glitch in USIS’s enterprise resource planning (ERP) application software, which was quickly followed by very public assertions by representatives of SAP (the ERP software provider) that USIS failed to timely apply security patches to the ERP software that would have prevented the hack. In addition, login credentials OPM provided to KeyPoint Government Solutions (the company OPM hired to fill the very large gap left by USIS) were somehow stolen by hackers, which enabled them to get inside OPM’s systems and steal a massive amount of information (which OPM still has not fully determined) without being detected for at least several months. KeyPoint representatives have denied any responsibility for the most recent, massive OPM data breach, but cannot say how its credentials were stolen, at least in part because neither OPM nor KeyPoint set up logs to track the type of malicious activity in question.

While the FTC continues to step up its cyber security enforcement efforts against private businesses that suffer damaging data breaches, there are no similar signs of increased accountability within the federal government itself. Despite calls from elected officials from both parties for OPM Director Katherine Archuleta and senior members of her staff to resign, OPM is content with the status quo and continues to use KeyPoint to conduct its personnel investigations for federal employees.

The American Federation of Government Employees, AFL-CIO, has filed a class action lawsuit against OPM, Director Archuleta, OPM’s CIO and KeyPoint Government Solutions in the U.S.D.C. for the District of Columbia alleging violations of the Privacy Act of 1974, the Administrative Procedure Act, and negligence, but commentators have already begun to question whether the plaintiffs will be able to establish cognizable damages to support their claims where it appears the purpose of the hacks was to commit state-sponsored cyberespionage, rather than identity theft for financial gain.

The continuing revelations about what went wrong at OPM highlight the widening disparity between the federal government’s cyber security expectations and demands from private businesses versus the glaring lack of cyber-accountability it has for years tolerated (without any meaningful change) within its own agencies. All of which brings to mind a certain Billy Joel album cover that is rather fitting…
