Federal agencies seeking to stop another major hack of Americans’ personal data must establish a “zero trust” system that treats government employees as just as big a threat to cybersecurity as foreign attackers, says a report being released Wednesday by a House panel.
“The zero trust model centers on the concept that users inside a network are no more trustworthy than users outside a network,” says the 231-page report by the Oversight and Government Reform Committee’s Republican majority.
The document is the culmination of a year-long investigation by the panel into the massive cyber attacks against the U.S. Office of Personnel Management that compromised the personal data of more than 22 million Americans.
The report recommends that federal agencies enforce stricter controls over access to their computer networks by employees and government contractors. The OPM breaches raised questions about the security of government contractors. Two contractors that conducted employee background checks for OPM were victims of hackers themselves.
“The zero trust model … assumes that all traffic traveling over an organization’s network is threat traffic until authorized by the IT (information technology) team,” the report says.
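To make the principle concrete, the following Python sketch (an added illustration, not code from the committee's report or from OPM) contrasts a perimeter-style access decision, which trusts any request arriving from an internal address, with a zero-trust decision that ignores the source network and requires an authenticated identity, multi-factor login, a compliant device, and an explicit authorization for the resource. The users, resources, address range and requests are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed "internal" address range used only by the perimeter model.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed access-control list: resource -> identities allowed to read it.
ACL = {
    "hr/background-investigations": {"alice"},
    "public/job-postings": {"alice", "bob", "carol"},
}


@dataclass(frozen=True)
class Request:
    user: Optional[str]      # authenticated identity, None if none was established
    mfa: bool                # session was established with a second factor
    device_compliant: bool   # device passed a posture/health check
    source_ip: str           # where the packets came from
    resource: str            # what is being accessed


def perimeter_decision(req: Request) -> bool:
    """Legacy model: traffic from inside the network is trusted outright;
    only outside traffic is checked against the ACL."""
    if ipaddress.ip_address(req.source_ip) in INTERNAL_NET:
        return True
    return req.user is not None and req.user in ACL.get(req.resource, set())


def zero_trust_decision(req: Request) -> bool:
    """Zero trust: every request is treated as hostile until explicitly
    authorized. The source network is deliberately not consulted."""
    if req.user is None:
        return False                      # no verified identity, no access
    if not req.mfa:
        return False                      # a password alone is not enough
    if not req.device_compliant:
        return False                      # unhealthy device, even for a valid user
    return req.user in ACL.get(req.resource, set())  # least-privilege check


# Constructed scenarios. The second one models stolen employee credentials
# being replayed from a foothold inside the network without a second factor.
SCENARIOS = {
    "employee, mfa, healthy device, internal": Request("alice", True, True, "10.1.2.3", "hr/background-investigations"),
    "stolen creds replayed from inside, no mfa": Request("alice", False, True, "10.9.9.9", "hr/background-investigations"),
    "contractor on non-compliant device": Request("bob", True, False, "10.5.5.5", "public/job-postings"),
    "unauthenticated internal scanner": Request(None, False, False, "10.0.0.7", "hr/background-investigations"),
    "employee working remotely, mfa, healthy": Request("alice", True, True, "203.0.113.10", "hr/background-investigations"),
}


def compare_models() -> dict:
    """Return, per scenario, the decision each model makes."""
    return {
        name: {"perimeter": perimeter_decision(r), "zero_trust": zero_trust_decision(r)}
        for name, r in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_models().items():
        print(f"{name:45s} perimeter={verdicts['perimeter']!s:5} zero_trust={verdicts['zero_trust']}")
```

The comparison makes the report's point visible: the perimeter model waves through the replayed credentials, the unhealthy contractor device and even an unauthenticated scanner simply because they are "inside", while the zero-trust check denies all three and still admits the legitimate remote employee.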
Victims of the OPM attacks included current and former federal workers, job applicants, and family members whose information was included in employee applications for security clearances. The information stolen included Social Security numbers and more than 5 million fingerprints.
The attacks against OPM, which happened in 2014 and 2015 and were revealed by the agency last year, are the largest known hacks against the U.S. government. Intelligence officials have said they believe China was responsible for the attacks, but they also believe that the hackers could not have gained entry to the system without the inadvertent assistance of government workers whose credentials were compromised and used by the attackers.
The hacks revealed the vulnerability of sensitive federal data and led to the resignations of former OPM Director Katherine Archuleta and former Chief Information Officer Donna Seymour. Both officials were criticized by Oversight Committee Chairman Jason Chaffetz, R-Utah, for failing to heed warnings from the agency’s inspector general about security weaknesses.
“The OPM data breach and the resulting generational national security consequences cannot happen again,” Chaffetz said in a letter to federal chief information officers at the beginning of the report. “It is up to leaders like you and Congress to ensure it does not.”
The report was released amid growing concerns that foreign hackers may try to interfere with the presidential election in November.
A suspected Russian hacker probed a voter registration database in Arizona and an unidentified attacker gained entry to one in Illinois this summer. The systems that count votes were not compromised, officials said. Those hacks came in the wake of a cyber attack against the Democratic National Committee that is suspected by authorities of having been committed by the Russians. The Russian government has denied any involvement in the attack, which was revealed in July.
In addition to pushing for the “zero trust” policy, the oversight committee offered 12 other recommendations, including:
— Better pay for cybersecurity experts to attract them to government service. Agencies can request permission for “critical position pay” for jobs they can’t fill without offering a high salary. The salary for those jobs can be as much as $205,700.
— Reducing the use of Social Security numbers by federal agencies, which often collect them as a way to identify government employees and customers. Social Security numbers are especially valuable to thieves who steal victims’ identities to gain access to bank accounts, take out loans, or apply for credit cards.
— Passage of legislation by Congress to require federal agencies to notify the public of data breaches in a timely way. The report says that the OPM hacks revealed that some agency officials were reluctant to let Americans know the extent of the attack.
— Modernizing aging federal computer networks, many of which have become outdated and difficult to protect. Some of those old systems are especially difficult to encrypt, which is one of the major tools that cybersecurity experts use to stop hackers from stealing information.