4 Things DoD Has Learned from the OPM Data Breach

In the few months since the data breach at OPM was announced, IT leaders and agencies have been assessing and scrambling to manage the fallout (with some even finding positives in the wake of the breach).

So where has all this introspection got us? This month, a discussion brought together military leaders to share some of the lessons learned at the DoD.

Writing for Federal Computer Week, Zach Noble summarized some of the key takeaways:

1.  Advance warnings should have been heeded

Contractors working with OPM in 2014 had warned OPM that they’d suffered several breaches. But a lack of close scrutiny following the revelations bought hackers more time to access critical data.

“That’s the type of event where you mobilize one of those cyber protection teams to go out and actually go look at the network and do a clear and secure operation, and survey the network and see what’s actually on there…” said Lt. Col. Scott Applegate, chief of defensive cyberspace operations at Army Cyber Command.

2.  The rules of cyber espionage need definition

Was the hack at OPM an act of cyber war, a real war? Was it just an extension of normal espionage?

Without rules for cross-border cyber battles, it’s hard for the U.S. to hold any nation as the culprit. The absence of a world regulatory body for the Internet also makes it complicated to attribute, detect and mitigate threats.

3.  Threats are on the rise

We all know this. As surface areas increase, thanks to the explosive growth of the Internet of Things, the landscape becomes more complex and therefore more vulnerable. “I think the day-to-day clutter of attacks is just going to increase,” said Applegate. Furthermore, the cost of entry to disrupt a system is low. A hacker can be trained to breach a system for hundreds of dollars, while the price tag for protecting U.S. military equipment from threats runs to billions of dollars.

4.  Change is slow

Although the 30-day sprint to strengthen the federal government’s cyber posture achieved a lot (specifically in terms of increasing the level of two-factor authentication, something I wrote about here), user authentication still has a ways to go. “It’s just a huge bureaucratic beast and it takes time to do anything,” said Applegate. “The speed at which we can implement things is very slow and limiting.”

Read Noble’s full article at Federal Computer Week.