Last week, the U.S. Office of Personnel Management (OPM) revealed that it had incurred a second data breach that compromised more than 21.5 million people—much larger than the other hack the agency recently endured. The incident has severe implications for the multitude of private companies that contract with the federal government.
Michael Hayden, former head of the Central Intelligence Agency and a keynote speaker at the 2011 AFP Annual Conference, believes that the effects of the OPM hack could last for nearly half a century. “You have provided the Chinese with the pool of contractors and employees who have access to classified information. This represents a target pool of possible recruitments with a list of their vulnerabilities,” he told FedScoop.
Impact on private contractors
As Hayden noted, independent contractors have been deeply affected by this breach, and many of them have been in damage control mode since it hit the news. A representative from one contractor, whose staff is made up almost entirely of former government workers, told AFP that her company is “in turmoil” over the breach. “We’re all on credit watches and we were automatically issued corporate security watches by a few of the credit bureaus,” she said.
Furthermore, the hack is directly taking a toll on the contractor’s operations. “So far, we have not been contacted with fraudulent claims, but we are unable to initiate new clearances or renewals because of the hack. This is a major problem for us as we work in secured information zones,” she said.
But if contractors are looking for help from the federal government, they shouldn’t hold their breath. “The government hasn’t given any guidance on how to protect staff,” she said. “They’re focused on internal employees and have issued help statements to former employees, but none to contractors.”
Brad Deflin, president and co-founder of Total Digital Security and speaker at the recent CTC Corporate Treasurers Forum, told AFP that the OPM hack has made it clear that sensitive, security clearance level personal information is under attack. “It’s safe to assume the perpetrators, Chinese or otherwise, don't care if they get it from the public or private sector,” he said. “If your company works for the government and has employees and contractors with security clearances, it’s essential to review the flow of this information up, down, in and out of the organization with a particular focus on individual operators and perimeter operating environments.”
Deflin provided some step-by-step instructions for what contractors can do:
- Review information gathering, processing, and storing procedures, and individual accountability for compliance.
- Determine where the information flows in and out of the enterprise, especially as it pertains to non-IT managed networks and devices, and add measures that may be outside the IT department’s scope or purview.
- Have conversations and open the lines of communication, particularly at these junctures.
- Be sure your incident reporting process is bulletproof.
Clearly, the attack serves as yet another call to action for corporate treasurers to shore up their systems. Audits of the OPM found that the agency’s systems were ill-equipped to mitigate modern cyberthreats. The Wall Street Journal reported that the OPM added multifactor authentication for 95 percent of its workstations, but none of its 47 major applications used it as of last year. As Special Agent Jason Truppi of the FBI Cyber Division explained in the AFP Payments Security Guide, multifactor authentication is a must in today’s threat environment. “If you’re using two-factor authentication and you have a person who’s willing to go above and beyond that, they’re going to go after your authentication methods,” he said. “It’s a constant battle that you’re just going to have to deal with. So you have to think about those things. Now people are using three-factor authentication.”