BreachExchange mailing list archives

Is OPM Breach Just Tip of Iceberg?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 6 Jul 2015 18:21:05 -0600

http://www.databreachtoday.com/blogs/opm-breach-just-tip-iceberg-p-1889

As federal lawmakers return this week from their Independence Day recess,
Congress picks up where it left off before the break: holding hearings on
the Office of Personnel Management breach that exposed the personal records
of millions of government employees and retirees.

On Wednesday, two subcommittees of the House Science, Space and Technology
Committee - one on Oversight and the other Research and Technology - will
hold a joint hearing titled: Is the OPM Data Breach the Tip of the Iceberg?
Expect the answer from witnesses to be yes.

One of the experts scheduled to testify is Gregory Wilshusen, the
Government Accountability Office's director of information security issues,
who told me a few weeks ago (see Ramping Up Agency Security, Yet Again):
"Systems and networks are so complicated and large - and given the priority
or their resources - it's sometimes a challenge for agencies to keep up
with it."

Joining him at the witness table will be OPM Assistant Inspector General
for Audits Michael Esser, who - like Wilshusen - testified at earlier
hearings, and Charles Romine, director of the National Institute of
Standards and Technology's Information Technology Laboratory, in his first
congressional testimony on the OPM breach.

Don't expect any of the witnesses to call for the resignations of OPM
Director Katherine Archuleta and CIO Donna Seymour for not taking
sufficient steps to prevent the breach, as did some lawmakers in the last
round of hearings. With these witnesses, the hearing could provide a valued
lesson to lawmakers about why the federal government faces challenges in
mounting a solid cyberdefense.

Hits Close to Home

Still, for some lawmakers, the OPM breach hits close to home. Research and
Technology Subcommittee Chairwoman Barbara Comstock, a Republican whose
Virginia district sits across the Potomac River from Washington, represents
thousands of federal employees whose personal information was likely
hacked, and they're obviously very upset, which makes her upset. "The trust
between our federal employees, our citizens and their government's
capability to thwart an attack is without a doubt damaged," Comstock wrote
in a letter to Archuleta on June 17. "Serious security measures to avoid
these lapses need to be crafted and put in place in advance of the next
attack."

Let's hope this hearing and those to come don't turn into a blame game.
Federal officials must be held accountable, but it's more important for
Congress to gain a clear understanding of how these breaches occur and how
they can be mitigated. As Comstock says, the government must craft and
implement better cyberdefenses. Congress must provide the government the
support - monetary and legislative - to do just that.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss