Interior scrambles to patch security after OPM hack

The agency that housed the hacked database of federal workers’ personnel files has patched thousands of vulnerabilities identified by a yet-to-be-released inspector general report.

“Vulnerabilities, though, it’s a process,” said Sylvia Burns, chief information officer for the Department of the Interior (DOI), during a House hearing on Wednesday. “It’s not something that’s a one-time hit.”

{mosads}The DOI hosted the databank that was compromised in the first of two major breaches at the Office Personnel Management (OPM).

In early June, the OPM said an intrusion had allowed hackers to make off with 4.2 million federal employees’ personnel records. Officials said digital intruders used a contractor’s credentials to get into the OPM system, then hop over the DOI network where they cracked the personnel database.

A second, more serious, intrusion at the OPM’s own security clearance database also allowed hackers to pilfer sensitive background investigation data on 21.5 million people.

On Wednesday, the House Subcommittee on Information Technology held a hearing to discuss how the suspected Chinese hackers were able to jump from the OPM to the DOI in the first breach.

Apparently an inspector general report that will soon be publicly released found 3,000 security flaws within the DOI’s network.

“If exploited, these vulnerabilities would allow a remote attacker to take control of publicly accessible computers or render them unavailable,” said Mary Kendall, the DOI’s deputy inspector general, told lawmakers. “A remote attacker could then use a compromised computer to compromise the department’s internal networks.”

Several lawmakers expressed concern about the report.

“How confident are you that you have at least the basics down?” Rep. Blake Farenthold (R-Texas) asked Burns.

Burns insisted the agency has been working seven days a week to scramble and fix the risks identified by the agency’s watchdog.

“The bureau has corrected all the vulnerabilities that were identified in that report,” she said.

As part of the White House’s “cybersecurity sprint,” the agency has also been rushing the implementation of two-factor authentication, which requires anyone logging onto the agency’s network to present secondary verification on top of typical login credentials.

By June 26, roughly three weeks after the DOI-related breach was revealed, Burns said the agency had extended two-factor authentication to all of its privileged users, meaning those with access to sensitive data.

And as of Wednesday, Burns said three-quarters of the agency’s unprivileged users were also now using two-factor authentication.

“People have been working around the clock,” she said. “We shared our lessons learned with our other counterparts. We have to all own this problem.”