IG: Interior Has 3,000 VulnerabilitiesHouse Panels Explore Link Between Interior IT, OPM Breach
At a hearing on the role the Interior Department played in a recent breach at the Office of Personnel Management, the Interior deputy inspector general painted a picture of how a hacker might have breached the agency's computer system.
Interior Deputy IG Mary Kendall, in remarks prepared for the July 15 House hearing, said an IG investigation of the OPM breach "found that a remote attacker could ... use a compromised computer to attack the department's internal or nonpublic computer networks."
Kendall did not link the nearly 3,000 vulnerabilities the IG found in Interior's IT systems to the OPM breach. However, the IG office characterized the vulnerabilities found in hundreds of publicly accessible computers operated by three of the agency's bureaus as either "critical" or "high-risk." "If exploited," she said, "these vulnerabilities would allow a remote attacker to take control of publicly accessible computers or render them unavailable."
The House Oversight and Governmental Reform Subcommittees on Information Technology and Interior held the joint hearing to explore the role the Department of Interior played in a recent OPM breach. Interior's computers housed OPM personnel file databases in which the personally identifiable information of 4.2 million government employees and retirees was exposed. Another OPM breach, unrelated to the Interior Department, exposed the PII of 21.5 million individuals who had sought security clearances. Agents of the Chinese government are the leading suspects in the cyber-attacks, according to James Clapper, the director of national intelligence.
Loss of Sensitive Data Possible
Kendall, in her prepared remarks, said Interior's internal networks host computer systems that support mission-critical operations and contain highly sensitive data, explaining that a successful cyber-attack against these internal computer networks could severely degrade or even cripple the department's operations, potentially causing the loss of sensitive data.
"These deficiencies occurred because the department did not effectively monitor its publicly accessible systems to ensure they were free of vulnerabilities or isolate its publicly accessible systems from its internal computer networks to limit the potential adverse effects of a successful cyber-attack," she said.
The IG has prepared a report documenting the vulnerabilities related to the OPM breach and made a series of recommendations to mitigate the identified cyberthreats. A draft of the IG report was made available to the committee and department, but has yet to be publicly published. According to the committee's website, the IG identified as areas of high concern the lack of inventory of IT resources as well as the lack of network segmentation between public facing and internal websites.
Interior CIO Sylvia Burns, in her prepared remarks, acknowledged the IG's findings and recommendations, promising lawmakers that the department will incorporate the recommendations in its cybersecurity action plan. She said the vulnerabilities identified by the IG have been corrected by the three bureaus. Neither witness identified the three bureaus in their prepared testimonies.
"The department takes the privacy and security of its IT systems and data very seriously," Burns said. "The department immediately and aggressively responded to the recent cyber intrusion resulting in the loss of OPM data."
On June 26, she said, the department implemented strong authentication for all privileged users across the department. "Two-factor authentication provides strong controls to ensure that only authorized users, whether a system administrator or regular end-user, are able to gain access to DOI's IT systems," she said. "This protects us from intruders who can compromise usernames and passwords to gain access to our network."
Need for More Examiners
Kendall, in her testimony, said the increased cyberthreat facing Interior means the IG office needs additional examiners.
She said Congress provided the funding for the IG to hire two IT audit staffers for the current fiscal year, which ends Sept. 30, but did not fund a request for fiscal year 2016, which begins Oct. 1, to hire a dedicated staffer for its insider threat program. She said the IG's fiscal year 2017 budget request would seek funding for two IT staffers to conduct cybersecurity audits.