Today, during a White House press briefing, press secretary Josh Earnest delivered little information about the attack on the U.S. Office of Personnel Management (OPM).
Instead, he offered a few forward-looking statements about the importance of information sharing between the public and private sector as a way to prevent such attacks, echoing sentiments presented at President Obama’s cybersecurity summit earlier this year. Since hackers often use the same method to attack multiple victims, many believe that sharing data about breaches will help companies stem future attacks.
“The problem is, in order to facilitate that kind of information sharing between the private sector and the federal government, it requires an act of Congress,” said Earnest.
The OPM, which serves as a human resources department for civil servants, first acknowledged a breach of its system yesterday. As many as four million records containing personally identifiable information of current and former government employees may have been exfiltrated. The OPM says it will begin notifying affected parties starting on June 8.
Federal officials said that they believe the attack may have originated from China; however, the White House refused to address this information, saying only that the Federal Bureau of Investigation is looking into the matter and that they haven’t concluded who was responsible for the attack.
The OPM first learned of the attack in April when the agency was upgrading its cybersecurity efforts. It’s uncertain when the system was first infiltrated or for how many months attackers had access to OPM’s network.
“There is a general notion that government agencies unilaterally have their act together when it comes to protecting their information assets; this is fundamentally false,” said Jay Kaplan, former National Security Agency analyst and CEO of Synack.
Security experts say that the attack is just the latest evidence that the government has not put enough resources into protecting its data from cyber thieves. OPM suffered an attack roughly a year ago that seemed targeted at individuals who had applied for top-secret security clearances. Other agencies, like the Postal Service, the State Department, and the White House, have all reported hacks in the past.
“The fact that we have no idea how long these attackers have been inside of the OPM is one that should keep the Government up at night. Our investment in cyberwarfare defense needs to increase at the same rate in which hackers are stepping up their game. Otherwise, our data and people are at risk,” said Jesse McKenna, director of project management at cyberthreat researcher vArmour.
White House press secretary Earnest noted that while legislation allowing for information sharing between the public and private sector is necessary, the government will be taking other steps to strengthen its cybersecurity efforts.
Earnest said the government will be rolling out the next generation of its intrusion detection system, Einstein 3, earlier than planned.