Just a little over a year ago, in one of the most infamous cyberattacks in the United States to date, cybercriminals hacked into the records of the U.S. Office of Personnel Management, stealing the personal information of more than 22 million federal employees. While devastating, the breach has inspired swift action on cybersecurity, and the OPM has learned from its mistakes.
For example, a phishing exercise conducted for the OPM by the Department of Homeland Security went much better than planned. The DHS, which staged a practice attack, could not even get in the door without help from the OPM – all of the agency’s defenses had to be intentionally lowered for the DHS to gain access to individuals’ files.
Beth Cobert, the acting director of the agency, credits this marked improvement in cybersecurity to the OPM’s employment of new, more powerful security technology, a better understanding of the issue on the part of its senior leaders and a change in the overall culture of the agency. At the heart of these changes is an acknowledgement that cybersecurity is not just an issue for IT. “It is a management issue. It is a leadership issue. It is a legal issue. It’s a privacy issue and you’ve got to bring all those disciplines together to think about what are we doing to protect our assets, what are we doing to defend ourselves against attacks when they occur, and what are we doing to provide services to people who’ve been affected?” said Cobert.
The attack wasn’t just a wakeup call for the OPM, but also for many other government agencies. It inspired the Office of Management and Budget to embark on a “cyber sprint” just a month after the breach, and prompted the Transportation Security Administration to invest heavily in cybersecurity over the past year. Although some agencies lag behind and cyber remains a vexing and rapidly evolving issue, it is clear that many positive changes have occurred since the OPM breach.