CRS scrutinizes the OPM breach
A new report serves as a useful backgrounder for anyone looking for a quick yet detailed review of the circumstances surrounding the breach.
What: "Cyber Intrusion into U.S. Office of Personnel Management: In Brief," a Congressional Research Service report.
Why: In its typically thorough fashion, CRS recaps the discovery, announcement and reaction to the breach of the personnel database at OPM. Nothing new is revealed, but the story is well organized to meet the needs of CRS’s first audience – Congress – and serves as a useful backgrounder for others looking for a quick yet detailed review of the circumstances surrounding the breach.
The report includes a wrap up of what data was exposed, and reminds readers that "the two breaches revealed in June 2015 are not the first incidents targeting OPM databases containing such sensitive information."
CRS also delves into who might be responsible, with a strong focus on China, but notes that "criminal charges appear to be unlikely."
The report also provides a rundown of possible legislative responses, and suggests questions that lawmakers need to answer, such as: "Are the current authorities and requirements under FISMA sufficient, if fully implemented, to protect federal systems from future intrusions such as the most recent OPM intrusions? If not, what changes are needed to sufficiently reduce the level of risk?"
Verbatim: "Some in the national security community have compared the potential damage of the OPM breaches to U.S. interests to that caused by Edward Snowden's leaks of classified information from the National Security Agency. Yet the potential exists for damage beyond mere theft of classified information, including data manipulation or misinformation. While there is no evidence to suggest that this has happened, hackers would have had the ability, some say, while in U.S. systems to alter personnel files and create fictitious ones that would have gone undetected as far back as 2012."
Full report: Read the CRS report here.