CEO, Spires testifies on OPM Breach at Congressional hearing
Resilient Network Systems’ CEO, Richard Spires, formerly CIO of the U.S. Department of Homeland Security and of the IRS, was invited to testify before the Senate Appropriations Subcommittee on Financial Services and General Government on June 23, 2015, regarding issues surrounding the Office of Personnel Management (OPM) security breach that exposed personally identifiable information for over 4 million federal employees.
“What we need are [chief information officers] that have the authority to bring best practices,” Mr. Spires said, “and not to allow systems or practices to continue that jeopardize the security of our data and our systems. That has been the problem for decades.” (quotation from The Christian Science Monitor)
Mr. Spires’ personal experience with the variety of known challenges to safeguard sensitive information within public and private information systems led him to join Resilient’s leadership in 2013. “While at the IRS and DHS, I worked closely with the Chief Information Security Officers (CISOs) at both organizations to implement approaches that would address these security vulnerabilities. I also worked across the federal government on these issues, serving for a period as the Vice Chair of the Federal CIO Council and also as the Co-Chair of the Committee for National Security Systems.” (excerpt from Mr. Spires’ testimony)
In addition to his recommendations for addressing IT Security and data protection, Mr. Spires’ testimony presented three “Root Causes of IT Security and Data Protection Vulnerabilities”, summarized here:
The situation in which most federal government agencies find themselves susceptible to data breaches and compromises of core mission IT systems, are the result of three primary root causes, which include:
1. Lack of IT management best practices – The very best cybersecurity defense is the result of managing your IT infrastructure and software applications well. […] The government has failed to effectively adapt with the changes in IT and the evolving cybersecurity threat.
2. Lack of IT security best practices – While well intentioned and appropriate for its time, the Federal Information Security Management Act (FISMA) skewed the approach for government IT information security. Originally passed in 2002, it set a course for how IT security effectiveness has been measured in government. While there are some good components of the law, the unintended consequence is that it forced CISOs to look at the controls for individual systems when in reality, IT systems across the government were already becoming more interconnected and viewing systems in isolation hid the impact on the larger enterprise security posture.
3. Slow and cumbersome acquisition process – The problem is exacerbated for government when funds are available to invest in IT security, yet it is ponderously slow and difficult to buy commercial solutions to help address vulnerabilities.
Although these challenges are common across government, as well as private enterprises, Mr. Spires’ concluded his testimony with hope that the serious breaches discovered in the past year will initiate adoption of available solutions. “Certainly the data breaches at OPM are terrible for the government and for those millions of us [federal employees] that may be negatively impacted in the future. Viewed through the right lens however, this episode can be the impetus for much needed and sustained change.”