Jay Ahuja, the TSP’s chief risk officer, says attacks will still happen but early response will make the difference. Stephen Voss

Beyond the Breach

The Thrift Savings Plan bounces back from the theft of personal data on thousands of beneficiaries.

When hackers in 2011 penetrated a contractor’s computer containing the Social Security numbers of 123,000 federal employee retirement plan participants, fund administrators were unaware of the intrusion, had neglected a series of security audit recommendations, and had no legal recourse against the vendor.

Today, a year after learning of the incident, the Federal Retirement Thrift Investment Board is willing to pay the price for stronger security. There is also a new contractor taking over early next year.

Unfortunately, the Thrift Savings Plan break-in is not an exceptional case. Government systems nationwide, even those maintained by the Homeland Security Department and security contractors like RSA, are compromised every day. And the same episode could happen again at the TSP or any place else. But next time, TSP staff should be better positioned to detect something is amiss, rather than hear about it after the fact from the FBI.

Information technology audits obtained through the Freedom of Information Act, an examination of contract language, and interviews with TSP officials and congressional aides depict an organization in which security measures, in general, were implemented after the fact. A lengthy period elapsed between the time of the breach and the time Serco, the vendor whose network was attacked, found out what happened. In July 2011, intruders successfully targeted the computer of a Serco employee who helped keep track of participant accounts. It was not until April 2012 that the FBI informed Serco and TSP of the incident.

“The investigation into the data taken from the Thrift Savings Plan required months of intensive forensic analysis by FBI personnel from multiple field offices and headquarters divisions because the methods behind the intrusion were sophisticated,” bureau officials said in a statement. “Then the FBI had to execute a legal process that involved outside entities, information that also took time to develop and receive.” Officials said they were unable to discuss how the intrusion occurred.

Alan Hill, Serco’s senior vice president for corporate communications and government relations, portrays the contractor and TSP as “victims of a sophisticated and targeted cyberattack.” When pressed, he acknowledges they could have taken more security precautions. 

Serco maintains a heavy footprint in the government, with more than $450 million in federal contracts last year alone. Federal officials this summer awarded the Reston-based firm a potential $1.2 billion contract to support recordkeeping for the nationwide health insurance exchanges created as part of the 2010 health care overhaul. Rep. Darrell Issa, R-Calif., chairman of the House Oversight and Government Reform Committee, has criticized the selection of a company that was unable to prevent the exposure of hundreds of thousands of retirement plan records. Hill says Serco’s responsibilities primarily involve processing paper applications and do not include maintaining IT systems or networks for the exchanges.

Lack of Controls

It’s worth noting there is no evidence the hackers got into TSP’s network. The compromised machine resided on a Serco-owned network dedicated to TSP operations. And as of mid-July, there was no indication the intruders tried to divert funds or commit financial fraud. But their ambitions might be even more serious, several cybersecurity experts say. “It is important to point out that this company is intimately involved in servicing the U.S. government. We have seen many attacks originating from China against data providers trying to get personal information on military personnel—that very well could be what happened here,” George Kurtz, a former McAfee chief technology officer now at cyber forensics firm CrowdStrike, said after the 2012 revelation. 

Most security specialists use the word “sophisticated” to refer to hacks that are targeted and intent on extracting specific information. In one such maneuver, intruders stole RSA’s proprietary login technology to gain access to RSA-protected defense company networks, including those at Lockheed Martin Corp.

James Lewis, a cybersecurity analyst who advises the Obama administration and Congress, said following the TSP’s announcement he had the impression that “at least one smart country is building a database on [U.S. government] employees, using things like TSP and social networks.” But, he added, “it’s hard to believe they didn’t go after any money.”

During the past year, data entrusted to contractors at several major departments has been exposed. DHS recently discovered that personal details on employees holding security clearances had been unprotected since 2009 because of a glitch in the software a contractor was using. The General Services Administration did not know about the leak of federal contractors’ personal and proprietary information held in an IBM-managed database until a good Samaritan user, whose own information was at risk, told the agency.

Months before the TSP incident, agency officials recognized they were not dedicating enough effort to system protections. “TSP still has a significant amount of work to do as far as the documentation of safety and security procedures,” agency executive director Gregory T. Long stated, according to April 2011 board meeting minutes. Seven months after the TSP breach, but before it became public, auditors from the Labor Department’s Employee Benefits Security Administration and KPMG described the TSP’s oversight of computer access and security controls as a “significant matter.” 

Computer safeguards continued to be a sore spot up until the breach became public. Meeting notes from early 2012 state that Ian Dingwall, chief accountant for the Employee Benefits Security Administration, “expressed concern that not all recommendations related to technology concerns had been addressed by the board.”

Security was still an outstanding issue the month TSP officials learned about the infiltration. Notes from an April 2012 board meeting say that external auditors had “identified 18 policies related to IT controls that were not approved or implemented to date.” Auditors discovered nine inactive accounts on a recordkeeping system, and several former TSP employees did not have system access revoked immediately after leaving the organization. 

A Senate Homeland Security and Governmental Affairs Committee aide told Government Executive that congressional staff felt board members knew about security problems before the assault and didn’t do enough to strengthen defenses. 

The board “rejects the contention that our system security was weak,” TSP spokeswoman Kim Weaver says. “The open audit recommendations deal primarily with process and documentation—operational and management controls—not with the technical controls required to provide security to modern federal computer systems.” She acknowledges, however, that previously, the board might have underspent on security. 

The board’s budget is funded through participant fees. Last year’s board wanted to reduce operating costs, including security expenses, Weaver says. The board “was hampered in its ability to address the open findings more aggressively because of budget constraints,” she says.

The new board has boosted the operating budget, “which enables us to make significant progress toward closing outstanding audit findings, which is a top priority,” Weaver explains. Between 2011 and 2012, the TSP consisted of about 100 full-time employees and a budget that grew by less than $20 million, from $128 million to $143 million. Now, 143 employees are on staff and funding has increased to $171 million.

Security After the Fact

Some of the steps TSP has taken since the incident could serve as a guide for agencies that haven’t yet been hit, cyber researchers and agency officials say.

“Attacks such as the one that happened are always going to happen. There’s no way to prevent them. It’s how are we going to respond, early on,” says Jay Ahuja, the TSP’s chief risk officer. His position and office of seven employees are new. In addition, the agency now has a chief information security officer, with whom Ahuja meets weekly. Other new positions include three information systems security officers. 

The major lesson the board drew from the strike is the “need to improve the segregation of our systems” by customizing access rights for each user and heightening the protection of more critically sensitive data, Weaver says. 

“It looks like a classic example of an organization that didn’t focus on security and had only rudimentary controls in place,” says Ed Skoudis, who estimates that more than 90 percent of the breaches he has examined as a computer forensics expert witness involved a lack of segmentation. Skoudis is the founder of Counter Hack Challenges, which constructed “CyberCity,” a 3-D model town that agencies and businesses use to practice securing power grids and other critical industry networks. 

Describing the audit criticisms “as merely process and documentation shortcomings instead of technical is a lame excuse on their part,” he says. “Without good documented processes, even security that, through luck, is accidentally good over the short term decays rapidly.”

TSP officials disagree that fundamental security was lacking. “We are continuously making improvements to our security posture and architecture,” Weaver says. After the incident, Serco took “corrective actions” to strengthen information protections and limit the likelihood of another intrusion, she adds. Serco will be running the system until Oct. 1 and then help shift the job to a new vendor, Science Applications International Corp., until February 2014.

“If this board had stronger oversight on [Serco] this could have been avoided,” a Homeland Security and Governmental Affairs Committee aide says, referring to the extent of the damage. 

Read the Fine Print

The TSP’s original $32 million recordkeeping agreement with Serco did not include contractual remedies in the event of a data breach. “That is a subject area that has been significantly altered in the new contract with SAIC,” Weaver says. 

The deal with Serco included just three sentences on security requirements, according to documents reviewed by Government Executive. One provision barred the contractor from disclosing details about system protections. Another stipulated that Serco must create an inspection program to safeguard government data, and allow government officials to see Serco’s technical operations. The third was a breach notification clause that required Serco and the agency, in the event of a threat, to “immediately bring the situation to the attention of the other party”—which Serco did.

It has been standard industry practice for more than five years to spell out security requirements for contractors, Skoudis says, adding that clauses should be reviewed each time a pact is updated. “Contractors increasingly handle and store a lot of sensitive information on behalf of government agencies. They need to have just as stringent security controls as the agencies themselves,” he says.

Hill says Serco continually makes cybersecurity enhancements to deal with ever-evolving threats. “Serco remains confident of the safety and security of its systems. Through continuous monitoring and improvement, Serco is vigilant in safeguarding the information and systems with which it is entrusted, and we take cyberattacks very seriously,” he says. 

Weaver says the new agreement with SAIC spells out data breach stipulations at length, including who bears what costs, and includes provisions regarding continuous background screening of personnel and security training. The six-year, $227 million deal was awarded Aug. 9.

But, she adds, “Given the sophisticated nature of the attack, it’s extremely unclear whether the attack would have been prevented even if all open audit recommendations had been fully implemented.”
