Beyond the Breach

When hackers in 2011 penetrated a contractor’s computer containing the Social Security numbers of 123,000 federal employee retirement plan participants, fund administrators were unaware of the intrusion, had neglected a series of security audit recommendations, and had no legal recourse against the vendor.

Today, a year after learning of the incident, the Federal Retirement Thrift Investment Board is willing to pay the price for stronger security. There is also a new contractor taking over early next year.

Unfortunately, the Thrift Savings Plan break-in is not an exceptional case. Government systems nationwide, even those maintained by the Homeland Security Department and security contractors like RSA, are compromised every day. And the same episode could happen again at the TSP or any place else. But next time, TSP staff should be better positioned to detect something is amiss, rather than hear about it after the fact from the FBI.

Information technology audits obtained through the Freedom of Information Act, an examination of contract language, and interviews with TSP officials and congressional aides depict an organization in which security measures, in general, were implemented after the fact. A lengthy period elapsed between the time of the breach and the time Serco, the vendor whose network was attacked, found out what happened. In July 2011, intruders successfully targeted the computer of a Serco employee who helped keep track of participant accounts. It was not until April 2012 that the FBI informed Serco and TSP of the incident.

“The investigation into the data taken from the Thrift Savings Plan required months of intensive forensic analysis by FBI personnel from multiple field offices and headquarters divisions because the methods behind the intrusion were sophisticated,” bureau officials said in a statement. “Then the FBI had to execute a legal process that involved outside entities, information that also took time to develop and receive.” Officials said they were unable to discuss how the intrusion occurred.

Alan Hill, Serco’s senior vice president for corporate communications and government relations, portrays the contractor and TSP as “victims of a sophisticated and targeted cyberattack.” When pressed, he acknowledges they could have taken more security precautions. 

Serco maintains a heavy footprint in the government, with more than $450 million in federal contracts last year alone. Federal officials this summer awarded the Reston-based firm a potential $1.2 billion contract to support recordkeeping for the nationwide health insurance exchanges created as part of the 2010 health care overhaul Rep. Darrell Issa, R-Calif., chairman of the House Oversight and Government Reform Committee, has criticized the selection of a company that was unable to prevent the exposure of hundreds of thousands of retirement plan records. Hill says Serco’s responsibilities primarily involve processing paper applications and do not include maintaining IT systems or networks for the exchanges. 

Lack of Controls

It’s worth noting there is no evidence the hackers got into TSP’s network. The compromised machine resided on a Serco-owned network dedicated to TSP operations. And as of mid-July, there was no indication the intruders tried to divert funds or commit financial fraud. But their ambitions might be even more serious, several cybersecurity experts say. “It is important to point out that this company is intimately involved in servicing the U.S. government. We have seen many attacks originating from China against data providers trying to get personal information on military personnel—that very well could be what happened here,” George Kurtz, a former McAfee chief technology officer now at cyber forensics firm CrowdStrike, said after the 2012 revelation. 

Most security specialists use the word “sophisticated” to refer to hacks that are targeted and intent on extracting specific information. In one such maneuver, intruders stole RSA’s proprietary login technology to gain access to RSA-protected defense company networks, including those at Lockheed Martin Corp.

James Lewis, a cybersecurity analyst who advises the Obama administration and Congress, said following the TSP’s announcement he had the impression that “at least one smart country is building a database on [U.S. government] employees, using things like TSP and social networks.” But, he added, “it’s hard to believe they didn’t go after any money.”

During the past year, data entrusted to contractors at several major departments has been exposed. DHS recently discovered that personal details on employees holding security clearances had been unprotected since 2009 because of a glitch in the software a contractor was using. The General Services Administration did not know about the leak of federal contractors’ personal and proprietary information held in an IBM-managed database until a good Samaritan user, whose own information was at risk, told the agency.

Months before the TSP incident, agency officials recognized they were not dedicating enough effort to system protections. “TSP still has a significant amount of work to do as far as the documentation of safety and security procedures,” agency executive director Gregory T. Long stated, according to April 2011 board meeting minutes. Seven months after the TSP breach, but before it became public, auditors from the Labor Department’s Employee Benefits Security Administration and KPMG described the TSP’s oversight of computer access and security controls as a “significant matter.” 

Computer safeguards continued to be a sore spot up until the breach became public. Meeting notes from early 2012 state that Ian Dingwall, chief accountant for the Employee Benefits Security Administration, “expressed concern that not all recommendations related to technology concerns had been addressed by the board.”

Security was still an outstanding issue the month TSP officials learned about the infiltration. Notes from an April 2012 board meeting say that external auditors had “identified 18 policies related to IT controls that were not approved or implemented to date.” Auditors discovered nine inactive accounts on a recordkeeping system, and several former TSP employees did not have system access revoked immediately after leaving the organization. 

A Senate Homeland Security and Governmental Affairs Committee aide told Government Executive that congressional staff felt board members knew about security problems before the assault and didn’t do enough to strengthen defenses. 

The board “rejects the contention that our system security was weak,” TSP spokeswoman Kim Weaver says. “The open audit recommendations deal primarily with process and documentation—operational and management controls—not with the technical controls required to provide security to modern federal computer systems.” She acknowledges, however, that previously, the board might have underspent on security. 

The board’s budget is funded through participant fees. Last year’s board wanted to reduce operating costs, including security expenses, Weaver says. The board “was hampered in its ability to address the open findings more aggressively because of budget constraints,” she says.

The new board has boosted the operating budget, “which enables us to make significant progress toward closing outstanding audit findings, which is a top priority,” Weaver explains. Between 2011 and 2012, the TSP consisted of about 100 full-time employees and a budget that grew by less than $20 million, from $128 million to $143 million. Now, 143 employees are on staff and funding has increased to $171 million.

Security After the Fact

Some of the steps TSP has taken since the incident could serve as a guide for agencies that haven’t yet been hit, cyber researchers and agency officials say.

“Attacks such as the one that happened are always going to happen. There’s no way to prevent them. It’s how are we going to respond, early on,” says Jay Ahuja, the TSP’s chief risk officer. His position and office of seven employees are new. In addition, the agency now has a chief information security officer, with whom Ahuja meets weekly. Other new positions include three information systems security officers. 

The major lesson the board drew from the strike is the “need to improve the segregation of our systems” by customizing access rights for each user and heightening the protection of more critically sensitive data, Weaver says. 

“It looks like a classic example of an organization that didn’t focus on security and had only rudimentary controls in place,” says Ed Skoudis, who estimates that more than 90 percent of the breaches he has examined as a computer forensics expert witness involved a lack of segmentation. Skoudis is the founder of Counter Hack Challenges, which constructed “CyberCity,” a 3-D model town that agencies and businesses use to practice securing power grids and other critical industry networks. 

Describing the audit criticisms “as merely process and documentation shortcomings instead of technical is a lame excuse on their part,” he says. “Without good documented processes, even security that, through luck, is accidentally good over the short term decays rapidly.”

TSP officials disagree that fundamental security was lacking. “We are continuously making improvements to our security posture and architecture,” Weaver says. After the incident, Serco took “corrective actions” to strengthen information protections and limit the likelihood of another intrusion, she adds. Serco will be running the system until Oct. 1 and then help shift the job to a new vendor, Science Applications International Corp., until February 2014.

“If this board had stronger oversight on [Serco] this could have been avoided,” a Homeland Security and Governmental Affairs Committee aide says, referring to the extent of the damage. 

Read the Fine Print

The TSP’s original $32 million recordkeeping agreement with Serco did not include contractual remedies in the event of a data breach. “That is a subject area that has been significantly altered in the new contract with SAIC,” Weaver says. 

The deal with Serco included just three sentences on security requirements, according to documents reviewed by Government Executive. One provision barred the contractor from disclosing details about system protections. Another stipulated that Serco must create an inspection program to safeguard government data, and allow government officials to see Serco’s technical operations. The third was a breach notification clause that required Serco and the agency, in the event of a threat, to “immediately bring the situation to the attention of the other party”—which Serco did.

It has been standard industry practice for more than five years to spell out security requirements for contractors, Skoudis says, adding that clauses should be reviewed each time a pact is updated. “Contractors increasingly handle and store a lot of sensitive information on behalf of government agencies. They need to have just as stringent security controls as the agencies themselves,” he says.

Hill says Serco continually makes cybersecurity enhancements to deal with ever-evolving threats. “Serco remains confident of the safety and security of its systems. Through continuous monitoring and improvement, Serco is vigilant in safeguarding the information and systems with which it is entrusted, and we take cyberattacks very seriously,” he says. 

Weaver says the new agreement with SAIC spells out data breach stipulations at length, including who bears what costs, and includes provisions regarding continuous background screening of personnel and security training. The six-year, $227 million deal was awarded Aug. 9.

But, she adds, “Given the sophisticated nature of the attack, it’s extremely unclear whether the attack would have been prevented even if all open audit recommendations had been fully implemented.”