The government's failure to centralize database security was a key factor in the massive government hack now roiling the Obama administration.
Even after the damaging intrusion, believed to be from China and possibly affecting well over 18 million people, officials say the government is still struggling to fix the problem.
Legislation passed last December is pushing agencies to address the issue, but networks remain vulnerable in the meantime.
“I don’t think it’s been enough,” said Michael Brown, a former director of cybersecurity coordination for the Department of Homeland Security (DHS) and current vice president at security firm RSA.
“There are organizations that are fighting it tooth and nail,” said Tony Cole, global government chief technical officer at security firm FireEye, which works with a number of government agencies on locking down their networks.
The topic came up repeatedly during all three Capitol Hill hearings held this week about the breach, which occurred at the Office of Personnel Management (OPM).
The OPM “is still negatively impacted by the many years of decentralization,” Michael Esser, OPM’s assistant inspector general for audits, said at a Tuesday hearing.
“As a result of this decentralized governance structure, many security controls went unimplemented and remained untested,” he added.
The agency didn’t even maintain an inventory of all the servers and devices that had access to its networks, according to a November inspector general report.
It’s a failing that has run throughout the government for years, said Andy Ozment, assistant secretary of the Department of Homeland Security (DHS) Office of Cybersecurity and Communication.
“That is the crux of the matter,” he told senators Thursday. “If authority is decentralized within the agency, it’s extremely difficult for the agency to secure [its systems].”
DHS is tasked with helping civilian agencies monitor and defend their networks from digital invaders, although each agency’s chief information officer (CIO) is responsible for securing the agency’s individual system.
But for years, officials and outside experts maintain, CIOs have not been granted the power necessary to control staffing and budgets.
“What you have is multiple attack surfaces that allow for the attackers to gain access to wherever they want to go,” Brown said, “because you don’t have the cohesive environment to be able to defend.”
And when those attackers do slip through the cracks, CIOs are poorly equipped to react, said Christopher Cummiskey, a former acting undersecretary for management at the DHS who oversaw a number of the agency’s cyber efforts.
“It’s a command and control issue,” he said. “When you’re trying to respond to a major breach, you’ve got to the secretary’s office. You can’t rely on your own authorities as a CIO, you’ve got to have air cover.”
The years of disorganized management have also bruised morale across the federal information technology (IT) community, according to several former officials.
“It definitely impacted how long it took to get things done, the ultimate success of those things and the success of CIOs in general,” said Vance Hitch, the Justice Department’s chief information officer from 2002 to 2011. “That rippled down. It certainly had an impact and was frustrating for the people who worked in the office of the CIO. I definitely think those things have created a drag on morale.”
Some said it’s even driven talented officials to the private sector, where security oversight is generally more structured and consolidated under the CIO.
“There’s a lot of trepidation that you’re just one breach away from being pushed out the door,” Cummiskey said.
“It left an unsatisfied feeling everywhere, including the Hill,” Hitch said.
Lawmakers took a crack at bolstering authority for CIOs in legislation passed during Congress’s 2014 lame-duck session. The bill, which updated 2002’s Federal Information Security Management Act (FISMA), also requires each agency to review how it purchases, manages and oversees all IT.
“The overall objective,” Hitch said, is “greater accountability in IT.”
The White House in early June released guidance to help agencies implement the new CIO powers. According to Hitch, who was consulted while the guidance was being created, most agencies have convened a steering committee to help comply with the law.
Agencies are expected to be in full compliance by the end of the year, which Hitch believes is “practical and doable.”
But he warned: “Time is passing.”
“Events happen, things happen like the OPM issue, which ultimately bubble up under the umbrella of the CIO,” Hitch said. “There needs to be major improvement by the end of the year, otherwise I think accountability should be had.”