AUDIE CORNISH, HOST:
Joining us now to talk more about what the government has learned since those cyberattacks is Ann Barron-DiCamillo. She led the Homeland Security Department's efforts to track and respond to cyber incidents. She led the cyber response team that investigated the OPM breach, and she joins us now in the studio. Welcome.
ANN BARRON-DICAMILLO: Thank you very much.
CORNISH: To start, remind us from the investigation what was the reason why this breach was as massive as it was?
BARRON-DICAMILLO: It's hard to get to what I would consider a patient zero trying to figure out what exactly was the entry point that the data thieves used to get into these networks. But I think if you look at the things that we found through the investigation, there was a commonality of using weak authentication.
We saw the adversary's leverage credentials, and the user would even update their password that they could then use brute force attacks to re-compromise those credentials.
CORNISH: What do you make of the reforms that they've tried to put in place? Do you get the sense that the government as a whole has really learned about its vulnerability in cyberspace?
BARRON-DICAMILLO: I think the government understands the risk associated with not addressing these vulnerabilities, and they are starting to put their money where their mouth is in trying to ensure that these systems are being upgraded or modernized. I know there's a really aggressive movement on the Hill to try to help modernize a lot of these legacy or older systems that we're seeing.
And there's money that's coming after that. You have to have the money, and you have to have the time. A lot of these legacy systems can't be brought down because they're mission-critical, and so you have to have an ability to run two systems simultaneously which can cost a lot of money. I think we really have to focus on ensuring that these capabilities that we need to protect our systems, protect our data are done not just on one-offs - that those one-offs happen continuously kind of on top of each other, maybe layers. It's going to take many, many months to ensure that these systems are modernized in a way that's for the safety and benefit of the national security.
CORNISH: Are you a victim of this hack as well? Is your name in there?
BARRON-DICAMILLO: Yes. I got my letter and trying to be an advocate for the constituents. You know, I really focus on trying to look at identity theft and that capabilities that the government's providing towards these victims for ensuring that your identity hasn't been stolen or isn't going to be stolen.
Potentially the identity theft aspect of it is a higher concern to me than the credit card theft because credit card data is quickly identified and also, you know, mitigated by banks. But identity theft is something that can be prolonged for years to come.
CORNISH: What have you done to try and prevent this beyond maybe what services or help the government has offered? What do you recommend to your past co-workers?
BARRON-DICAMILLO: Definitely use the services that are being paid for associated with this. I think that that is the first step. You know...
CORNISH: So don't be dismissive of that.
BARRON-DICAMILLO: Don't be dismissive. Sign up for the service and continue to use it and monitor it. I think you need to monitor your own credit history, your own credit scores. In monitoring that, you know, you have to be an advocate for yourself.
CORNISH: But is it a lifetime of monitoring?
BARRON-DICAMILLO: You know, there's an interesting discussion I heard from OPM that, you know, they should even offer this as part of the federal benefits - is identity theft protection for a lifetime because of the kinds of data that they mandate that we provide to them when we sign up for service in federal government. And I thought that was a great idea.
I think, you know, they should look towards providing this as a benefit just like health care - and that they provide for federal employees because of the kinds of data that is in so many of these systems out there, specifically these older systems that potentially have vulnerabilities that could be exploited.
CORNISH: Ann Barron-DiCamillo is a former DHS cybersecurity expert. She's now with Strategic Cyber Ventures, LLC. Thank you for speaking with us.
BARRON-DICAMILLO: Thank you so much for having me. Transcript provided by NPR, Copyright NPR.