US Office of Personnel Management Hires Expert on Cyber-Security
The government's personnel agency announced Wednesday that it has hired a full-time cyber-security expert to help modernize its fleet of aged computer systems following a massive breach of US personnel records.
Clifton Triplett says his mission is twofold: To create a "new culture of security" at the Office of Personnel Management and upgrade some of the oldest information technology systems in government - quickly. He will serve as as the senior cyber and information technology adviser to the acting OPM Director Beth Cobert.
"Some of it's organizational," Triplett said in an interview before his new role was announced. "We need to create a new culture that [computer] security is part of our lives, and make sure our employees and contractors understand that." So if there is another potential intrusion by cyber thieves, "How do we react more rapidly?" Triplett said. "It's retooling to some extent, training the workforce and the organizational structure" of who does what.
Triplett, 57, who is moving to Washington from Houston, has built a reputation as a cyber-security and IT fix-it - and build-it -guy for the private sector, helping Fortune 200 companies in defense, telecommunications, oil field services, tractor, automotive and aerospace do what he's come to the government to do. A West Point graduate who attained the rank of major, he worked on computer security for almost a decade at the Defense Department.
In his new job, the stakes are particularly high. The breaches, which the Obama administration believes were carried out by the Chinese government, exposed the personal data of more than 22 million people in their employment and background investigation files. It included Social Security numbers, performance evaluations, and even the names of family members and friends who were listed as references on millions of applications for security clearances.
OPM, through a contractor, is notifying the victims that their information may have been compromised and offering them identity theft protections.
Now, the agency is focusing on how to permanently shore up its systems to prevent new attacks.
What made the systems so vulnerable is their age. "Let's go back to some of the route causes," Triplett said. "At the time these systems were created, the whole cyber threat was focused as something that might happen at defense or intelligence agencies, not a [human resources] system."
And those agencies addressed the threats much earlier, he said. But for an agency focused on human resources for federal employees, "The people who wrote the applications at the time. . . . This wasn't their forte," he said. "They wrote stuff that was for onboarding personnel records." It's the same problem a lot of companies have: "Legacy systems that were never designed with security in mind."
Since the breaches were discovered in recent months, OPM has put in place "many band-aids," Triplett said, as well as security fixes the agency says are permanent. Now the task is to install advanced security firewalls, continuous monitoring of its systems and other measures to prevent cyber-attacks.
Triplett said he is anxious to consult with the agency's inspector general, who has been critical of its efforts to upgrade its IT systems and who brought his concerns into the open at to numerous congressional hearings on the breaches.
Of course, modernizing these systems will be costly and require new funding from Congress, another battle in confronting cyber threats.