Capitol Hill staffers learn what really happens when there’s a data breach

In the past three years, U.S. lawmakers have struggled to nail down key details of how two of the biggest data breaches in history affected the public and private sectors.

“How far back does your information database go that was compromised?” former Utah Rep. Jason Chaffetz demanded of then-Office of Personnel Management director Katherine Archuleta at a June 2015 hearing. Chaffetz berated Archuleta for failing to secure OPM’s IT systems, from which alleged Chinese hackers extracted data on 22 million current and former federal workers.

“I just hope we get to the bottom of this…because this is a mess,” Rep. Ben Ray Luján, D-N.M., said in October after questioning former Equifax CEO Richard Smith on when he knew hackers had struck the credit-reporting firm. The breach compromised data on 148 million people.

To try to demystify future breach-related discussions on Capitol Hill, cybersecurity firm FireEye held a quiet training session for roughly 40 Senate and House staffers last month.

“There’s just so much ambiguity around what happens during these types of incidents that we wanted to highlight as an example of how complex it is,” Stacy O’Mara, FireEye’s director of government relations, told CyberScoop.

The goal of the drill was to help staffers and their bosses understand that multiple variables – from remediating malware to notifying regulators – can affect the timing of a data-breach response.

The scenario was akin to a cyber war game: A fictional brokerage firm was attacked by hackers, who stole a 700-MB email archive that compromised personally identifiable information tied to customers and employees. A panel comprised of executives from FireEye and its forensics unit Mandiant; an independent lawyer; and David Martin, who heads the FBI’s Cyber Action Team, walked through the various legal and security considerations involved in responding to the incident. (Equifax hired Mandiant to recover from its breach. However, the victim organization in the exercise did not resemble any past or present FireEye or Mandiant clients, O’Mara said.)

Christopher Long, who leads the not-for-profit Center for Public Policy Innovation, said the drill highlighted the potential tension between the victim organization, law enforcement and private forensic experts. For example, the victim may want to immediately evict the hackers from its networks, while investigators may want to observe their behavior to see if it is connected to a broader campaign.

With so many stakeholders involved, “you quickly see how complicated [responding to a breach] can be,” Long, whose group held the exercise, told CyberScoop.

In another twist, the fictional attackers pinged the company’s overseas server, according to Long, which in real life might prompt the FBI to loop its foreign counterparts into the investigation.

“The [exercise] moderators were able to explain the technical and legal challenges faced by companies who experience such incidents,” the FBI’s Martin told CyberScoop. “The level of complexity in a modern computer network is such that computer intrusions often constitute massive, virtual crime scenes that may take time to fully understand.”

The 90-minute exercise covered a month of fictional events, from when malicious activity first surfaced on the firm’s network to when executives started telling the outside world about the hack. On the seventh day, the FBI told the firm it had found the stolen cache of emails, including some from its general counsel and managing partner.

The attendees, which included staffers assigned to appropriations and homeland security committees, were encouraged to interrupt the session to ask questions. The questions and answers helped emphasize that a “single determination in an incident response does not mean that’s the end of it – that it’s continuously evolving,” O’Mara said.

One of the key takeaways was learning that an initial estimate of those impacted can balloon as breach investigations proceed. In March, six months after the Equifax breach was made public, the company updated its victim tally by 2.4 million.

Getting serious

Lawmakers have come a long way in recent years in prioritizing cybersecurity, with more staff now devoted to the issue, according to Long.

Five to 10 years ago, “there was general awareness but not a lot of action,” he told CyberScoop. The OPM breach, however, was a “catalyst” in that it “validated those [lawmakers] that were out there talking about cyber risk in government,” Long added.

Legislators today draw on a generation of young, cybersecurity-savvy staffers – some of whom participated in the exercise – to navigate technical issues.

“These [people] are young, they get it, they understand technology,” Long said. “So it is really important that, where we can provide some unique experiences for them to better understand the whole cyber environment, that we do that.”

The fallout from the OPM and Equifax breaches was messy – top officials lost their jobs, and recovery costs are in the hundreds of millions of dollars. Last month’s drill on Capitol Hill could help lawmakers next time they try to pick up the pieces after an attack.