“Not If, but When” - Reflections on the OPM Breach

In my previous lives as a special agent in the FBI and also as the CSO of major U.S. corporations, I had to undergo periodic background investigations, usually every five years. I hold government clearances, and it was simply one of the conditions under which those benefits were conveyed. These investigations involve essentially a review of personal, in-depth information about not only me, but also my peers, my family, and many others with whom I’ve had some form of connection.

If there’s anyone whose personal information was ‘out there,’ and who felt the pain of last year’s Office of Personnel Management (OPM) compromise, believe me, I was there among them. One might then ask me, being one of the archetypal victims of that breach, was I not inclined to pick up a stone and cast it when I heard the news? The short answer to that is “no.”

Why? Because of what many of you already know about the attack landscape: it’s all a bit too easy.

Detection vs. Prevention

Those of us who have spent decades in the security and cybersecurity professions know that it is painful whenever we see a peer fall. Empathy kicks in, and we hear ourselves whisper under our breath, “It can happen to anyone”. We begrudgingly find ourselves forced to accept the fate that we will, more likely than not, also be compromised someday in the near future.

Following my departure from the FBI, I went on to head up strategy and tactical operations for internal global security services at some of the largest companies in the world, including one of the biggest global IT companies. There, I fully realized the sheer enormity of the challenge that all of us in the security industry currently face—the fact that, on any given day, we could only count on a low percentage of efficacy from our antivirus partners when it came to protecting us and our data from the ‘bad guys’. In my experience, at their absolute best, even the top brands in traditional antivirus could boast only a partial ‘detection and prevention’ rate. A significant percentage of attackers continued to approach us unabated, in full force and fury, hitting us and our partners with all the assorted unpleasantries that the underground cybercriminal world could throw at us.

With that stark reality delineating our world for decades, we worked hard to manage the expectations that our upper leadership placed upon us. We thought that if we forewarned our leaders often enough about the anemic nature of our traditional, signature-based defenses – i.e. that we were likely to have a breach on any given day – then, when these kinds of adversarial events inevitably happened, we would have at least softened the blow. We wanted our leadership to be prepared for what we knew was coming, so instead of asking us, “How could this have happened?” they could instead turn their attention to more pressing and intelligent questions, such as “How efficiently and effectively have we mitigated the effects of the attack?” and “How acutely have we leveraged the lessons learned?”

That’s essentially how we managed the expectations of our leaders and drove those conversations in the past, having felt forced to accept the mantra: “It’s not if, but when.”

Sticks and Stones

I have to admit that in that effort to manage the expectations of our leaders, I was out there at the front of the pack. I had worked shoulder to shoulder for years with my security industry brothers and sisters, experiencing firsthand the impact of these unmitigated risks, ever hanging over us like the Sword of Damocles. This situation existed in large part due to our inability to rely on our front-line partners, the legacy signature-based antivirus vendors, to deflect the massive amount of malware that comes at us every day.

It always galled me professionally, having to accept that mantra: “it’s not if, but when”. However, not accepting it, and failing to adequately prepare our leaders, meant there was a good chance that one day soon, they were going to come to us and ask, “How the heck did you ever allow this to happen?”

So when I hear of a government partner affected in the way that OPM was affected by their data breaches in 2014 and 2015, I feel their pain at the most basic and personal level. It’s tempting, in part because of the trust with which we’ve endowed them, to demand of our government, partners or organizations a higher level of sophistication – a level of performance the rest of us have not been able to achieve. But at the end of the day, those of us who’ve seen and done battle with the enemy close up have felt their prowess and do not underestimate their capabilities. That knowledge causes us to step back and be a little less inclined to cast aspersions.

Until the day I heard of Cylance, I had assumed that a better way forward was beyond our technical grasp.

Healing the Scars

There’s a phrase, common among those who practice in our industry, that if you haven’t experienced a compromise or breach yet, you either a) haven’t been in the profession long enough, b) don’t have anything worth stealing, or c) have yet to discover it. For the rest of the larger community, an appreciation of this reality may be lost as they hear the news of yet another data breach or banking compromise, and look for someone to blame.

Here at Cylance, we appreciate that our OPM partners should be commended for trying to do the right thing when the 2015 breach was discovered. As a company, we felt fortunate to have been engaged to assist them in bolstering their overall security posture. It was that joint effort that produced the shocking discovery that the personal background information of 21.5 million people had already been stolen.

While that discovery was painful, it reflected the positive fact that OPM was, as an organization, looking forward beyond its peers, embracing the new paradigm of the future: the artificially intelligent, machine learning powered capabilities of Cylance’s products and services.

Following the initial internal suspicion of a data breach, OPM made the unprecedented decision to engage with Cylance immediately and to deploy us enterprise-wide and in prevention mode in a matter of four days. OPM knew that Cylance was the only solution to detect and mitigate the attack, and concluded that if they had us deployed before the barbarians approached the gate, they would have completely prevented this particular breach. Their brave leap of faith in us and our technology to close the gap in their armor – once the exclusive role of their internal IT team – will go down as one of the boldest events in modern cybersecurity history. It was in that effort that we locked shields with them and not only discovered countless compromises beyond the initial breach, but also cleaned up a very unclean environment formerly ‘protected’ by legacy antivirus. OPM took immediate and effective action, leveraging our partnership to assist them in turning the adversary aside and protecting against future attacks.

I hold OPM’s efforts to remediate the situation in the highest regard, particularly since I yet bear what William Shakespeare described as “wounds that never felt a scar.” Most of us in the industry carry those fresh yet unhealed wounds of compromise. They leave us a little more sympathetic when it comes to an occasion where we might otherwise be inclined to hurl stones, slings and arrows at someone or something we hoped would have had greater protection in place.

At Cylance, we take no small solace in that prowess, acknowledged in this week’s very thorough report by the majority staff of the House Committee on Oversight and Government Reform, which chronicles this tale in greater detail. We are proud and honored to have served as a partner to an organization as critical to our national security as OPM. Even though the breach was a ‘bad news day’ for the security industry, we were grateful that we could bring to bear the benefits of a liberating technology: CylancePROTECT®. Our artificially intelligent endpoint security product uses machine learning and math to stop malware and cyberattacks dead, preventing everyday and advanced threats, all pre-execution. It obliterates the old way of thinking and replaces it with something completely different.

New Thinking for a New Age

Thomas Kuhn in his book The Structure of Scientific Revolutions wrote of the need for a periodic refresh of society – he recognized that every once in a while, we need a profound change in our way of thinking. As I look at the paradigm shift that we’re now asking the world to entertain, as we unveil our transformative technology, it occurs to me that what we’re up against is a formidable and entrenched way of thinking. It’s similar to what Copernicus himself faced almost six centuries ago, when he went up against his Ptolemaic predecessors, disproving their belief that the earth was the center of the universe.

The AV industry has been telling us for decades that signature-based AV is the way to go – that those signatures and the labor-intensive and costly operations involved in their production are still the centers of the universe – despite mounting evidence to the contrary. Legacy vendors need us to believe that the deficiencies of the past can be overcome if they can just figure out how to create their outdated signatures more quickly. They argue that we just need to stay in step with the bad guys, despite the fact that signatures have historically always been a day late and a dollar (if not a million dollars) short.

Looking forward to a future where artificial intelligence and machine learning constitute the dawning of a new era in so many different fields, I personally believe that Cylance has launched within the AV industry a scientific revolution, the excitement of which hasn’t been felt in decades. It’s a changed age, and we look forward to applying with you this new way of doing battle as we seek to protect “everyone under the sun,” liberating and making the world a better place.

John McClurg
Cylance VP and Ambassador-at-Large