OPM now has its hands full

May 20, 2024

Driving the day

— The Office of Personnel Management is racing to address a spate of federal benefits fraud that is allowing criminals to filch up to a few thousand dollars from unsuspecting U.S. government employees, MC has learned.

HAPPY MONDAY and welcome to MORNING CYBERSECURITY! It’s the John and Joseph show this week, so we’re going to have to find some new ways to divide and conquer the cyber beat. I’ll be probing for news, while John will manage our hate mail folder. Just be sure to start your communiques with “Dear John” to make his life easier.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X, formerly Twitter, at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.

JOIN 5/22 FOR A TALK ON THE FUTURE OF TAXATION: With Trump-era tax breaks set to expire in 2025, whoever wins control of Congress, and the White House will have the ability to revamp the tax code and with it reshape the landscape for business and social policy. Join POLITICO on May 22 for an exploration of what is at stake in the November elections with our panel dissecting the ways presidential candidates and congressional leaders are proposing to reshape our tax rates and incentives. REGISTER HERE.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Today's Agenda

The General Services Administration is holding a Federal Secure Cloud Advisory committee meeting to review their annual report and determine the committee’s next priorities. 11:00 a.m.

At the Agencies

EXCLUSIVE: ITS FRAUDSTERS VS OPM — OPM is responding to a burst of cyber-enabled fraud in which unknown crooks are trying to siphon off money from several hundred flexible spending accounts of federal workers, according to two people familiar with the investigation.

HealthEquity, the vendor that operates the Federal Flexible Spending Account Program, informed OPM in recent days that someone was forging accounts on behalf of U.S. government personnel — or in some cases, illegally accessing existing accounts — according to the two people. Both were granted anonymity due to the ongoing nature of the probe.

— Modest, for now: While the FSA program sponsored by OPM is widely used across government agencies, thus far the swindle appears to be somewhat modest. According to the government’s latest estimate, one of the people said, it has netted just a few hundred thousand dollars overall.

— How it works: Under the voluntary program, enrolled federal employees can use pre-tax dollars to pay for out-of-pocket health care or dependent expenses, which are then reimbursed. But the fraudsters are using fake or hacked accounts to get paid for false claims ranging from less than $30 to a few thousand dollars, according to both people.

— We’re on it: In a statement, a OPM spokesperson said it was notified by a third-party vendor — though it didn’t name HealthEquity — about a “rise in fraudulent activity” and that it is trying to address it.

“OPM is working with the vendor to secure impacted accounts, compensate impacted individuals, and implement additional anti-fraud controls,” an OPM statement reads.

— The cyber angle: The activity does not appear to be the result of a breach of internal systems at OPM or HealthEquity, although the investigation is ongoing, the two people said. That’s consistent with something OPM asserted in its statement: “At this time, there is no evidence that OPM or our vendors’ systems have been compromised in any way.”

One leading theory, the second person said, is that crooks are instead scraping federal employees’ sensitive personal data off the dark web, and using it to create HealthEquity accounts for unenrolled individuals or submit false claims on behalf of existing users whose accounts they have hacked.

— Whence 2FA: When asked a series of questions about the incident, including whether federal employees were required to use two-factor authentication to access their accounts, a standard security measure, a spokesperson for HealthEquity referred MC back to OPM.

The first individual said that the government is working with HealthEquity on a variety of measures, including ensuring they have two-factor authentication in place. They also said the government is in touch with law enforcement about it.

— It takes a village: While OPM and HealthEquity are working to address the issue, both people encouraged federal employees to double-check that none of their hard-earned money is going out the door — and if it is, to report it. For now, that means carefully reviewing FSA accounts or earnings statements for suspicious activity.

Industry Intel

AIMING AT YOUR CLOUD — Google is seizing on a major breach at Microsoft and a damning U.S. cybersecurity watchdog report to call for three steps they believe will radically improve federal cyber defenses, in what amounts to a thinly veiled criticism of its rival’s security practices.

In a strongly worded blog post today, the tech giant applauded the Cyber Safety Review Board’s recent findings, which detailed “significant security failures” at Microsoft that were exploited by state-linked hackers.

The CSRB report and breach underscore a “a long overdue, urgent need to adopt a new approach to security,” Google warns. The company adds that it shared details with the board about its own experience fending off the same hacking group over 14 years ago in the Operation Aurora incident.

— The demands three: Google is urging governments around the world to take three immediate steps to fix what it calls Microsoft’s “devastating, preventable errors.”

Procure only “secure-by-design” products that undergo rigorous security review from the outset, rather than Microsoft’s “afterthought add-on” approach.
Give security a formal seat at the table, with major incidents triggering recertification of products. They cite CISA’s exploited vulnerability list by saying contracts should hing on past security performance.
Ditch Microsoft’s “monolithic” tech stack for a multi-vendor approach to dealing with what they call a “concentration risk” that comes from a single breach devastating entire organizations

— Not exactly surprising here: Though not directly criticizing Microsoft, a senior Google Cloud executive told Morning Cyber there are real risks that come with concentrating cyber capabilities under a single vendor during the RSA Conference in San Francisco.

"There's always a risk in concentrating on one single platform across the government, no matter the company," Sandra Joyce, vice president of threat intelligence at Google Cloud told MC in an interview. "Having a choice is a very positive thing for an agency or for individuals."

— Throwing shade: Google’s combative stance tees up its latest effort to convince governments to ditch Microsoft products for its own competing cloud, email and cyber offerings under the banner of increased digital resilience.

— What’s next: Microsoft is also on the hook for a possibly forthcoming House Homeland Security hearing this week with President Brad Smith, though the timing hasn’t yet been officially confirmed.

Surveillance

FACIAL RECOGNITION LOOPHOLE — Some police departments are finding creative ways to sidestep local bans on facial recognition technology by outsourcing the controversial searches to neighboring law enforcement agencies, according to a review of police documents by The Washington Post.

Police in Austin and San Francisco have repeatedly asked cops in other towns to run facial recognition searches for them despite city bans, the Post found.

— What that looks like: Austin officers have received facial recognition results from nearby Leander police at least 13 times since Austin's 2020 ban, documents show. One Austin cop responded, "That's him! Thank you very much," after being sent matches by Leander. In San Francisco, police made at least five outside requests for facial recognition searches after the city's 2019 ban took effect.

— What it means: The result and revelations suggest a lack of enforcement and the challenges that come with reining in the long claw of the law’s use of the imperfect AI tech, which prompted bans over concerns with accuracy and bias in 21 localities.

It still remains to be seen whether that just means cities will crack down harder or come up with legislation with more teeth, or if more of the bans are simply doomed to have workarounds.

DON’T MISS POLITICO’S ENERGY SUMMIT: The future of energy faces a crossroads in 2024 as policymakers and industry leaders shape new rules, investments and technologies. Join POLITICO’s Energy Summit on June 5 as we convene top voices to examine the shifting global policy environment in a year of major elections in the U.S. and around the world. POLITICO will examine how governments are writing and rewriting new rules for the energy future and America’s own role as a major exporter. REGISTER HERE.

Tweet of the Day

We’ve come a long way in technical skill, but I’d say the motivation hasn’t moved much.

Source: https://x.com/todayininfosec/status/1792206452591104463

@todayininfosec/X

Quick Bytes

ADD A LITTLE CYBER — Cybersecurity isn't a typical wedge issue on the campaign trail, but two Democrats are gambling their cyber credentials will pay off in red territory. Check out John’s profile of two congressional candidates this election season honing in on cyber.

THE CISO SITUATION — IBM's decision to sell its QRadar cybersecurity software to Palo Alto Networks has forced security chiefs to rethink their plans as they rebuild their security operations centers, writes Jeffrey Schwartz for Dark Reading.

FREE LAUNDRY FOR ALL — Two UC Santa Cruz students discovered a security flaw in CSC laundry machines allowing free laundry — but the company hasn't fixed it. Zack Whittaker with TechCrunch has the story.

Chat soon.

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).