Skip Navigation
BlackBerry Blog

“Not If, but When” - Reflections on the OPM Breach

NEWS / 09.07.16 / John McClurg

In my previous lives as a special agent in the FBI and also as the CSO of major U.S. corporations, I had to undergo periodic background investigations, usually every five years. I hold government clearances, and it was simply one of the conditions under which those benefits were conveyed. These investigations involve essentially a review of personal, in-depth information about not only me, but also my peers, my family, and many others with whom I’ve had some form of connection.

If there’s anyone whose personal information was ‘out there,’ and who felt the pain of last year’s Office of Personnel Management (OPM) compromise, believe me, I was there among them. One might then ask me, being one of the archetypal victims of that breach, was I not inclined to pick up a stone and cast it when I heard the news? The short answer to that is “no.”

Why? Because of what many of you already know about the attack landscape: it’s all a bit too easy.

Detection vs. Prevention

Those of us who have spent decades in the security and cybersecurity professions know that it is painful whenever we see a peer fall. Empathy kicks in, and we hear ourselves whisper under our breath, “It can happen to anyone”. We begrudgingly find ourselves forced to accept the fate that we will, more likely than not, also be compromised someday in the near future.

Following my departure from the FBI, I went on to head up strategy and tactical operations for internal global security services at some of the largest companies in the world, including one of the biggest global IT companies. There, I fully realized the sheer enormity of the challenge that all of us in the security industry currently face—the fact that, on any given day, we could only count on a low percentage of efficacy from our antivirus partners when it came to protecting us and our data from the ‘bad guys’. In my experience, at their absolute best, even the top brands in traditional antivirus could boast only a partial ‘detection and prevention’ rate. A significant percentage of attackers continued to approach us unabated, in full force and fury, hitting us and our partners with all the assorted unpleasantries that the underground cybercriminal world could throw at us.

With that stark reality delineating our world for decades, we worked hard to manage the expectations that our upper leadership placed upon us. We thought that if we forewarned our leaders often enough about the anemic nature of our traditional, signature-based defenses - i.e. that we were likely to have a breach on any given day – then, when these kinds of adversarial events inevitably happened, we would have at least softened the blow. We wanted our leadership to be prepared for what we knew was coming, so instead of asking us, “How could this have happened?” they could instead turn their attention to more pressing and intelligent questions, such as “How efficiently and effectively have we mitigated the effects of the attack?” And “How acutely have we leveraged the lessons learned?”

That’s essentially how we managed the expectations of our leaders and drove those conversations in the past, having felt forced to accept the mantra: “It’s not if, but when.”

Sticks and Stones

I have to admit that in that effort to manage the expectations of our leaders, I was out there at the front of the pack. I had worked shoulder to shoulder for years with my security industry brothers and sisters, experiencing firsthand the impact of these unmitigated risks, ever hanging over us like the Sword of Damocles. This situation existed in large part due to our inability to rely on our front-line partners, the legacy signature-based antivirus vendors, to deflect the massive amount of malware that comes at us every day.

It always galled me professionally, having to accept that mantra: “it’s not if, but when”. However, not accepting it, and failing to adequately prepare our leaders, meant there was a good chance that one day soon, they were going to come to us and ask, “How the heck did you ever allow this to happen?”

So when I hear of a government partner affected in the way that OPM was affected by their data breaches in 2014 and 2015, I feel their pain at the most basic and personal level. It’s tempting, in part because of the trust with which we’ve endowed them, to demand of our government, partners or organizations a higher level of sophistication - a level of performance the rest of us have not been able to achieve. But at the end of the day, those of us who’ve seen and done battle with the enemy close up, have felt their prowess and do not underestimate their capabilities. That knowledge causes us to step back and be a little less inclined to cast aspersions.

Until the day I heard of Cylance, I had assumed that a better way forward was beyond our technical grasp.

Healing the Scars

There’s a phrase, common among those who practice in our industry, that if you haven’t experienced a compromise or breach yet, you either a) haven’t been in the profession long enough, b) don’t have anything worth stealing, or c) have yet to discover it. For the rest of the larger community, an appreciation of this reality may be lost as they hear the news of yet another data breach or banking compromise, and look for someone to blame.

Here at Cylance, we appreciate that our OPM partners should be commended for trying to do the right thing when the 2015 breach was discovered. As a company, we felt fortunate to have been engaged to assist them in bolstering their overall security posture. It was that joint effort that produced the shocking discovery that the personal background information of 21.5 million people had already been stolen.

While that discovery was painful, it reflected the positive fact that OPM was, as an organization, looking forward beyond its peers, embracing the new paradigm of the future: the artificially intelligent, machine learning powered capabilities of Cylance’s products and services.

Following the initial internal suspicion of a data breach, OPM made the unprecedented decision to engage with Cylance immediately and to deploy us enterprise-wide and in prevention mode in a matter of four days. OPM knew that Cylance was the only solution to detect and mitigate the attack, and concluded that if they had us deployed before the barbarians approached the gate, they would have completely prevented this particular breach. Their brave leap of faith in us and our technology to close the gap in their armor - once the exclusive role of their internal IT team - will go down as one of the boldest events in modern cybersecurity history. It was in that effort that we locked shields with them and not only discovered countless compromises beyond the initial breach, but also cleaned up a very unclean environment formerly ‘protected’ by legacy antivirus. OPM took immediate and effective action, leveraging our partnership to assist them in turning the adversary aside and protecting against future attacks.

I hold OPM’s efforts to remediate the situation in the highest regard, particularly since I yet bear what William Shakespeare described as “wounds that never felt a scar.” Most of us in the industry carry those fresh yet unhealed wounds of compromise. They leave us a little more sympathetic when it comes to an occasion where we might otherwise be inclined to hurl stones, slings and arrows at someone or something we hoped would have had greater protection in place.

At Cylance, we take no small solace in that prowess, acknowledged in this week’s very thorough report by the majority staff of the House Committee on Oversight and Government Reform, which chronicles this tale in greater detail. We are proud and honored to have served as a partner to an organization as critical to our national security as OPM. Even though the breach was a ‘bad news day’ for the security industry, we were grateful that we could bring to bear the benefits of a liberating technology: CylancePROTECT®. Our artificially intelligent endpoint security product uses machine learning and math to stop malware and cyberattacks dead, preventing everyday and advanced threats, all pre-execution. It obliterates the old way of thinking and replaces it with something completely different.

New Thinking for a New Age

Thomas Kuhn in his book The Structure of Scientific Revolutions wrote of the need for a periodic refresh of society – he recognized that every once in a while, we need a profound change in our way of thinking. As I look at the paradigm shift that we’re now asking the world to entertain, as we unveil our transformative technology, it occurs to me that what we’re up against is a formidable and entrenched way of thinking. It’s similar to what Copernicus himself faced almost six centuries ago, when he went up against his Ptolemaic predecessors, disproving their belief that the earth was the center of the universe.

The AV industry has been telling us for decades that signature-based AV is the way to go – that those signatures and the labor intensive and costly operations involved in their production are still the centers of the universe – despite mounting evidence to the contrary. Legacy vendors need us to believe that the deficiencies of the past can be overcome if they can just figure out how to create their outdated signatures more quickly. They argue that we just need to stay in step with the bad guys, despite the fact that signatures have historically always been a day late and a dollar (if not a million dollars) short.

Looking forward to a future where artificial intelligence and machine learning constitute the dawning of a new era in so many different fields, I personally believe that Cylance has launched within the AV industry a scientific revolution, the excitement of which hasn’t been felt in decades. It’s a changed age, and we look forward to applying with you this new way of doing battle as we seek to protect “everyone under the sun,” liberating and making the world a better place.

-John McClurg
Cylance VP and Ambassador-at-Large

Read more about Cylance's role in detecting and mitigating the OPM breach here: Breach Prevention


John McClurg

About John McClurg

Sr. Vice President and CISO at BlackBerry.

John McClurg serves as Sr. Vice President and CISO at BlackBerry. McClurg engages the industry around the globe on the risk challenges today and how BlackBerry uniquely mitigates them with the application of machine learning and other AI supported solutions. He champions a move from a historically reactive security posture, to one focused on proactively predicting and mitigating future risks.

Before BlackBerry, McClurg served as the Ambassador-At-Large of Cylance and as Dell's CSO, where his responsibilities included the strategic focus and tactical operations of Dell’s internal global security service. He was also charged with the advocacy of business resilience and security prowess, the seamless integration of Dell’s security offerings, and with improving the effectiveness and efficiency of security initiatives.

Before Dell, McClurg served as the VP of Global Security at Honeywell International; Lucent/Bell Laboratories; and in the U.S. Intel Community, as a twice-decorated member of the FBI, where he held an assignment with the U.S. Dept of Energy (DOE) as a Branch Chief charged with establishing a Cyber-Counterintelligence program within the DOE’s newly created Office of Counterintelligence.

Prior to that, McClurg served as an FBI Supervisory Special Agent, assisting in the establishment of the FBI’s new Computer Investigations and Infrastructure Threat Assessment Center, or what is today known as the National Infrastructure Protection Center within the Dept of Homeland Security.

McClurg also served on assignment as a Deputy Branch Chief with the CIA, helping to establish the new Counterespionage Group, and was responsible for the management of complex counterespionage investigations. He additionally served as a Special Agent for the FBI in the Los Angeles Field Office, where he implemented plans to protect critical U.S. technologies targeted for unlawful acquisition by foreign powers and served on one of the nation’s first Joint Terrorism Task Forces.