The scope and length of two breaches that stole millions of records from the U.S. Government’s Office of Personnel Management (OPM) are both monumental and appalling. The OPM data hack is being called the biggest data hack of all time.
The government demands and collects a great deal of information from all American citizens, but the largest amount comes from people who work for the government directly, sometimes in highly confidential jobs.
These “requests” for private data came come in forms, some over 120 pages long, and drill for details on the person, information on his or her background and family, and identifiers like place of birth and social security number. That’s everything you need to compromise someone’s identity. If you’re a covert agent, identity theft is the least of your problems. Like many companies, however, the government doesn’t do a very good job of protecting the information they insist they need.
Not Worth the Cost
In my career I worked for a variety of cyber security companies and one of the biggest difficulties our sales reps encountered was the attitude that security software wasn’t worth the cost. “I’ll deal with it (a network or data breach) when it happens,” is what they heard. That’s like saying that you won’t bother to lock your car—and may even leave the keys inside—and then just buy a new one after it’s stolen. No problemo. The big difference, though, is that only you suffer when you car is boosted due to your own stupidity or carelessness. When it comes to the information held by companies and the government, other people are damaged by official short-sightedness and incompetence. It’s looking like 18 million–possibly 32 million–people will be affected by the OPM data breach.
It’s possible that agency heads like OPM Director Katherine Archuleta simply don’t understand the technical details and would rather focus their time and attention on areas where they have some expertise. Sure, it’s putting your head in the sand and hoping no one will whack your exposed behind but that’s human nature.
Paying attention to things like signature detection, zero-day threats, multi-factor authentication, phishing attacks, configuration changes, and admin rights can make your head hurt if you’re not technical and have no time to become an expert. But that’s why you hire actual experts to do this work. Then you—the CEO or agency director—give them the equipment they need, the budget to buy it, the authority to get things done, and your solid backing when required. Anything else is malfeasance.
When agency budget cuts are mandated, however, it’s easiest to slash the areas you don’t understand—or to just never staff them up in the first place. That’s what seems to have happened at OPM, where:
- There no dedicated IT staff was hired until November of 2014—a measly 11 people to handle millions of data records.
- The “central IT security organization” controlled only a fraction of OPM’s systems.
- There was no comprehensive inventory of network equipment such as databases, servers, and other network devices.
- There was no mature vulnerability scanning program.
- There was no control over how OPM’s systems were configured.
- Information security software wasn’t fully implemented.
- They are still using a COBOL operating system.
I guess that’s what the phrase, “good enough for government work,” really means.
Penalties for Failure
And that’s just a part of the problem. If you think this situation is limited to OPM, think again. Our government is too big, too complex, too spread out and often too compartmentalized to do a good job of implementing security equipment and software.
China, on the other hand, is very focused on extracting information from U.S. data bases. They don’t have to worry about pesky things like elections and new administrations, rewarding contributors or placating critics. The Chinese government probably does have nepotism and incompetence in some government ranks—they are human beings after all—but the penalties for failure are far greater than they are here. You don’t just get fired in China if you screw up; you get sent to a gulag in the Tibetan Himalayas for the rest of your life. And that’s best case.
Speaking of penalties for failure, there don’t seem to be any at the Office of Personnel Management. Director Archuleta has been whinging that “aging systems” are not her fault. In the hearing on the data breach being conducted by the House Committee on Oversight and Government Reform, she has said that “cybersecurity problems take decades” to develop. This is probably news to nimble Chinese hackers. She also plans to implement encryption on a database with a COBOL back end. Good luck with that.
When you screw up this big in a corporation, you’re either fired outright or you resign “to spend more time with my family.” But despite this SNAFU (Situation Normal, All “Fouled” Up) Director Archuleta hasn’t been fired. Nor has her CIO, Donna Seymour. In her Director’s Blog, @OPMDirector says, “I want to be clear that we are proactively taking this action to ensure the ongoing security of our network.” Blah, blah, blah, blah. You can’t be “proactive” after the fact. Locking the barn door after the horse has been stolen is reactive –and ineffective — any way you look at it.
Twisting in the Wind
Where does all this leave the government employees whose personal information is now most likely being analyzed in Beijing? Twisting slowly in the wind and waiting for the consequences to show up. The government wants your data but it doesn’t know how to protect it or seem to think that protecting it is an important thing to do.
In an attempt to get some accountability, The American Federation of Government Employees, or AFGE, the largest union of federal workers filed a class-action lawsuit Monday against the Office of Personnel Management for failing to provide information to current and former federal workers about how they might be affected by the data breach. It’s a good start.
Just don’t expect anyone to be fired.
Meanwhile, millions of people with clearances are now subject to blackmail; undercover agents are potentially at risk. But, hey, it’s only national security – no biggie, right?
This is incompetence approaching, if not exceeding, the threshold of treason. The appropriate punishment is a short drop and a sudden stop.
I think treason has to require intent, David, while shortsightedness and incompetence do not. I think some prison time would be warranted. But so far, no accountability at all.