The Office of Personnel Management (OPM) breach is in the news again. As you may have heard, it is much worse than originally thought, with nearly 22 million records compromised. With this news, this breach is the second one in less than three months that has hit a little too close to home for me personally.
It’s also not surprising. Our government is ridiculously lax in its cybersecurity efforts, especially when you consider the amount of personally identifiable information held in government databases. Remember, the OPM breach didn’t just have Social Security numbers and birthdates. PII revealed also included things like fingerprints and findings from security clearance investigations. The stealing of this data has created a new level of identity theft problems for the individuals affected, according to the security experts at NuData, who provided the following commentary to me in an email:
Fraudsters are learning that information coupled from various breaches can create more comprehensive 'identity bundles,' which sell for a higher value to hackers. With more complete information, more fraud can take place.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
Not surprisingly, as we find out more about this breach – and I don’t think this is the end of it – and because this is Washington, D.C., there are calls for accountability and heads to roll. In fact, OPM Director Katherine Archuleta has resigned in response to this latest news.
I agree that there needs to be some outrage, but I’m not sure the resignation of an agency director is going to solve the deeper problem. The cybersecurity system in government – and in most organizations – isn’t broken; it was never functional in the first place. It’s why it is so easy to exploit.
It’s not functional because those who are responsible for fixing the problem don’t really get cybersecurity. You can’t put the tools in place if there is no budget for cybersecurity. Who is in charge of making sure there is an adequate security budget? In industry, it is the C-level decision makers. In government, it is Congress (or the state legislature or other elected officials). If there is no allocation for security within our government agencies, how is it supposed to be instituted?
There is also a serious lack of understanding of how slowly cybersecurity detection works. It takes months for breaches to be discovered, and often that happens from an outside source, not by the organization itself. A Wired article written by Senator Ben Sasse expressed outrage over how long it took to discover the OPM breach (and he prematurely blames China, even though there has been no word yet on who committed the breach – another bad habit when it comes to cybersecurity). What the senator doesn’t understand is that this is more common than he realizes, and this is not the first government agency to suffer a serious breach. Nor will it be the last until something is done.
What this latest news shows me is that not even our leaders, let alone the public, understand cybersecurity and the tools necessary to address potential threats well enough to seriously attack the problem. Until that happens, you can fire all the directors you want. That won’t fix a single vulnerability or catch a malicious insider.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba