OPM Information Breach - "Fed Up!"
I recently received a USPS-delivered “official business” letter from the US Office of Personnel Management regarding last summer’s cyber security breach at the agency.
The letter began, “As you may know, the Office of Personnel Management (OPM) was the target of a malicious cyber intrusion carried out against the US Government, which resulted in the theft of background investigation records.”
I didn’t have to read on to determine that my information had been compromised. Nonetheless, I did continue reading, only to be informed that my Social Security Number and “other personal information was included in the intrusion.” To make matters worse, because I am an individual who has been investigated for and holds a security clearance, the information that was compromised included my family members’ information, my home address, date and place of birth, my fingerprints and “various other personal data.”
As I re-read the letter in disbelief, I was thinking: “Let me get this straight. Holding a high-level US government security clearance—in which I entrust the government to secure and keep private both my own and my family’s personal information in the same manner that I have sworn to secure the government’s classified information—is the very reason that I am vulnerable to this type of intrusion and identity theft. Wow.”
As I read on, they attempted to reassure me. First, it was explained that “federal experts” don’t believe the technology to utilize my fingerprints maliciously is “mature enough yet.” But it “could be in the future.” The experts making this reassuring claim are the same ones who were charged with securing my data in the first place.
Second, they do offer a credit and identity monitoring service that I can enroll in with a PIN number and ID where they will keep an eye on things to see if any of my information is being misused. Keep in mind that they sent me the website URL and my PIN numbers for this service in open text in the US mail – and remember the breach included my home address as well. Brilliant! Should I further entrust them to monitor my use and activity when they are undoubtedly leveraging a system that can also be hacked and exploited? What would you do? And what came first anyway? This all feels surreal, like playing that child’s game asking which came first, the chicken or the egg.
The moral of the story here is short and simple. It’s no child’s game. Cyber Security within the US public sector is clearly still in its infancy. Anyone who works in federal IT, expert or not, and claims otherwise, is simply not informed.
The bad guys are leaps and bounds ahead of the good guys. Taxpayer dollars are still not being properly applied to fight the cyber war. While it has certainly improved, it is nowhere near what it needs to be. Reactive measures and systems aren’t enough. Yet many agencies continue to kick the can down the road with tech refresh cycles of the same technology that has been in place for a decade or by using the same systematically successful IT integrators that provide the “lowest price technically acceptable” solutions and services. Why? Because it’s easy and because it’s a known entity. It isn’t difficult to justify and utilize a federal budget that is funded by the taxpayers by slapping a label on projects and IT integrator service expenditures which deem them to be “cyber security” or “cloud” related. In the last three years, people have reinvented these terms in scores of creative ways to meet their desired budgetary and expenditure outcomes and make little to no innovative progress in proactively fighting the war on cybercrimes. It doesn’t require a technology discussion or debate to prove or disprove this fact. The measuring stick is clearly included in the information I’ve shared above.
It is time for federal employees and contractors to step up to the plate and insist upon a new way of doing IT business. For starters, it’s time for federal IT leaders and administrators to stop talking so much and start listening. Bring in the experts and listen to them versus telling them what you want to spend on and pre-determining the solution, as we so often do in the IT space. Zero-day intrusion detection, data access governance, data-at-rest encryption and behavioral analytics tools are just a handful of solutions that simply aren’t getting enough attention or being properly vetted and implemented within the federal IT enterprise.
Out with the old, in with the new. Something has to change. As a taxpayer who has also sworn to protect the integrity of the US federal government and its classified information, I am frustrated beyond belief with the same old government IT spending and implementation antics. I have entrusted them with my now compromised personal information. I implore each and every one of them to step outside of the box and act on real change.