Every day it seems we discover more and more about an agency most of us have never heard of: the U.S. Office of Personnel Management. We learned in early June that the OPM was hacked over a year ago, when the Obama administration announced that Chinese hackers stole the information of up to 4 million federal employees.
Now, the administration has begun quietly acknowledging that the breach was much, much worse. It appears the private information of 18 million people, possibly more, has been compromised. Eighteen million; let that sink in a moment.
This is the largest data breach in U.S. history. This devastating exposure is something we all should be concerned with. Our privacy has been violated – if you are employed in any way by the federal government, have ever applied for a federal job, or were interviewed in regard to someone who applied for one, your information is at risk.
Even worse, the breach included millions of security-clearance background check files. This includes people that work in the highest levels of our government, for highly classified private defense contractors, or possibly U.S. intelligence officers overseas — a very sobering reality of just how deeply these hackers infiltrated our most secure data.
Since this massive breach was exposed, no one has been fired and no one has been held accountable. It’s as though the administration is trying to brush this under the rug. OPM Director Katherine Archuleta acknowledged at a congressional hearing last week that even she doesn’t know the extent of how many records were actually hacked.
The worst part is, the government has been warned that something like this could happen for years. Security firms and “white hat” hackers have alerted the government since the 1990 about the lack of strong cyber protections on government servers.
OPM’s Inspector General has issued warnings and recommendations on how to tighten security to create stronger firewalls, recommendations that were not properly heeded.
Furthermore, a report out this year from the Government Accountability Office found that security breaches at federal agencies grew from 5,500 in 2006 to more than 67,000 last year, and warned that they were on the rise. A new report out last week from the software security firm Veracode highlights that civilian federal agencies, such as OPM, are most at risk for security breaches – ranking government agencies “dead last in fixing security problems in the software they build and buy.”
Veracode also found that the web apps used by federal agencies fail to comply with security standards a staggering 76 percent of the time. It notes that the government isn’t fixing security flaws at the same level as private corporations because there is no “market risk” at stake and no one to hold them accountable. The government spends $13 billion on cybersecurity a year – and yet it still can’t manage to keep our data safe.
This is a serious problem.
A recent Washington Post article tells us today that many years ago, a group of young men from Boston, “friendly hackers” using pseudonyms, drove to Washington donning suits just to warn Congress that this day was coming. The group was known as L0pht, and in May 1998, when the Internet was still in its infancy, they explained to Congress how they employed hacking techniques to expose insecurities in commonly-used software. Their goal was to shame big companies like Microsoft for selling products with security flaws, exposing corporations who put profits above security. They warned that cavalier attitudes about cybersecurity would cripple us in the end. These warnings should have been heeded.
It’s crucial that we learn from the OPM hack and take action to improve cybersecurity information sharing between the government and the private sector. Congressional action is badly needed. Former Sen. Fred Thompson, R-Tennessee, recently characterized the issue succinctly, stating that Internet security is the kind of problem the government has trouble fixing because “there’s no immediate political payoff for anyone.” That pattern cannot continue.
Cybersecurity is at the crux of our national defense, and we can’t wait for a national disaster to force change. The House has passed cybersecurity enhancement legislation on three different occasions, only to see their efforts thwarted by Senate Democrats. With the number of hackers from rogue nations, international crime groups, and powerful lone wolves on the rise, America must be vigilant and work to pass strong cybersecurity reforms this year.