Inspector Finds Efforts to Assess, Fix OPM Data Breach in Disarray
In at least one case the company was located in China and was run by Chinese nationals. Chinese hackers were suspected of being behind the breach from the first day it was disclosed. Now it's clearer how Chinese hackers might have found their way in. Unfortunately, the way forward for OPM isn't clear. The current project to clear up the agency's security problems has run afoul of the IG and probably will have to be terminated. OPM's computer systems are archaic and while the systems could be encrypted, it's not clear that this would have helped. Worse, current security practices at OPM are laughable where they exist at all.
While OPM is also working on a project to overhaul all of the systems, the project appears destined for failure. The audit report doesn't take its projections for completion seriously, and suggests that OPM doesn't even understand the problem, much less how to move forward. All of this is exacerbated by the fact that the OPM director has no significant IT experience and very little management experience. But even if she had the necessary experience, there is probably no chance that OPM can successfully upgrade its computer and data security system under current conditions.
Worse, Congress is apparently thinking about removing more funding as a way to cut federal spending. If this happens, it will mean that OPM remains responsible for keeping federal employee records safe, but has no way to actually improve the security of government employee records. Congress, meanwhile, is holding the feet of OPM managers to the fire until the director is fired and until things are fixed. Meanwhile, OPM has no way to actually spend the money it has to improve its systems. The budget, such as it is, requires OPM to spend money on current operations. Upgrading to new, more secure, computer systems is not allowed by the current budget. Admittedly, OPM could have done a better job protecting its data from hackers.
But without the money it needs from Congress, there's not really a lot that OPM can do beyond that. Because Congress doesn't want to fix the appropriations so that OPM and other agencies can secure their computers, the agency can't spend the money it needs to spend. Unfortunately, OPM now finds itself in territory that's probably familiar to many IT managers who have the responsibility to perform their function, but not the authority to carry it out. While there's plenty of blame to go around at OPM, the fact is that the ultimate blame falls to Congress. The folks on the Hill are so busy trying to cut spending so they can appeal to their voters that they can't do what's required to protect the government and the private records of its employees and citizens. But we all share part of the responsibility because we voted for our members of Congress without worrying about whether they were providing adequate funding and oversight to update computer and security systems from their obviously antiquated state.
There is no budget for upgrading data systems. Instead, individual projects are expected to take the funding from their existing budgets, which already are inadequate and are appropriated to fund operations, not upgrades.