The latest news about the massive data breach at the U.S. Office of Personnel Management indicates there may be even more personal records at risk than previously disclosed.
Even more alarming, the OPM's attempts to fix the problem appear to be adding risk, which suggests that federal officials don't have a clear idea of how to improve the security of sensitive government databases.
The bad news came this week during Congressional hearings when OPM director Katherine Archuleta was asked exactly how many people were at risk because of the breach. Archuleta declined to give an exact number, although she conceded that the current best guess of 17 million could be correct and that the number could go higher. Note that this figure has already risen from the estimates that circulated a week ago.
Archuleta was asked if the number could go as high as 32 million records. She declined to provide a number.
So at this point, nobody really knows how many government employees, retired employees, former employees, military personnel and individuals with security clearances have had their records taken, but the current best guess is that it's all of them. The reason there's no exact number is that nobody is sure how many records there were to take.
Fortunately, someone at OPM figured out that the agency needed to install some form of security management software for its systems. Unfortunately, whoever decided what management system to get didn’t go through proper channels, didn’t select an approved system and apparently didn’t clear the software (or the acquisition process for that matter) with anyone.
If there is good news here, it's that the software, which had just been installed in April when the breach was discovered, apparently worked well enough to detect the intrusion. But the security management system only covers part of OPM's computer systems. The rest are old, incompatible, COBOL-based mainframe systems that have never been updated, and the new monitoring cannot see into them.
After OPM Inspector General Patrick McFarland took a look at the agency's efforts to improve its data systems security, he issued what is called a "flash audit alert," which is exceedingly rare.
A copy of the audit alert report, obtained by the Associated Press, said that the situation requires immediate action. “There is a high risk that this project will fail to meet the objectives of providing a secure operating environment for OPM systems and applications,” the report said.
The IG report also said that OPM initiated the project without a complete understanding of the agency’s technical infrastructure, the scale of the project or even the projected cost. From there it gets worse.
It turns out that in addition to the two breaches that OPM has already admitted to finding, a third breach was discovered on OPM systems hosted at the Department of the Interior. That breach apparently originated from a compromised computer at a contractor location.
Inspector Finds Efforts to Assess, Fix OPM Data Breach in Disarray
During their testimony, OPM officials reported that more than half of the work being done on those government systems was being performed by contractors. And where were those contractors located?
In at least one case the company was located in China and was run by Chinese nationals. Chinese hackers were suspected of being behind the breach from the first day it was disclosed. Now it's clearer how Chinese hackers might have found their way in: a contractor with legitimate access is a direct route into the systems it works on.
Unfortunately, the way forward for OPM isn't clear. The current project to clear up the agency's security problems has run afoul of the IG and probably will have to be terminated. OPM's computer systems are archaic, and while the data could be encrypted, it's not clear that this would have helped: encryption at rest does nothing against an adversary who is using stolen but valid credentials, because the systems decrypt the data for anyone who presents them. Worse, current security practices at OPM are laughable where they exist at all.
While OPM is also working on a project to overhaul all of the systems, the project appears destined for failure. The audit report doesn’t take its projections for completion seriously, and suggests that OPM doesn’t even understand the problem, much less how to move forward. All of this is exacerbated by the fact that the OPM director has no significant IT experience and very little management experience.
But even if she had the necessary experience, there is probably no chance that OPM can successfully upgrade its computer and data security system under current conditions.
There is no budget for upgrading data systems. Instead, individual projects are expected to take the funding from their existing budgets, which already are inadequate and are appropriated to fund operations, not upgrades.
Worse, Congress is apparently thinking about removing more funding as a way to cut federal spending. If this happens, it will mean that OPM remains responsible for keeping federal employee records safe, but has no way to actually improve the security of government employee records. Congress, meanwhile, is holding the feet of OPM managers to the fire until the director is fired and until things are fixed.
Meanwhile, OPM has no way to actually spend the money it has to improve its systems. The budget, such as it is, requires OPM to spend money on current operations. Upgrading to new, more secure computer systems is not allowed under the current budget.
Admittedly, OPM could have done a better job protecting its data from hackers. But without the money it needs from Congress, there's not much more that OPM can do. Because Congress doesn't want to fix the appropriations so that OPM and other agencies can secure their computers, the agency can't spend the money it needs to spend.
Unfortunately, OPM now finds itself in territory that's probably familiar to many IT managers who have the responsibility to perform their function, but not the authority to carry it out.
While there’s plenty of blame to go around at OPM, the fact is that the ultimate blame falls to Congress. The folks on the Hill are so busy trying to cut spending so they can appeal to their voters that they can’t do what’s required to protect the government and the private records of its employees and citizens.
But we all share part of the responsibility because we voted for our members of Congress without worrying about whether they were providing adequate funding and oversight to update computer and security systems from their obviously antiquated state.