The news from the Office of Personnel Management on July 10 was something most people in Washington were looking for. The director of the office, Katherine Archuleta, announced that she was stepping aside in the wake of a series of increasingly dismaying revelations of breaches into OPM’s data systems. Initially the agency announced that as many as 4 million records had been accessed. Then another breach was announced with perhaps another 10 million records accessed.
The numbers continued to get worse. And on July 9, the agency revealed that 21.5 million background investigations had been breached, in addition to the initial 4 million records. With that announcement, any remaining support for Archuleta in Congress evaporated. At that point the outcome was inevitable, and fortunately Archuleta didn’t prolong the agony.
As refreshing as it may be to see a member of the administration accept accountability for their actions, it’s only the first step in solving OPM’s problems. And while the resignation of the director was essential, the real work remains to be done.
What’s sad about the whole affair is that the mess does not lie solely with Archuleta. While she was in charge of the department, it was President Obama who nominated a person who was totally unqualified to manage an agency that had as a primary function the operation of several massive databases. In addition, it was Congress that when faced with the job of confirming a person who was unqualified, confirmed her anyway.
In addition, I feel compelled to add that it was the same Congress that has consistently underfunded the security necessary to protect the millions of personnel records that are now breached. And yes, it’s the same Congress that will now spew forth histrionics blaming everyone but themselves as they attempt to shift the blame from where it rightly lies, which is at that body’s doorstep.
When Archuleta took office, despite her lack of experience in managing large, data-intensive organizations, she was astute enough to see that OPM was suffering from years of inadequate funding and inept management. To suggest that the old COBOL-laden mainframes were legacy systems was an understatement, but she did recognize that, and she promised to launch an effort to update those systems.
But the truth of government in the United States is that managers in the executive branch can only work with what Congress will give them, and when OPM’s budget is cut so far by a hostile Congress that the agency can barely keep the lights on, then it is Congress that must shoulder much of the blame for this breach.
OPM Director Resigns After Breaches, but the Real Work Remains
Unfortunately, OPM shares in the problem of underfunding security, and it shares in the problem of not knowing how to spend what money it does devote to controlling the problem. Much of the blame for the success of breaches in private companies lies not with the IT managers who run the data centers, but with the executives who see security as a cost to the bottom line that can be cut.
“The CEO of Home Depot told his security professionals, ‘we sell hammers’ when he was asked for money to improve security,” said Eric Chiu, president and co-founder of HyTrust, a cloud security company. Home Depot was breached shortly after the CEO refused requests to make security improvements, and the company is still battling hundreds of lawsuits that resulted.
Chiu said that there are really two problems caused by managers ignoring security. One is caused by failing to give it enough priority, and the other is caused by not protecting the things that need to be protected. “Fundamentally we have to assume that data is the target these attackers are going after,” Chiu noted. “You have to protect yourself from inside attacks.”
The fact that most major breaches are from attacks from the inside requires a significant rethinking from the ways that organizations have approached security in the past. As former U.S. cyber-security director Richard Clarke told me in April, you have to assume that the bad guys are already inside your network, and you have to protect the data that they’re after.
This means it’s crucial that companies protect that data through more than just perimeter defenses. While it’s important to protect against unauthorized access, it’s also important to protect the data once someone gains access. For this reason, critical data should be stored separately, it should be encrypted, and access should be tightly controlled.
But what’s really unfortunate is that far too many managers resist even simple steps to protect data because they’re afraid the costs will be too high. This and simple inertia are major contributors to data breaches. When the Anthem breach happened, the data that was lost was unprotected not because the managers didn’t know that, but because they were not required to encrypt it.
And yet it is that same Anthem customer data, when combined with the extremely sensitive personnel data held by OPM, that will provide the Chinese hackers who carried out both breaches with what may be the most valuable data ever taken in a series of breaches.
This massive theft of data, and the injury to millions of people that will happen as a result, could have been prevented or at least minimized with a simple combination of management and leadership. But Congress and the administration failed to provide either, and as a result you will pay the price one way or another. But you can avoid making the problem even worse by taking the steps to protect the data in your own company, even if it’s not required that you do so.