On June 18, 2015, as a retired “civil servant” whose personnel records now reside with OPM, I was notified by OPM that OPM had “recently become aware of a cybersecurity incident that may have exposed my personal information”.
Reassuringly, OPM went on to say that it immediately implemented additional security measures and will continue to improve the security of the sensitive information that it manages. Boy do I feel better! Actually, I would feel better but for the fact that OPM’s notification also included the statement that nothing in the letter should be construed as OPM or the US Government accepting liability for any of the matters covered by this matter or for any other purpose.
Beyond my personal interest in the now infamous OPM computer hack of 2015 (or was it actually 2013 or 2014, and were they actually computer hacks and not “a” hack), this incident (or incidents) has predictably highlighted the good, the bad and the ugly in terms of information, misinformation and the invariable “blame game” which will always follow a major faux pas on the part of a government agency. The following are some of the more noteworthy facts (used loosely) or statements associated with the OPM Cybersecurity Heightened Incident Transparency (OCHIT) reporting for 2015.
- The number of current or former employees affected started at 4.2 million, was then increased to 18 million and now, based on some accounts, hovers at 30 million. Reassuringly, no one seems to know (or wants to disclose) the number with any precision; besides, the personal information for an affected employee also contained personal information for relatives and acquaintances of that employee.
- One Senator is seeking IRS assistance (to OPM) to protect victims against identity theft; yes, the same IRS which estimated that it paid out $5.8 billion in fraudulent tax refunds in 2013 related to identity theft. Coincidentally, the same IRS which estimates improper payments of approximately 25% for Earned Income Tax Credits and Additional Child Tax Credits (cumulatively $20 billion in improper payments annually).
- In the first of many Congressional Hearings on the OCHIT matter, the OPM Director took responsibility for being the Director of OPM, but went on to state that “the people who should be held accountable for the hack are not government officials … if there is anyone to blame it is the perpetrators”. Nice that the OPM Director sort of defended herself and her staff, but we already knew that (ultimately) the perpetrators are to blame.
- In statements to Congress on April 22, 2015, OPM’s CIO stated that OPM’s leadership and cyber-defenses were effective at quickly resolving threats. Coincidentally, a cybersecurity firm reported that on April 21, 2015, while demonstrating its software, it detected months-old malware on OPM networks. OPM claims that it had already made this discovery in April 2015.
- Immediately after OCHIT was reported by the media, it was also reported that OPM had been denied approximately $2 million in funding for additional cybersecurity funds. Soon after, media reports noted that government detection tools including the $3 billion “EINSTEIN 3” had been unable to detect the activity. Somehow the denial of $2 million seems inconsequential.
However, we will all be safe thanks to the White House initiated “30 Day Cybersecurity Sprint” requiring all government agencies to reassess cybersecurity and to detect potential intrusions. The same White House which issued an Executive Order in January 2015 to force US Corporations to timely notify consumers of data breaches (nothing new given that 46 states already have similar laws, albeit with differing requirements; hence, a “federal solution” which would standardize notification requirements, but only for data breaches which might have a financial impact). In other words, the same White House best known for Executive Orders which represent nothing new, just a higher level declaration as if that ensures success.
Lastly, a random observation that our government (Congress) is spending billions to obtain audited financial statements as if that goal (required by a law in 1990, yes 1990) has some urgency. Although audited financial statements might be nice to have, it would seem that those funds could have real value if diverted to cybersecurity. That, or be prepared to be reading the first Audit Report on the United States Consolidated Statement of Accounts while having all of my personal and financial information up for sale on the internet.