Redstone - Cyber-Security: The Continuing Saga, Side Effects

As a follow-up to our June 2015 blog on the now truly infamous OPM computer hack of 2015 (which may actually date back to 2013, given that OPM's story continually changes), we now know that approximately 21 million personnel records have been compromised. However, we can all sleep better at night knowing that the action was technically not a cyber-attack, because there was purportedly no attempt to take over the systems; the intruders "merely" infiltrated (hacked) the systems to gain access to sensitive data, including data related to background investigations.

As additional good news, nothing "nefarious" has resulted from the so-called hack. How do we know? From the highly trustworthy (and never self-serving) public statement of the United States Government, the FBI in this case, that there is no evidence of any nefarious activity by the unidentified hacker(s). Before concluding that all is well, one might first check the dictionary for the meaning of the chosen word, "nefarious" (extremely wicked or villainous). Public statements (by those representing the United States Government) rarely use specific words by accident; hence, the lack of any "nefarious" activity would seem to fall short of a cause for celebration. There is plenty of risk and exposure for the hackers to sell or otherwise misuse highly sensitive personnel data, but apparently that falls short of being "nefarious".

As with virtually every failing primarily attributed to the United States Government, the most immediate fall-out has been a regulation (issued at the end of August 2015) which requires DOD (Department of Defense) contractors to report cyber incidents in a timely manner. We can't have a regulation without definitions, which include the definition of a cyber incident as "actions taken through the use of computer networks that result in a compromise or an actual or potential adverse effect on an information system and/or information residing within that system". In addition to "potential" adverse effects, the interim rule also involves a definition of unauthorized disclosure which "may have occurred". Contractor or subcontractor obligations include conducting a review for evidence of compromise (computers, servers, specific data, and user accounts), analyzing the extent of the intrusion, and rapidly reporting cyber incidents to DOD.

Although it remains to be seen exactly if, when and how the "hacked" OPM data will be used, the fact is that the damage is severe, albeit not quite nefarious. It has been publicized that the Government will spend at least $330 million solely for credit monitoring services for the 21 million people impacted by the hack. It is impossible to measure the more expansive impact in terms of Government and contractor resources re-focused on computer security. Except to the FBI (denying any nefarious activity), the "elephant in the room" in terms of the probable motivations of the perpetrators (almost, but not quite, nefarious motivations) is the significant and immeasurable resources which will be redirected to identify and intercept computer hacks or cyber incidents (not to mention the costs to undo any damage caused by successful cyber-attacks). In a world of declining budgets for DOD, money spent on defensive cyber-security is money not available to be spent on traditional DOD warfighting capabilities.

Welcome to the brave new world of undeclared war.


Written by Michael Steen

Mike Steen is an Emeritus Advisor with Redstone Government Consulting, Inc. and a specialist in complex compliance issues, including major contractor cost accounting and business system regulations, financial compliance, resolution of DCAA audit issues, Cost Accounting Standards application, litigation support, and claims preparation. Prior to joining Redstone Government Consulting, Mike served in a number of capacities with DCAA for over thirty years, and upon his retirement he was one of the top seven senior executives with DCAA. Mike served as a Regional Director for two DCAA regions, and during that time was responsible for audits of approximately $25B and 800 employees. In October 2001, he was selected for the Senior Executive Service, and in 2006 he received the Presidential Rank Award. During Mike's tenure with DCAA, he was involved in conducting or managing a variety of compliance audits, including cost proposals, billing systems, Cost Accounting Standards, claims, defective pricing, and then-evolving programs such as restructuring, financial capability and agreed-upon procedures. He directly supported the government litigation team on significant contract disputes and has prepared and presented various lectures and seminars to DCAA staff and business community leaders. Since joining Redstone Government Consulting in June 2007, Mike has developed and presented training and seminars on Government Contracts Compliance to NCMA, Federal Publications Seminars and various clients. Mike is also a prolific contributor of written articles to government contracting publications, as well as to our own Government Insights Newsletter. Mike also serves as the director of our training service offerings, with responsibilities for preparing and developing course content as well as instructing our seminars to clients and general audiences throughout the U.S. Mike also serves as a faculty instructor for the Federal Publications Seminars organization.
Education: Mike has a BS Degree in Business Administration from Wichita State University. He is also a graduate of the DCAA Director's Fellowship Program in Management, and has a Master's Degree in Administration from Central Michigan University. Mr. Steen also completed a number of OPM's management and executive development courses.

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.
