On June 18, 2015, as a retired “civil servant” whose personnel records now reside with OPM, I was notified by OPM that OPM had “recently become aware of a cybersecurity incident that may have exposed my personal information”.
Reassuringly, OPM went on to say that it immediately implemented additional security measures and will continue to improve the security of the sensitive information that it manages. Boy do I feel better! Actually, I would feel better but for that fact that OPM’s notification also included the statement that nothing in the letter should be construed as OPM or the US Government accepting liability for any of the matters covered by this matter or for any other purpose.
Beyond my personal interest in the now infamous OPM computer hack of 2015 (or was it actually 2013, 2014 and was it actually computer hacks and not “a” hack), this incident (or incidents) has predictably highlighted the good, the bad and the ugly in terms of information, misinformation and the invariable “blame game” which will always follow a major faux pas on the part of a government agency. The following are some of the more noteworthy facts (used loosely) or statements associated with the OPM Cyberscurity Heightened Incident Transparency (OCHIT) reporting for 2015.
- The number of current or former employees affected started at 4.2 million, was then increased to 18 million and now, based on some accounts, hovers at 30 million. Reassuringly no one seems to know (or wants to disclose) the number with any precision; besides, the personal information for an affected employee also contained personal information for relatives and acquaintances of that employee.
- One Senator is seeking IRS assistance (to OPM) to protect victims against identity theft; yes the same IRS which estimated that it paid out $5.8 billion in fraudulent tax refunds in 2013 related to identity theft. Coincidentally, the same IRS which estimates improper payments of approximately 25% for Earned Income Tax Credits and Additional Child Tax Credits (cumulatively $20 billion in improper payments annually).
- In the first of many Congressional Hearings on the OCHIT matter, the OPM Director took responsibility for being the Director of OPM, but went on to state the people who should be held accountable for the hack are not government officials…if there is anyone to blame it is the perpetrators”. Nice that the OPM Director sort of defended herself and her staff, but we already knew that (ultimately) the perpetrators are to blame.
- In statements to Congress on April 22, 2015, OPM’s CIO stated that OPM’s Leadership and cyber-defenses were effective at quickly resolving threats. Coincidentally a cybersecurity firm reports on April 21, 2015, while demonstrating its software, it detected months-old malware (on OPM networks). OPM claims that it had already made this discovery in April 2015.
- Immediately after OCHIT was reported by the media, it was also reported that OPM had been denied approximately $2 million in funding for additional cybersecurity funds. Soon after, media reports noted that government detection tools including the $3 billion “EINSTEIN 3” had been unable to detect the activity. Somehow the denial of $2 million seems inconsequential.
However, we will all be safe thanks to the White House initiated “30 Day Cybersecurity Sprint” requiring all government agencies to reassess cybersecurity and to detect potential intrusions. The same White House which issued an Executive Order in January 2015 to force US Corporations to timely notify consumers of data breaches (nothing new given that 46 states already have similar laws albeit with differing requirements; hence, a “federal solution” which would standardize notification requirements, but only for data breaches which might have a financial impact. In other words, the same White House best known for Executive Orders which represent nothing new, just a higher level declaration as if that ensures success.
Lastly a random observation that our government (Congress) is spending billions to obtain audited financial statements as if that goal (required by a law in 1990, yes 1990) has some urgency. Although audited financial statements might be nice to have, it would seem that those funds could have real value if diverted to cybersecurity. That or be prepared to be reading the first Audit Report on the United States Consolidated Statement of Accounts while having all of my personal and financial information up for sale on the internet.
Mike Steen is a Emeritus Advisor with Redstone Government Consulting, Inc. and a specialist in complex compliance issues to include major contractor cost accounting & business system regulations, financial compliance, resolution of DCAA audit issues, Cost Accounting Standards application, litigation support, and claims preparation. Prior to joining Redstone Government Consulting, Mike served in a number of capacities with DCAA for over thirty years, and upon his retirement, he was one of the top seven senior executives with DCAA. Mike Served as a Regional Director for two DCAA regions, and during that time was responsible for audits of approximately $25B and 800 employees. In October 2001, he was selected for the Senior Executive Service and in 2006 he received the Presidential Rank Award. During Mike’s tenure with DCAA, he was involved in conducting or managing a variety of compliance audits, to include cost proposals, billing systems, Cost Accounting Standards, claims, defective pricing, and then-evolving programs such as restructuring, financial capability and agreed-upon procedures. He directly supported the government litigation team on significant contract disputes and has prepared and presented various lectures and seminars to DCAA staff and business community leaders. Since joining Redstone Government Consulting in June 2007, Mike has developed and presented training and seminars on Government Contracts Compliance to NCMA, Federal Publications Seminars and various clients. Mike also is a prolific contributor of written articles to government contracting publications, as well as to our own Government Insights Newsletter. Mike also serves as the director of our training service offerings, with responsibilities for preparing and developing course content as well as instructing our seminars to clients and general audiences throughout the U.S. Mike also serves as a faculty instructor for the Federal Publications Seminars organization. Education Mike has a BS Degree in Business Administration from Wichita State University. He is also a graduate of the DCAA Director’s Fellowship Program in Management, and has a Masters Degree in Administration from Central Michigan University. Mr. Steen also completed a number of OPM’s management and executive development courses.