By Rep. Frank D. Lucas
Earlier this year we learned about the most extensive failure in cybersecurity by a federal agency to date. The Office of Personnel Management announced in June that the personal information of roughly 4.2 million Americans was compromised by hackers who gained access to its network. A month later, a second intrusion was detected. The number of reported victims ballooned to 21.5 million.
Current, former and even prospective federal employees and contractors were among those impacted by the breach. The data OPM kept on its servers contained Social Security numbers, fingerprints, medical records and financial histories.
A substantial amount of security clearance information was also among the stolen data. This includes identifiable information about family, friends and neighbors, as well as sensitive psychological information used in background checks.
Considering that a large portion of the victims are members of the military and national security agencies, the implications of such a far-reaching data breach are staggering. In the wrong hands this information compromises the safety of these individuals and puts them at risk for blackmail, theft or identity fraud.
Subsequent investigations echoed prior warnings from OPM’s inspector general that several basic security practices were simply ignored leading up to the cyberattacks.
It took the agency an entire year to even realize the attacks occurred, let alone the extent of them. The data on the agency’s network was also not encrypted. This means anyone who could access the server could read and obtain explicit data without additional legwork.
Under OPM Director Katherine Archuleta, many of the security standards laid out for federal agencies were never implemented and went unaddressed for years. OPM leadership was neither transparent nor forthright about the extent of the cyberattacks. Instead, the 1 in 15 Americans affected by this incident learned about it through a trickle of news reports and congressional hearings. Needless to say, Archuleta resigned soon after.
Unfortunately these shortcomings are not isolated. Audits of federal agencies last year showed that 19 of 24 agencies failed to meet very basic cybersecurity standards already mandated by law. And since 2006, the number of information security incidents reported by these federal agencies has increased tenfold. This is not a matter of simply passing more laws or doling out more taxpayer dollars. We must significantly shift our perception of data security.
National security is one of our strongest governing principles, but in cybersecurity we are falling behind.
The scope and frequency of these attacks will continue, but the response from our government is what matters most. We need leaders who truly understand technology because this is not an issue that can be managed crisis to crisis.
At a July House Science subcommittee hearing, Gregory Wilshusen, Director of Information Security Issues at the U.S. Government Accountability Office, noted that “cybersecurity and implementing effective security is not a sprint, it’s a marathon.”
Wilshusen explained that there are a number of effective steps federal agencies can take to help detect or prevent these attacks, whether it is multi-factor authentication, encryption or keeping security patches up to date.
Identity theft is difficult to recognize and even harder to repair after the fact. The steps we take to protect our own personal information — online or offline — should be reflected within our government. This calls for adaptive, decisive and accountable leadership.
Until the administration can place these types of leaders in positions of power, rigorous oversight is our only tool.
The same law that outlines the security measures OPM ultimately failed to implement also mandates those affected be notified “as expeditiously as practicable.” Reports today indicate that of the 21.5 million victims, only a quarter have received a notification letter from OPM.
Rep. Frank D. Lucas, R-Okla., serves as vice chairman of the House Science, Space and Technology Committee.