OPM: One Year Later

It’s been one year since the US Office of Personnel Management (OPM) announced it had been the target of a massive data breach, and much of the discussion revisiting the incident has focused on what’s been done to plug the holes. This kind of scrutiny, while valuable, misses the larger issue. Of course the OPM breach highlighted vulnerabilities that needed addressing, but it also revealed larger, government-wide structural issues and defense strategies that have to be tackled head-on if we are to withstand similar cyberattacks in the future.

The intrusion reportedly began long before June 2015 when presumably Chinese hackers obtained a contractor’s log-in credentials. The perpetrators managed to steal records including extremely sensitive background investigation information submitted by more than 20 million individuals undergoing background checks by the US Government.

Federal authorities rushed to put Band-Aids on critical vulnerabilities after the breach was discovered. The OPM director resigned, and the US Office of Management and Budget (OMB) launched a ‘cyber sprint’ to patch glaring cybersecurity holes government-wide through measures such as limiting privileged users and implementing strong authentication protocols. The Obama administration is also creating a new agency equipped with Defense Department-operated IT systems to run the security clearance process.

These Band-Aids were crucial to stop the bleeding, but will have been for naught if the OPM incident does not serve as a wake-up call for lawmakers and the next administration. With the data it has obtained, Chinese government officials could link US intelligence officers to their real fingerprint record, rendering their cover and ability to operate useless. A Chinese spy with access to the health history and financial records of Americans with security clearances can more readily identify potential targets susceptible to blackmail or manipulation. This is a national security issue that goes far beyond personal privacy, and it necessitates a response far more comprehensive than two-factor authentication and social engineering seminars.

As the government spends more and more on cybersecurity for seemingly unsatisfactory results, it is evident that the underlying problem is the lack of a strategic, comprehensive approach to securing unclassified systems. To remedy this, policymakers need look no further than Silicon Valley. Over the past several decades, the federal government has moved away from developing its network defense solutions in-house, opting instead to rely on America’s center of innovation and disruptive technology to stay ahead of cyber threats. The FBI’s recent row with Apple over the San Bernardino shooter’s iPhone, however, and the ensuing national debate on encryption and backdoor access, have highlighted points of tension between Washington and Silicon Valley.

On the issue of securing networks, however, the technology sector and the federal government are in lock-step, and further dialogue between the two is key to both sides benefiting. In January of this year, top Obama administration national security officials including Attorney General Loretta Lynch, FBI Director James Comey, Director of National Intelligence James Clapper, and NSA Director Michael Rogers met with top Silicon Valley executives to discuss terrorism and radicalization. The meeting came amid numerous visits by Defense Department officials as part of Secretary Ash Carter’s push to recruit top tech talent. Government ought to continue this dialogue, not only to ensure that civilian agencies have access to the newest technology, but also so that the government as a whole can begin to change its perspective on cybersecurity. That means no longer treating cybersecurity as a low priority that a patchwork of security measures can sufficiently deal with, and instead treating it as a crucial national security priority that is given due consideration through a comprehensive and coherent strategy.

What remains to be seen is whether the breach will turn out to be a watershed event in its capacity to galvanize the federal government to commit seriously to a comprehensive cybersecurity strategy. The OPM breach has already been a watershed event in at least one way: it has demonstrated the value in stealing – and therefore in more diligently protecting – government data that, on its surface, has little to do with national security.

Our only limitation now is imagination. Could the IRS, which has already been breached by identity thieves, be the next target of a nation-state? With its trove of financial records of hundreds of millions of Americans – to say nothing of CEOs, industry leaders, and eight of the world’s ten richest people – the IRS would be a similarly valuable target. Until the federal government reassesses its approach to cybersecurity, the OPM incident might just be the beginning.