Homeland Security Committee Chairman Rep. Mark Green (R-Tenn.) recently sent a letter to the Department of Homeland Security asking for it to take data security and hacking attempts by America’s enemies more seriously. Green also wrote to the Government Accountability Office (GAO), asking it to investigate the Office of Personnel Management (OPM), especially USA Staffing (the part of OPM that oversees most of the federal government’s human resources needs).
Green is right to start getting serious about data security and hacking, even if OPM, apparently, has not. The Washington Post reported last week that China’s cyber army is invading U.S. services, including public utilities, communications systems, and supply chain facilities such as seaports.
Will OPM again be a target of a China cyberattack?
The OPM 2014-2015 data breach, the most significant breach in U.S. history at the time, jeopardized nearly 22 million records. The intrusion gave China access to the personal information of federal employees, fingerprint records, and the contents of the Standard Form 86, which is used to apply for a security clearance and contains detailed information of the applicant’s background, finances, their family members, and foreign contacts.
The House Oversight and Government Reform Committee observed that the breach wasn’t a quick smash-and-grab of perishable information, stating it will have a generational impact as China may be able to monitor selected federal employees for the rest of their lives.
The committee’s report noted, “The long-standing failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the inspector general, represents a failure of culture and leadership, not technology.”
And the senior federal managers who were responsible walked away (literally) from the scene of the crime. The OPM director, a political appointee, was forced out by the White House, and the civil service Chief Information Officer retired before she was scheduled to testify to the Congress.
Richard Weitz, a senior fellow at the Hudson Institute, observed:
Despite years of congressional hearings and generous appropriations designed to strengthen its cyber defenses, the OPM still received a cyber score of F on the July 2022 Federal Information Technology Acquisition Reform Act (FITARA) scorecard. Since OPM is the Human Resources authority for much of the federal government, cyber security issues often receive insufficient attention as the Office strives to provide and implement human resources policy and guidance for myriad other issues across many federal government agencies.
Unfortunately, many other U.S. government bodies are also not well positioned to secure U.S. cyber security efforts. In May of this year, the Government Accountability Office (GAO) found that an array of government agencies have not implemented critical cloud security practices, including defined security metrics. GAO listed almost three dozen recommendations that these government bodies had to follow to fully implement these practices.
In contrast, private sector companies have a more consistent and effective track record with preserving the integrity of the U.S.’ sensitive information. They must receive FedRAMP authorization, which means they must use sophisticated cloud technologies that have modern security and protection protocols to keep federal information safe and secure. Furthermore, private sector companies focus more closely on human capital needs and data security.
As the Chinese cyber espionage threat continues unabated, it is critical that the government lean more heavily on these entities in the years to come.
Rep. Green is right. Many private sector alternatives exist to service most functions of the Office of Personnel Management, especially the HR functions performed by USA Staffing. Given the recently reported news about the extent of the China hacking threat, it’s time to consider privatizing as much of the OPM as possible; immediately adding much stricter data protection protocols to the OPM system; or ensuring the OPM employees responsible for securing the data are among the best in the federal government (and, if they aren’t, reorganizing OPM to attract the best talent, which you would think would be easy for the organization that hires people all day, every day).
If OPM fails to act, or be compelled to act, China’s spies will return to that watering hole, confident the Americans are slow learners.