By now you’ve probably heard of the cyber attack on the OPM (Office of Personnel Management). The U.S. government believes strongly that China was behind the attacks. This breach only demonstrates the shortcomings of the federal government. While one could point at the recent CareFirst BCBS or Target hacks where criminals made off with electronic information about customers, this is more concerning as the data this time was records of people who have or are filing for security clearances.
Specifically, the SF-86 forms that are used to collect information to process background checks and facilitate the clearance process, or at least portions thereof, were apparently stored unencrypted. The government has regulations prescribing that PII (Personally Identifiable Information) is protected, which in this case it wasn’t. It is likely that no one will have responsibility for the lack of adherence to the government regulation*. Investigations will continue but I seriously doubt if someone will lose their job over this serious breach. Some will hide behind the massive amount of bureaucracy that will get involved: the State Department, the FBI, the CIA, the OPM, etc. We should demand more competency from our government.
Furthermore, we have just allowed a target list to fall into another country’s hands. This could, and likely will, seriously compromise our ability to conduct intelligence activities and places many of these folks in terrible positions. At a minimum, they are susceptible to identity theft and worse, blackmail or endangerment on the job.
Maybe they should start with encrypting their data…it isn’t hard. And then, maybe they should consider not leaving it on systems connected to the internet.
* If federal agencies don’t adhere to regulations and no one is to blame, does it not beg the question of why have the regulation at all, or which regulations should be followed?