“I want to thank you for saying yes” to the OPM assignment, Colleen M. Kelley, president of the National Treasury Employees Union, told Cobert during a National Council on Federal Labor-Management Relations meeting at the OPM building Wednesday morning. At the beginning of the session, Cobert presented a Theodore Roosevelt award to the retiring Kelley in honor of her service.
After the niceties were done, the Council got down to business with pointed questions about ramifications for victims of the cyber theft. Some Cobert could not answer. Some answers were not what the labor leaders wanted to hear.
The lack of information only deepens the angst, aggravation and anger of the robbed. Cobert urged feds to visit the Web site, www.opm.gov/cybersecurity, for more information.
With the first question, William R. Dougan, president of the National Federation of Federal Employees, asked why OPM is not providing the same level of remediation service to victims of the two breaches. OPM plans a “suite of comprehensive services” for the 21.5 million employees, contractors and applicants for security clearances, and their families, whose information was stolen in the breach of background investigation information announced on June 12. That includes identity restoration support, identity theft insurance, identity monitoring for minor children, continuous credit monitoring and fraud monitoring for at least three years.
Those whose personal information, including Social Security numbers, was taken in the heist announced on June 4 will get identity restoration services and identity theft insurance for 18 months. They also may enroll in credit monitoring.
“From my standpoint and the standpoint of the folks I represent, if your information is compromised it’s compromised,” Dougan said. “It seems to me a more consistent approach … makes a lot more sense.”
Cobert did not agree at the meeting to enhance services for all. The background breach involved “a richer set of information about you and your family,” she said. Dougan pushed back, saying it “should not make a difference” if a Social Security number was stolen during one breach or the other. The best he could get from Cobert was a promise to “continue to look at that.”
Kelley wanted to know when OPM would select an outside contractor to provide information and coordinate services for the background breach victims. Cobert couldn’t say, even though that breach was discovered more than a month ago.
“I have been asking since the day the second breach was announced, when we would get at least a timeline for those notifications, so I am very concerned about not getting that,” Kelley said Thursday. “Federal employees and others are rightly worried.”
Like Dougan, J. David Cox Sr., president of the American Federation of Government Employees, also was critical of the “dual standard.” His union issued a statement Monday calling the lesser protections for some victims “absolutely outrageous.”
Cox also pressed Cobert and other administration officials to push Congress for emergency funding to cover modernization of the government’s information technology systems.
“I view this as sort of a disaster,” he said.
Of course it is. But Cox wants the government to treat the cyber disaster as it would a natural disaster: “We need funding for the latest and up-to-date cyber security.”
Cobert did not directly answer the request for emergency funding, but the response from Tony Scott, the U.S. chief information officer, was disturbing. “Even a ton of money” won’t solve the government’s fundamental IT problem in the short run, he said. The problem, shared by the private sector, is old technology unable to repel sophisticated cyber-attacks.
Not only is the technology old, but the government does a poor job of protecting it. A couple of hours after the OPM meeting concluded, Mary Kendall, deputy inspector general at the Interior Department, told Congress about the many problems facing the agency’s technology system, which houses OPM’s personnel files.
Three Interior bureaus “had not implemented effective defense in depth measures to protect key IT assets from Internet-based cyber-attacks,” she reported to a joint hearing called by two House Oversight and Government Reform subcommittees. “Specifically, we found nearly 3,000 critical and high-risk vulnerabilities in hundreds of publicly accessible computers operated by these three bureaus.” An attack, she added, “could severely degrade or even cripple the Department’s operations, and could also result in the loss of sensitive data.”
Back at the OPM meeting, Scott was just as depressing.
“What we’re left with,” he said, “is effectively trying to bubble wrap and band-aid technology that was never designed to defend itself against the kind of threats we face today.”
With a straight face, he concluded: “I don’t want to leave you with a grim picture.”
Too late for that.