BY ANY measure, the breach of Office of Personnel Management networks this year stands apart. It represents a failure of stewardship and a serious external threat.
After the OPM suffered a cyberintrusion in 2014, its director, Katherine Archuleta, asked Congress in February for $26 million in additional funding for cybersecurity. She said the agency stores more personally identifiable information than almost any other in the government, including banking data for more than 2 million people and background investigations for more than 30 million, among them individuals being considered for military enlistment, federal job appointments and employment by federal contractors. “It is imperative,” Ms. Archuleta wrote, that “the confidentiality of this information be secured to protect the identities, lives and livelihoods of these people, and the family members and associates identified as part of these records. The threats to identity theft, financial espionage, etc., are real, dynamic and must be averted.”
They were not averted. In April, the new breach was uncovered. Intruders had stolen the names, Social Security numbers, pay history, health records and other data of some 4.2 million current and former federal workers. The breach was announced June 4; on June 12 the agency admitted the breach was worse than initially reported and had compromised sensitive security-clearance records, forms that are filled out for positions in national security and law enforcement. Bloomberg Business quoted officials saying as many as 14 million people could be affected. U.S. officials have attributed the attack to Chinese hackers.
Now there is a lot of frantic closing of barn doors. The administration announced a “sprint” toward tighter cybersecurity measures. But how did it happen that a repository of such value and sensitivity was left vulnerable to theft in the first place? Both the Office of Personnel Management and the Department of Homeland Security, which is supposed to protect federal civilian networks, have a lot of explaining to do. The Wall Street Journal reported that the breach was in fact discovered by a private contractor demonstrating security software in April, while government officials say they found the breach. Clearly, there have been management and leadership failures.
For years, Chinese intruders, among others, have zeroed in on the U.S. government and its contractors, seeking scraps of information that could be used to pry open networks. Now the Chinese hackers must think they have hit the jackpot. The stolen data and security forms could easily be leveraged to blackmail or pressure federal workers, including those who handle classified information, and might also compromise foreign nationals whose names are on those security forms.
Aside from investigating how it happened, the president and Congress ought to question the DHS’s obvious weakness at protecting civilian federal networks. The centerpiece of the DHS effort, known as Einstein, has failed to stop a series of breaches of federal agencies. If the DHS is not up to the job, perhaps it is time to call in the ambitious 6,000-strong U.S. Cyber Command being created in the military.
The breach also calls for a determined probe to identify the hackers and strike back. We don’t suggest this lightly. It seems to us that just slamming doors and building more firewalls may be an insufficient response to an assault of this magnitude. An essential aspect of deterrence is the credible threat of retaliation.