Is it Too Late to Safeguard Employee Data?

Question markThe short answer is no. Just because someone made off with data on millions of employees, retirees and others it does not give anyone a free pass on protecting employee data.

Like most people who pay attention to the goings on in government, I have been watching, reading and listening to the news about the OPM data breach. I have done a bit more than “pay attention” because I spent many years as a Federal employee. Last week I received my notice that my data had been compromised. For anyone who wonders what such a notice says, here it is:

I am writing to inform you that the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information.

Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) to determine the impact to Federal personnel. OPM immediately implemented additional security measures and will continue to improve the security of the sensitive information we manage.

You are receiving this notification because we have determined that the data compromised in this incident may have included your personal information, such as your name, Social Security number, date and place of birth, and current or former address.  To help ensure your privacy, upon your next login to OPM systems, you may be required to change your password.

OPM takes very seriously its responsibility to protect your information. While we are not aware of any misuse of your information, in order to mitigate the risk of potential fraud and identity theft, we are offering you credit monitoring service and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution.  All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months.  Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID until 12/7/16.

To access the trusted pages that will facilitate enrollment into this identity protection service, type or paste the following website into your browser:

You will need to use the PIN code at the top of this correspondence to enroll in these services. Individuals can also contact CSID with any questions about these free services by calling this toll free number, 844-777-2743 (International callers: call collect at 512-327-0705). 

Protector Plus coverage includes:

  • Credit Report and Monitoring: Includes a TransUnion® credit report and tri-bureau monitoring for credit inquiries, delinquencies, judgments and liens, bankruptcies, new loans and more
  • CyberAgent® Internet Surveillance: Monitors websites, chat rooms and bulletin boards 24/7 to identify trading or selling of your personal information
  • Identity Theft Insurance: Reimburses you for certain expenses in the event that your identity is compromised with a $1,000,000 insurance policy
  • Court and Public Records Monitoring: Know if your name, date of birth and Social Security number appear in court records for an offense that you did not commit
  • Non-Credit Loan Monitoring: Know if your personal information becomes linked to short-term, high-interest payday loans that do not require credit inquiries
  • Change of Address Monitoring: Monitor to see if someone has redirected your mail
  • Social Security Number Trace: Know if your Social Security number becomes associated with another individual’s name or address
  • Sex Offender Monitoring: Know if sex offenders reside in your zip code, and ensure that your identity isn’t being used fraudulently in the sex offender registry
  • Full-Service Identity Restoration: Work with a certified identity theft restoration specialist to restore your ID if you experience any fraud associated with your personal information
These services are offered as a convenience to you. However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose. Any alleged issues of liability concerning OPM or the United States for the matters covered by this letter or for any other purpose are determined solely in conformance with appropriate Federal law. Please note that these services are offered to the specific addressee of this letter and are not available to anyone other than the individual who received this notification.
We regret this incident. Please be assured that OPM remains deeply committed to protecting the privacy and security of information and has taken appropriate steps to respond to this intrusion. The incident was uncovered as a result of OPM’s aggressive effort to update its cybersecurity posture over the past year, including the addition of numerous tools and capabilities to its networks that both help detect and deter a cyber-attack.
Please note that neither OPM nor any company acting on OPM’s behalf will contact you to confirm any personal information. If you are contacted by anyone purporting to represent OPM and asking for your personal information, do not provide it.
To learn more and enroll, visit CSID’s website at
Sincerely, Donna K. Seymour
Chief Information Officer
U.S. Office of Personnel Management

We still do not know everything we need to know about the breach. I am particularly concerned by news reports (not confirmed by OPM) that it may include both data and images from the Electronic OPF (EOPF). The many forms in the EOPF include some that are created as hard copy forms for a pen and ink signature, then scanned into EOPF. Among the most worrisome of those forms is the Federal Employees Group Life Insurance Designation of Beneficiary (SF-2823). That form not only has an employee or retiree’s personal information, it also includes the name, address and social security number of all of their beneficiaries. If EOPF is among the systems that were hacked, the problem becomes much messier. It is easy to identify the Personally Identifiable Information (PII) in most systems. It is simply a matter of looking at data elements to see which contain PII. For data stored as images, it is a bit more difficult to identify all of the PII they contain, but it is possible. The good news is that is also a bit harder for the people who stole the information to extract it.

Another bit of good news is that critical employee information is now being viewed differently. We must guard though against the bureaucratic tendency to pay attention to an issue only while the press, the White House and the Congress are asking questions. It is easy to slip back into complacency after the noise dies down. We cannot let that happen.

As bad as this breach is, it is far from the end of the story. Agencies continue to hire new employees whose data has not been stolen. The people who committed this breach will want to continue gathering information. There are still criminals who want employee PII for fraud and identity theft. The people who want to get this type of information will continue attempting to hack government systems every day, just as they have for many years.  Because they are not going to stop, agencies have to start treating HR systems as mission critical and safeguarding them as though their mission success depends on it – because it does.

Protect Federal Workers from the Consequences of Data Theft

dreamstime_xs_50784774The Office of Personnel Management’s recent disclosure of a massive cyber breach highlights the risks of systems that contain Personally Identifiable Information (PII). OPM is a target for these types of attacks because it houses enormous amounts of PII. The nature of OPM’s work is such that it is impossible for them to avoid storing PII on everyone in the Federal government and on all Federal retirees. OPM maintains health and life insurance and retirement systems, along with a massive database of background investigation data. Their mission ensures they are always going to be a target.

OPM is not the only Federal agency that maintains large stores of PII. Every agency has to have records on its employees. Those records include name, address, date of birth, social security number, names of their immediate family members (on beneficiary forms), places they have previously lived (in investigative records and payroll/personnel history files), and much more private information. In fact, virtually every bit of information someone needs to steal the identity of a Federal employee, ruin their credit and cause massive disruption to their lives is sitting in Federal human resources systems.

The amount of PII housed by human resources organizations might lead one to think – “How many cybersecurity employees do most HR organizations have?” The answer might surprise most readers, because it is none. Agencies typically rely on their Chief  Information Officer and security staff, along with the Federal Bureau of Investigation and The Department of Homeland Security, to provide services needed to protect data and recover from breaches. They generally assume the providers of systems they buy will ensure those systems are secure. While it is clearly not the mission of HR to provide cybersecurity services, it is their mission to guard the PII they obtain from employees. We should rethink how HR approaches this responsibility and consider placing assets from the Chief Information Officer’s team (or whichever organization the agency assigns cybersecurity to) in the HR office. Embedding some of those resources in the HR team (while organizationally remaining attached to the CIO) will give them a far better picture of the types of data being gathered, how it is used, and what is happening to it.

We have to accept the fact that the cyber realm is the next great battlefield. So much of our world is now driven by information technology that it has become a highly effective method of attack. Bad actors, whether they be states or criminals, are going to continue to find ways to exploit weaknesses in systems. There is no way to avoid having large stores of data, and there is no way to guarantee they will never be hacked. We cannot have perfect cybersecurity, but we can have effective cybersecurity. Agencies that view cyber security as nothing more than a compliance exercise, where they make certain their employees complete a few minutes of annual training and they install updates as vendors provide them, are putting themselves and their workforce at risk.

That workforce risk is substantial. Although agencies generally worry more about mission systems than workforce data, the harm that can be caused to employees is a mission risk. If employees are worried about their financial and personal information being disclosed, they may be less productive or unwilling to remain in government. If deeply personal information included in security questionnaires is stolen, they may be subject to blackmail. If their identities are stolen or they suffer financial harm, they may be more susceptible to being lured into disclosing agency information for money. Disrupting the workforce could be a very effective means of disrupting an agency’s operations. The OPM breach highlights the risk of HR systems and may encourage others to go after employee data. The number of HR systems is mind-boggling. In DHS alone, in 2011 we had almost 400 different HR systems. While not all of them contained PII, many do. Agencies must ensure they are using the most current tools and practices for intrusion detection and response, identity management, credentialing and access management for any HR system that includes PII. HR systems need to be treated as the mission critical systems they are.

If we recognize the certainty of continued cyber attacks and the likelihood of another breach, what can we do to reduce the risk of personal harm? Obviously better cybersecurity is the first step. Agencies have to do a better job of protecting the information they gather and produce. Because we know breaches will still occur, we need to do more help employees be prepared. That means securing employee data and providing employees with the training and tools they need to protect themselves. Here are three steps that would move us in the right direction:

  • Disclose breaches as soon as it is operationally possible to do so. The breach at OPM occurred in December 2014, was discovered in April 2015 and was disclosed in June 2015. Agencies may have legitimate security reasons for not immediately disclosing a breach, but delays in disclosure must be based on security risks and not on political and public relations concerns.
  • Provide better training to employees to protect their own data and to recognize threats that may occur when their PII is stolen. For example, most people use simple passwords and use the same password repeatedly in every system they access. If their information is stolen from one system, the thieves have a head start on accessing other systems because they already have the employee’s overused password. Bad actors will continue refining their approaches, but that does not mean we have to hand our information to them on a silver platter.
  • Provide ongoing credit monitoring services for all Federal employees. Because they work for the United States government, Federal workers will always be in the crosshairs of our enemies. They cannot refuse to provide PII to their employer, and the steps they can take on their own to protect data are limited. Credit monitoring does not protect data, but it does help employees to discover the threats to their financial security that data theft can produce, even when a breach has not been discovered or disclosed.

Cybersecurity is an ongoing concern that will never go away. As our dependence on technology grows, so will the efforts of people with bad intent. Federal workers need to know that their employer is doing everything that it can to protect their information and has taken steps to protect them from data theft even when the government does not know it has happened.

Competition for Cyber and Digital Services Talent Requires a New Approach to Hiring

Fedgrid-725269_1280eral agencies are struggling to compete for talent in Cybersecurity and Digital Services. The Office of Personnel Management’s recent move to offer a short-term excepted service hiring authority for digital services experts indicates OPM recognizes the need, but does not go far enough to address the government’s growing inability to compete for talent in critical cybersecurity and digital services careers.

Why does government not compete effectively? Can we address the problems? Or is government never going to be able to compete?

I believe the fundamental problem is that government competes for high-tech talent the same way it competes for everything else. We have done little to recognize and deal with the demands of a talent pool that is highly mobile, in demand, and constantly evolving. Competing for that kind of talent with a federal personnel system that is still rooted in the 1950s would be laughable if the potential consequences were not so significant. It is no laughing matter.

OPM’s decision to grant short-term excepted service hiring authority for digital services is a welcome move, but inadequate to meet the government’s long-term talent needs. In this case, OPM gave authority to make appointments in one-year increments, not to exceed September 30, 2017. The appointments must be for one of a list of Smarter IT Delivery Initiative programs.

In addition to the recent OPM initiative, some Departments and Agencies have excepted service authority for some or all of their cybersecurity positions. That piecemeal approach is part of the problem. I had discussions about this issue with OPM, members of Congress, GAO and OMB in 2009 when I Chief Human Capital Officer at the Department of Homeland Security. There is virtually no one who would argue that cybersecurity jobs are easy to fill. There is no one who would argue the government does not have a critical need for such talent. And there is certainly no one who would argue that the government is the employer of choice for most cyber professionals. After 6 years, where are we? Marginally better off than we were, but certainly not on the way to having this problem solved.

The issue is complicated by the nature of the cybersecurity and digital services occupations. Problem number 1 is that neither is a single occupation. In DHS alone, we identified almost 20 different job series that made up the cybersecurity workforce. The same is happening with the digital services workforce. Rather than a single occupation, we have collections of jobs that fit into one of the hundreds of job series that are included in the General Schedule. If we want to fix this problem, we have to recognize that force-fitting jobs into an outmoded classification system is not going to work. When I have raised this issue in the past, defenders of the status quo say we should not “Balkanize” the civil service by solving problems one agency or occupation at a time. So what have we done? We have different approaches for different agencies, for different occupations, and even for different line items in the budget. The only difference in the approach we are taking now is that the Balkanization is happening with no clear end in mind. How is that good for anyone?

If we want to begin addressing this problem, we do not have to wait for Congress to act. There are several steps that can be taken without the need for Congressional action.

  • Immediately move all cybersecurity and digital services jobs into the excepted service. Doing so will allow a streamlined hiring process that is not a talent barrier. Although some highly desirable jobs have difficulty competing on the pay front, for the most part the big barrier is the government’s hiring process. It is simply not suitable for these occupations and repels much of the available talent.
  • Develop a new job group for all such positions. Trying to force-fit these positions into the existing General Schedule presents another barrier, both to hiring and to moving people around once they are in government.
  • Within the group, establish job series for key types of occupations. A small number of series that address the major types of occupations would simplify classification, hiring and ongoing talent management.
  • Issue dramatically simplified job classification guidance for the new occupations. The current job classification process is a mess. We do not need hundreds of series with classification standards that become obsolete by the time they are published. It is bad enough for work that does not change rapidly. It is unacceptable for dynamic occupations like these, where the technology is constantly changing.
  • Establish a government-wide steering group of cybersecurity, digital services and human capital professionals to work with OMB and OPM on issues related to these critical occupations. One problem with many excepted service jobs is that they are administered differently by every agency. Because these are positions most agencies have, the overall structure should be governed by a steering group that ensures a reasonable degree of consistency, but allows agency-specific rules where needed. Having some degree of consistency would make moving among agencies easier and might help the government retain the talent longer. The steering group should strive to develop a process that can reduce the time from initial contact to job offer to days, rather than the weeks or months it now takes. Using a steering group to drive the process should also make it possible to make progress much more rapidly. It currently takes OPM 2 to 3 years to write a classification standard.
  • Develop more modern screening methods for applicants. The current questionnaire process produces a lot of useless questionnaires that turn off applicants and produce poor results for agencies. Better assessments, including approaches such as serious games that evaluate an applicant’s problem-solving abilities, would improve the process and not be such a deterrent to applying for a Federal job.

We have been talking about these problems for far too long. While we have debated what to do and made, at best, baby steps toward a solution, the private sector has focused on recruiting cybersecurity and digital services talent. The government is not only not the employer of choice for these folks, it is not even a consideration for many of them. That has to change and change soon.

Remaking Government

PuzzlePieceMore than 3 years ago the Administration proposed that Congress grant the President authority to reorganize government agencies. The plan intended the authority to be used for “rethinking, reforming and remaking our government so that it can meet the challenges of our time.” When the proposal was made, the plan was to begin with 6 trade-related agencies (U.S. Department of Commerce’s core business and trade functions, the Small Business Administration, the Office of the U.S. Trade Representative, the Export-Import Bank, the Overseas Private Investment Corporation, and the U.S. Trade and Development Agency) and consolidate them into a single Department focused on helping American business succeed. The proposal went nowhere. The President revived the proposal in his 2016 budget plan.

The idea of restructuring the government is not partisan – it is simply good management. The federal government, like any large bureaucracy, has developed over many decades. Agencies have lost aspects of their missions and gained others. Like any good bureaucracy, agencies tend to focus a lot on self-preservation. When anyone proposes cutting their budget or diminishing their scope in any way, they respond by justifying their existence as though the world would end if they did not exist exactly the way they are now. So what we end up with is a collection of Departments and Agencies that are not quite what they were intended to be and that have evolved over time to be something that perhaps was never intended. The trade proposal was a great example of the overlap that exists in agencies today. Overlapping and conflicting missions generate more bureaucracy and more cost, but rarely result in anything that is better for the taxpayers.

If we are going to continue reducing the deficit, we have to find ways to cut costs that do not require cutting services. Even though most Americans agree we should cut federal spending, there is no agreement on what to cut. In fact, the majority of Americans polled on the subject did not want to cut any major programs other than foreign aid.  When we get down from the macro whole-of-government level to the agency level, there is still little agreement. For example, when we talk about saving money on Defense spending, it appears the majority of people do not want to close bases or cut weapons systems. That does not leave much room to find the billions of dollars that need to be saved. The same thing happens across government.

If we really want to cut spending, we need to substantially rethink how government is organized. Every Department has bureaus, agencies, administrations or components that each have their own management and support structures that generate overhead costs. The more organizations we have, the higher the cost. Giving this or the next President the authority to restructure and combine programs and agencies has the potential to generate better results of the taxpayers, lower costs, generate a wealth of new ideas and give us a government that works better for fewer dollars. It is not a Republican idea, a Democratic idea or any other party’s idea. It just makes sense.

Memorial Day – Remembering Those Who Died

memorialday_cemeteryMemorial Day is one of those holidays that does not seem to be fully understood by some folks. For some it is the unofficial start of the the summer vacation season; for others it is the day when traffic in Washington, DC begins to lighten up for a few days. Some think of it as the day the Indianapolis 500 is run. Others think of it as a time to thank veterans for their service.

It may be all of those things, but Memorial Day has a greater and far more important purpose. At the end of the Civil War, families, friends and grateful citizens began decorating the graves of fallen soldiers. The commemoration of their sacrifice evolved into what we know today as Memorial Day. The act of decorating the graves with flowers and flags is so central to the day that in many parts of the country Memorial Day is still called “Decoration Day.” Whatever you call it, Memorial Day is intended as a time to recognize the sacrifice of military personnel who died in service to our country.

The original Memorial Day Order, signed by the Commander in Chief of the Grand Army of the Republic in 1868 says it best:

“We should guard their graves with sacred vigilance. All that the consecrated wealth and taste of the nation can add to their adornment and security is but a fitting tribute to the memory of her slain defenders. Let no wanton foot tread rudely on such hallowed grounds. Let pleasant paths invite the coming and going of reverent visitors and fond mourners. Let no vandalism of avarice or neglect, no ravages of time, testify to the present or to the coming generations that we have forgotten, as a people, the cost of a free and undivided republic.

If other eyes grow dull and other hands slack, and other hearts cold in the solemn trust, ours shall keep it well as long as the light and warmth of life remains in us.

Let us, then, at the time appointed, gather around their sacred remains and garland the passionless mounds above them with choicest flowers of springtime; let us raise above them the dear old flag they saved from dishonor; let us in this solemn presence renew our pledges to aid and assist those whom they have left among us as sacred charges upon the nation’s gratitude—the soldier’s and sailor’s widow and orphan.

While we spend time this holiday weekend with our friends and family, let us not forget what Memorial Day is all about and the supreme sacrifice made by those men and women who are no longer among us.

The muffled drum's sad roll has beat
The soldier's last tattoo;
No more on life's parade shall meet
The brave and daring few.
On Fame's eternal camping-ground
Their silent tents are spread,
And Glory guards with solemn round
The bivouac of the dead.

The Bivouac of the Dead
Theodore O'Hara

Get every new post delivered to your Inbox.

Join 922 other followers

%d bloggers like this: