What’s Next for OPM?

The OPM data breach has put the government’s personnel agency in a deep hole. Critics are accusing OPM of an inadequate response and poor communications and questioning how the agency can continue to operate effectively. That is not a surprise. Something as big and as shocking as this can be a credibility killer for any organization. Even so, I have been surprised by the number of people who have told me OPM should be shut down and its mission transferred to other agencies. Others have told me the agency just has to “hunker down” and take its lumps before returning to business as usual. Neither approach is productive.

When an organization finds itself in a security, morale and public relations nightmare, it has to act or be damaged beyond recovery. Like Sony, Target, Anthem and others, OPM can recover from this mess, but it will have to take a number of deliberate steps to begin moving forward and eventually emerge as a better and more effective agency. In this post I am going to address some steps OPM should take to get started. I believe OPM has a vital mission and it certainly should not be shut down, but there are structural changes that OPM should make to refocus and ensure it does not find itself here again. I will address those in my next post.

The Rest of the Story

Every story has a beginning, middle and end. We already know the beginning of this story. Two cyber security breaches exposed vital records of more than 20 million people. We are in the middle of the story now, and it is very personal. Rather than being an abstract tale about someone else’s misfortune, this one directly affected virtually every Federal employee (including members of Congress), cleared employees of government contractors, and 1.8 million family members and associates. We/they are angry. We still do not know everything we want to know. We saw an agency that was slow to respond, did not want to say “we are profoundly sorry for this failure,” did not maintain clear and open communications, and did not appear to know what to do next. Given the scope and long-term impact of the breach, that reaction was infuriating, but not surprising. Few organizations take the necessary steps to prepare for a crisis of this scale.

OPM has the opportunity to help define the arc of this story and influence how it ends. If OPM is going to emerge from the breach successfully, it needs to address the anger and fear and demonstrate that it knows what to do. Here are some suggestions on how to begin:

Get the Credit Monitoring/Identity Protection Issue Off the Table. Because this is such a personal issue and the fear of identity theft is so strong, the government needs to offer long-term credit monitoring and identity theft protection to everyone who was affected by both breaches. This one will require help. I know a lot of people say OPM should pay for what happened, but that is not the way Federal budgets work. It is unlikely OPM’s appropriated dollars can be used without violating the Anti-Deficiency Act, and its revolving fund does not have the money to pay for it. That means, as distasteful as it seems, it will require either a new appropriation or money from other agencies. OPM has already advised agencies that it is raising fees for background investigation services to pay for the protection it has already offered. Any long-term protection contract should be awarded competitively, after rigorous competition and price negotiations.

Communicate. It is no secret that everyone wants more information. They want to know what happened, they want to know what will be done to make certain it will not happen again, and they want to know what will be done to protect them and their families from the consequences of this breach. Perhaps early communications were poor because of security concerns, but we are at a point where OPM must share more information, answer questions, and start reassuring people. They need crisp messaging that does just that. They need to be out in public talking about it. Acting Director Beth Cobert addressed the breach at the July 15, 2015 meeting of the National Council on Federal Labor Management Relations. OPM also participated in a July 16, 2015 event hosted by Maryland representative John Delaney. Those were a good start, but they reached only a few hundred people. Because people get their information from many different sources, OPM should use multiple forms of communications, including social media (the OPM Facebook page has been virtually silent on the breach), press releases, interviews with the media, and more information on OPM’s website. As my new colleague, Jeff Hunt, an international expert in crisis communications with ICF’s PulsePoint Group noted: “Everyone looks for the villain, the victim, the hero and the moral to the story during situations like this. There is a natural vacuum created as these roles get cast. It may be unreasonable to expect OPM to ever achieve ‘hero’ status, but they should be making sure everyone knows who the real villain is. That would be the hackers and not OPM.”

Engage the OPM workforce. The OPM workforce should become a part of the communications strategy. OPM should give its workforce information that they can share with colleagues in other agencies, their families and friends. Those folks are talking with OPM employees anyway. If the OPM workers have nothing to say but “I don’t know anything and am not allowed to talk about it,” their opinions of their employer will suffer, they will feel isolated, and the best may look elsewhere for jobs. While the breach certainly was not the responsibility of just one person, likewise it was not the fault of every OPM employee. Many of them have been doing their jobs and doing them well. If OPM employees are empowered with some useful information and the ability to share it, they will be more engaged and will help share information that is accurate and beneficial.

Share the Learning. The learning is important to the healing. As OPM progresses through the fallout of the breach, it will no doubt learn many lessons. An important part of recovery is sharing that learning so the people who were harmed by the breach know that the learning is taking place. We can be remarkably forgiving people when we believe people and organizations who have had failures have accepted responsibility, learned from their mistakes, and taken steps to avoid another failure. OPM should begin communicating what it has learned and how it will incorporate that learning into how it conducts business.

Identify Metrics that Show Progress. OPM will have to make changes as a result of the breach. That may include how it manages technology programs, the types of oversight managers will receive, how it responds to reports from its Inspector General, how it addresses updates to software and operating systems, and many others. Most agencies do not have public metrics about such “weedy” internal operations, but most agencies have not lost the personal data of 20+ million people. OPM will have to go above and beyond the norm to regain its credibility. Publicly reported metrics, based on what the agency has learned from the aftermath of the breach, will provide the transparency that is needed to “trust, but verify” that the agency is taking the learning and applying it in a meaningful way.

Recovery from the breach is going to take a long time, but beginning to regain the trust of Federal employees, the Congress and the public can begin immediately. We need to see visible signs of change and we need them now.

The Culture of Cyber Insecurity

Data breaches at OPM, Target, Sony and others have gotten everyone’s attention on the issue of cybersecurity and the challenge of securing Personally Identifiable Information. Agencies are reviewing systems, the White House, DoD, OPM, the FBI and others are investigating the OPM breach, and Congress is holding hearings. There will be requests for money for better technology, and agency leaders are making promises about securing employee data. All good. Right?

Not necessarily. The OPM breach exemplifies the cultural problem that besets the cybersecurity of the government and the private sector – the failure to recognize that cybersecurity is a challenge that must be owned by the entire enterprise. Everyone – CIO, CISO, CFO, COO, communications, human resources – must be part of plans and programs necessary for effective cybersecurity. It is a massive technology challenge that requires the best tools and talent. I am not a technologist, so I will leave the technical aspects of the issue to my ICF colleague, Sam Visner. His paper on Whole of Enterprise Cybersecurity Planning and Recovery is a great read and it makes the point – effective cybersecurity requires programs that are end-to-end (from plans through incident response) and involve the entirety of an enterprise.

At the same time we are using the best available security tools, we must also address the cultural issues that contribute to vulnerabilities, or the technology cannot protect us. The prevailing culture reduces cybersecurity to “merely” a technical challenge.

Read the rest of this post at the Washington Post 


Is it Too Late to Safeguard Employee Data?

The short answer is no. Just because someone made off with data on millions of employees, retirees and others, it does not give anyone a free pass on protecting employee data.

Like most people who pay attention to the goings on in government, I have been watching, reading and listening to the news about the OPM data breach. I have done a bit more than “pay attention” because I spent many years as a Federal employee. Last week I received my notice that my data had been compromised. For anyone who wonders what such a notice says, here it is:

I am writing to inform you that the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information.

Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) to determine the impact to Federal personnel. OPM immediately implemented additional security measures and will continue to improve the security of the sensitive information we manage.

You are receiving this notification because we have determined that the data compromised in this incident may have included your personal information, such as your name, Social Security number, date and place of birth, and current or former address. To help ensure your privacy, upon your next login to OPM systems, you may be required to change your password.

OPM takes very seriously its responsibility to protect your information. While we are not aware of any misuse of your information, in order to mitigate the risk of potential fraud and identity theft, we are offering you credit monitoring service and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution. All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months. Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID until 12/7/16.

To access the trusted pages that will facilitate enrollment into this identity protection service, type or paste the following website into your browser: https://www.csid.com/opm

You will need to use the PIN code at the top of this correspondence to enroll in these services. Individuals can also contact CSID with any questions about these free services by calling this toll free number, 844-777-2743 (International callers: call collect at 512-327-0705). 

Protector Plus coverage includes:

  • Credit Report and Monitoring: Includes a TransUnion® credit report and tri-bureau monitoring for credit inquiries, delinquencies, judgments and liens, bankruptcies, new loans and more
  • CyberAgent® Internet Surveillance: Monitors websites, chat rooms and bulletin boards 24/7 to identify trading or selling of your personal information
  • Identity Theft Insurance: Reimburses you for certain expenses in the event that your identity is compromised with a $1,000,000 insurance policy
  • Court and Public Records Monitoring: Know if your name, date of birth and Social Security number appear in court records for an offense that you did not commit
  • Non-Credit Loan Monitoring: Know if your personal information becomes linked to short-term, high-interest payday loans that do not require credit inquiries
  • Change of Address Monitoring: Monitor to see if someone has redirected your mail
  • Social Security Number Trace: Know if your Social Security number becomes associated with another individual’s name or address
  • Sex Offender Monitoring: Know if sex offenders reside in your zip code, and ensure that your identity isn’t being used fraudulently in the sex offender registry
  • Full-Service Identity Restoration: Work with a certified identity theft restoration specialist to restore your ID if you experience any fraud associated with your personal information

These services are offered as a convenience to you. However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose. Any alleged issues of liability concerning OPM or the United States for the matters covered by this letter or for any other purpose are determined solely in conformance with appropriate Federal law. Please note that these services are offered to the specific addressee of this letter and are not available to anyone other than the individual who received this notification.

We regret this incident. Please be assured that OPM remains deeply committed to protecting the privacy and security of information and has taken appropriate steps to respond to this intrusion. The incident was uncovered as a result of OPM’s aggressive effort to update its cybersecurity posture over the past year, including the addition of numerous tools and capabilities to its networks that both help detect and deter a cyber-attack.
Please note that neither OPM nor any company acting on OPM’s behalf will contact you to confirm any personal information. If you are contacted by anyone purporting to represent OPM and asking for your personal information, do not provide it.
To learn more and enroll, visit CSID’s website at https://www.csid.com/opm
Sincerely, Donna K. Seymour
Chief Information Officer
U.S. Office of Personnel Management

We still do not know everything we need to know about the breach. I am particularly concerned by news reports (not confirmed by OPM) that it may include both data and images from the Electronic OPF (EOPF). The many forms in the EOPF include some that are created as hard copy forms for a pen and ink signature, then scanned into EOPF. Among the most worrisome of those forms is the Federal Employees Group Life Insurance Designation of Beneficiary (SF-2823). That form not only has an employee or retiree’s personal information, it also includes the name, address and Social Security number of all of their beneficiaries. If EOPF is among the systems that were hacked, the problem becomes much messier. It is easy to identify the Personally Identifiable Information (PII) in most systems. It is simply a matter of looking at data elements to see which contain PII. For data stored as images, it is a bit more difficult to identify all of the PII they contain, but it is possible. The good news is that it is also a bit harder for the people who stole the information to extract it.

Another bit of good news is that critical employee information is now being viewed differently. We must guard though against the bureaucratic tendency to pay attention to an issue only while the press, the White House and the Congress are asking questions. It is easy to slip back into complacency after the noise dies down. We cannot let that happen.

As bad as this breach is, it is far from the end of the story. Agencies continue to hire new employees whose data has not been stolen. The people who committed this breach will want to continue gathering information. There are still criminals who want employee PII for fraud and identity theft. The people who want to get this type of information will continue attempting to hack government systems every day, just as they have for many years. Because they are not going to stop, agencies have to start treating HR systems as mission critical and safeguarding them as though their mission success depends on it – because it does.

Protect Federal Workers from the Consequences of Data Theft

The Office of Personnel Management’s recent disclosure of a massive cyber breach highlights the risks of systems that contain Personally Identifiable Information (PII). OPM is a target for these types of attacks because it houses enormous amounts of PII. The nature of OPM’s work is such that it is impossible for them to avoid storing PII on everyone in the Federal government and on all Federal retirees. OPM maintains health and life insurance and retirement systems, along with a massive database of background investigation data. Their mission ensures they are always going to be a target.

OPM is not the only Federal agency that maintains large stores of PII. Every agency has to have records on its employees. Those records include name, address, date of birth, social security number, names of their immediate family members (on beneficiary forms), places they have previously lived (in investigative records and payroll/personnel history files), and much more private information. In fact, virtually every bit of information someone needs to steal the identity of a Federal employee, ruin their credit and cause massive disruption to their lives is sitting in Federal human resources systems.

The amount of PII housed by human resources organizations might lead one to ask, “How many cybersecurity employees do most HR organizations have?” The answer might surprise most readers, because it is none. Agencies typically rely on their Chief Information Officer and security staff, along with the Federal Bureau of Investigation and the Department of Homeland Security, to provide the services needed to protect data and recover from breaches. They generally assume the providers of the systems they buy will ensure those systems are secure. While it is clearly not the mission of HR to provide cybersecurity services, it is their mission to guard the PII they obtain from employees. We should rethink how HR approaches this responsibility and consider placing assets from the Chief Information Officer’s team (or whichever organization the agency assigns cybersecurity to) in the HR office. Embedding some of those resources in the HR team (while organizationally remaining attached to the CIO) will give them a far better picture of the types of data being gathered, how it is used, and what is happening to it.

We have to accept the fact that the cyber realm is the next great battlefield. So much of our world is now driven by information technology that it has become a highly effective method of attack. Bad actors, whether they be states or criminals, are going to continue to find ways to exploit weaknesses in systems. There is no way to avoid having large stores of data, and there is no way to guarantee they will never be hacked. We cannot have perfect cybersecurity, but we can have effective cybersecurity. Agencies that view cyber security as nothing more than a compliance exercise, where they make certain their employees complete a few minutes of annual training and they install updates as vendors provide them, are putting themselves and their workforce at risk.

That workforce risk is substantial. Although agencies generally worry more about mission systems than workforce data, the harm that can be caused to employees is a mission risk. If employees are worried about their financial and personal information being disclosed, they may be less productive or unwilling to remain in government. If deeply personal information included in security questionnaires is stolen, they may be subject to blackmail. If their identities are stolen or they suffer financial harm, they may be more susceptible to being lured into disclosing agency information for money. Disrupting the workforce could be a very effective means of disrupting an agency’s operations. The OPM breach highlights the risk of HR systems and may encourage others to go after employee data. The number of HR systems is mind-boggling. In DHS alone, in 2011 we had almost 400 different HR systems. While not all of them contained PII, many do. Agencies must ensure they are using the most current tools and practices for intrusion detection and response, identity management, credentialing and access management for any HR system that includes PII. HR systems need to be treated as the mission critical systems they are.

If we recognize the certainty of continued cyber attacks and the likelihood of another breach, what can we do to reduce the risk of personal harm? Obviously better cybersecurity is the first step. Agencies have to do a better job of protecting the information they gather and produce. Because we know breaches will still occur, we need to do more to help employees be prepared. That means securing employee data and providing employees with the training and tools they need to protect themselves. Here are three steps that would move us in the right direction:

  • Disclose breaches as soon as it is operationally possible to do so. The breach at OPM occurred in December 2014, was discovered in April 2015 and was disclosed in June 2015. Agencies may have legitimate security reasons for not immediately disclosing a breach, but delays in disclosure must be based on security risks and not on political and public relations concerns.
  • Provide better training to employees to protect their own data and to recognize threats that may occur when their PII is stolen. For example, most people use simple passwords and use the same password repeatedly in every system they access. If their information is stolen from one system, the thieves have a head start on accessing other systems because they already have the employee’s overused password. Bad actors will continue refining their approaches, but that does not mean we have to hand our information to them on a silver platter.
  • Provide ongoing credit monitoring services for all Federal employees. Because they work for the United States government, Federal workers will always be in the crosshairs of our enemies. They cannot refuse to provide PII to their employer, and the steps they can take on their own to protect data are limited. Credit monitoring does not protect data, but it does help employees to discover the threats to their financial security that data theft can produce, even when a breach has not been discovered or disclosed.

Cybersecurity is an ongoing concern that will never go away. As our dependence on technology grows, so will the efforts of people with bad intent. Federal workers need to know that their employer is doing everything that it can to protect their information and has taken steps to protect them from data theft even when the government does not know it has happened.

Competition for Cyber and Digital Services Talent Requires a New Approach to Hiring

Federal agencies are struggling to compete for talent in Cybersecurity and Digital Services. The Office of Personnel Management’s recent move to offer a short-term excepted service hiring authority for digital services experts indicates OPM recognizes the need, but does not go far enough to address the government’s growing inability to compete for talent in critical cybersecurity and digital services careers.

Why does government not compete effectively? Can we address the problems? Or is government never going to be able to compete?

I believe the fundamental problem is that government competes for high-tech talent the same way it competes for everything else. We have done little to recognize and deal with the demands of a talent pool that is highly mobile, in demand, and constantly evolving. Competing for that kind of talent with a federal personnel system that is still rooted in the 1950s would be laughable if the potential consequences were not so significant. It is no laughing matter.

OPM’s decision to grant short-term excepted service hiring authority for digital services is a welcome move, but inadequate to meet the government’s long-term talent needs. In this case, OPM gave authority to make appointments in one-year increments, not to exceed September 30, 2017. The appointments must be for one of a list of Smarter IT Delivery Initiative programs.

In addition to the recent OPM initiative, some Departments and Agencies have excepted service authority for some or all of their cybersecurity positions. That piecemeal approach is part of the problem. I had discussions about this issue with OPM, members of Congress, GAO and OMB in 2009 when I was Chief Human Capital Officer at the Department of Homeland Security. There is virtually no one who would argue that cybersecurity jobs are easy to fill. There is no one who would argue the government does not have a critical need for such talent. And there is certainly no one who would argue that the government is the employer of choice for most cyber professionals. After 6 years, where are we? Marginally better off than we were, but certainly not on the way to having this problem solved.

The issue is complicated by the nature of the cybersecurity and digital services occupations. Problem number 1 is that neither is a single occupation. In DHS alone, we identified almost 20 different job series that made up the cybersecurity workforce. The same is happening with the digital services workforce. Rather than a single occupation, we have collections of jobs that fit into one of the hundreds of job series that are included in the General Schedule. If we want to fix this problem, we have to recognize that force-fitting jobs into an outmoded classification system is not going to work. When I have raised this issue in the past, defenders of the status quo say we should not “Balkanize” the civil service by solving problems one agency or occupation at a time. So what have we done? We have different approaches for different agencies, for different occupations, and even for different line items in the budget. The only difference in the approach we are taking now is that the Balkanization is happening with no clear end in mind. How is that good for anyone?

If we want to begin addressing this problem, we do not have to wait for Congress to act. There are several steps that can be taken without the need for Congressional action.

  • Immediately move all cybersecurity and digital services jobs into the excepted service. Doing so will allow a streamlined hiring process that is not a talent barrier. Although some highly desirable jobs have difficulty competing on the pay front, for the most part the big barrier is the government’s hiring process. It is simply not suitable for these occupations and repels much of the available talent.
  • Develop a new job group for all such positions. Trying to force-fit these positions into the existing General Schedule presents another barrier, both to hiring and to moving people around once they are in government.
  • Within the group, establish job series for key types of occupations. A small number of series that address the major types of occupations would simplify classification, hiring and ongoing talent management.
  • Issue dramatically simplified job classification guidance for the new occupations. The current job classification process is a mess. We do not need hundreds of series with classification standards that become obsolete by the time they are published. It is bad enough for work that does not change rapidly. It is unacceptable for dynamic occupations like these, where the technology is constantly changing.
  • Establish a government-wide steering group of cybersecurity, digital services and human capital professionals to work with OMB and OPM on issues related to these critical occupations. One problem with many excepted service jobs is that they are administered differently by every agency. Because these are positions most agencies have, the overall structure should be governed by a steering group that ensures a reasonable degree of consistency, but allows agency-specific rules where needed. Having some degree of consistency would make moving among agencies easier and might help the government retain the talent longer. The steering group should strive to develop a process that can reduce the time from initial contact to job offer to days, rather than the weeks or months it now takes. Using a steering group to drive the process should also make it possible to make progress much more rapidly. It currently takes OPM 2 to 3 years to write a classification standard.
  • Develop more modern screening methods for applicants. The current questionnaire process produces a lot of useless questionnaires that turn off applicants and produce poor results for agencies. Better assessments, including approaches such as serious games that evaluate an applicant’s problem-solving abilities, would improve the process and not be such a deterrent to applying for a Federal job.

We have been talking about these problems for far too long. While we have debated what to do and made, at best, baby steps toward a solution, the private sector has focused on recruiting cybersecurity and digital services talent. The government is not only not the employer of choice for these folks, it is not even a consideration for many of them. That has to change and change soon.
