The Office of Personnel Management’s recent disclosure of a massive cyber breach highlights the risks of systems that contain Personally Identifiable Information (PII). OPM is a target for these types of attacks because it houses enormous amounts of PII. The nature of OPM’s work is such that it is impossible for them to avoid storing PII on everyone in the Federal government and on all Federal retirees. OPM maintains health and life insurance and retirement systems, along with a massive database of background investigation data. Their mission ensures they are always going to be a target.
OPM is not the only Federal agency that maintains large stores of PII. Every agency has to have records on its employees. Those records include name, address, date of birth, social security number, names of their immediate family members (on beneficiary forms), places they have previously lived (in investigative records and payroll/personnel history files), and much more private information. In fact, virtually every bit of information someone needs to steal the identity of a Federal employee, ruin their credit and cause massive disruption to their lives is sitting in Federal human resources systems.
The amount of PII housed by human resources organizations might lead one to ask, "How many cybersecurity employees do most HR organizations have?" The answer might surprise most readers, because it is none. Agencies typically rely on their Chief Information Officer and security staff, along with the Federal Bureau of Investigation and the Department of Homeland Security, to provide the services needed to protect data and recover from breaches. They generally assume the providers of the systems they buy will ensure those systems are secure. While it is clearly not the mission of HR to provide cybersecurity services, it is their mission to guard the PII they obtain from employees. We should rethink how HR approaches this responsibility and consider placing assets from the Chief Information Officer's team (or whichever organization the agency assigns cybersecurity to) in the HR office. Embedding some of those resources in the HR team (while organizationally remaining attached to the CIO) will give them a far better picture of the types of data being gathered, how it is used, and what is happening to it.
We have to accept the fact that the cyber realm is the next great battlefield. So much of our world is now driven by information technology that it has become a highly effective method of attack. Bad actors, whether they be states or criminals, are going to continue to find ways to exploit weaknesses in systems. There is no way to avoid having large stores of data, and there is no way to guarantee they will never be hacked. We cannot have perfect cybersecurity, but we can have effective cybersecurity. Agencies that view cybersecurity as nothing more than a compliance exercise, where they make certain their employees complete a few minutes of annual training and install updates as vendors provide them, are putting themselves and their workforce at risk.
That workforce risk is substantial. Although agencies generally worry more about mission systems than workforce data, the harm that can be caused to employees is a mission risk. If employees are worried about their financial and personal information being disclosed, they may be less productive or unwilling to remain in government. If deeply personal information included in security questionnaires is stolen, they may be subject to blackmail. If their identities are stolen or they suffer financial harm, they may be more susceptible to being lured into disclosing agency information for money. Disrupting the workforce could be a very effective means of disrupting an agency's operations. The OPM breach highlights the risk of HR systems and may encourage others to go after employee data. The number of HR systems is mind-boggling. In DHS alone, in 2011 we had almost 400 different HR systems. While not all of them contained PII, many did. Agencies must ensure they are using the most current tools and practices for intrusion detection and response, identity management, credentialing and access management for any HR system that includes PII. HR systems need to be treated as the mission-critical systems they are.
If we recognize the certainty of continued cyber attacks and the likelihood of another breach, what can we do to reduce the risk of personal harm? Obviously better cybersecurity is the first step. Agencies have to do a better job of protecting the information they gather and produce. Because we know breaches will still occur, we need to do more to help employees be prepared. That means securing employee data and providing employees with the training and tools they need to protect themselves. Here are three steps that would move us in the right direction:
- Disclose breaches as soon as it is operationally possible to do so. The breach at OPM occurred in December 2014, was discovered in April 2015 and was disclosed in June 2015. Agencies may have legitimate security reasons for not immediately disclosing a breach, but delays in disclosure must be based on security risks and not on political and public relations concerns.
- Provide better training to employees to protect their own data and to recognize the threats that follow when their PII is stolen. For example, most people use simple passwords and reuse the same password in every system they access. If their credentials are stolen from one system, the thieves have a head start on accessing other systems because they already have the employee's reused password. Bad actors will continue refining their approaches, but that does not mean we have to hand our information to them on a silver platter.
- Provide ongoing credit monitoring services for all Federal employees. Because they work for the United States government, Federal workers will always be in the crosshairs of our enemies. They cannot refuse to provide PII to their employer, and the steps they can take on their own to protect data are limited. Credit monitoring does not protect data, but it does help employees to discover the threats to their financial security that data theft can produce, even when a breach has not been discovered or disclosed.
Cybersecurity is an ongoing concern that will never go away. As our dependence on technology grows, so will the efforts of people with bad intent. Federal workers need to know that their employer is doing everything that it can to protect their information and has taken steps to protect them from data theft even when the government does not know it has happened.