Unions play watchdog – and roadblock? – roles in OPM disaster

Federal labor unions are holding OPM accountable and fighting for workers after breaches exposed personal data – but did union bargaining help leave government systems vulnerable in the first place?

One set of voices has emerged as loud as any on Capitol Hill in the aftermath of the Office of Personnel Management breaches: the voices of union leadership.

Federal employee labor unions have taken up the role of Uncle Sam’s watchdog, grilling OPM leadership and demanding improved protections for the millions in the federal workforce whose personal information was exposed in the hacks.

But as unions rip OPM for its cybersecurity failing, another question remains: Has the threat of collective bargaining handicapped federal agencies’ ability to protect their networks?

Holding OPM accountable

The chorus of union challenges may have been loudest one week after the first OPM breach was made public.

On June 11, American Federation of Government Employees President J. David Cox penned a scathing letter to OPM Director Katherine Archuleta accusing the agency of "abysmal failure" and skewering OPM’s proposed credit monitoring offering through contractor CSID as “entirely inadequate” and a “half-measure.”

Colleen Kelley, president of the National Treasury Employees Union, chimed in before the House Committee on Oversight and Government Reform, testifying about the scope of the possible damage done to the federal workforce.

She noted that some union requests – such as allowing federal workers to use government computers to set up their credit-monitoring service – have been granted by OPM. But she told FCW that other requests, including having CSID cover every account for every affected fed – rather than the current limit of five accounts – have gone unheeded.

“NTEU has a critical role to play in ensuring that employees are protected and that they are receiving the maximum amount of information, consideration and protection possible from OPM and their agencies,” Kelley said in a statement to FCW. “Federal employees are required to provide their employer with a significant amount of personal information and the employer should do everything within its power to guarantee that information is protected.”

Federal unions have also played a substantial role in publicizing actionable information about credit monitoring and the breaches’ scope to federal workers.

The trouble with bargaining

When it comes to the OPM breaches, federal employee unions are doing “exactly what unions are supposed to do,” said Bill Wiley, president of the Federal Employment Law Training Group: “Publicizing things that are harming federal employees, and promoting things that would help.”

But could unions bear some responsibility for poor federal cybersecurity?

Typically, internal security falls under the umbrella of “management rights,” meaning management can alter security without going through the unions, Wiley noted. If, however, unions can identify ways in which security changes affect “working conditions” – having to train on new computers, for example – then the bargaining door gets opened up and it might not close for a while.

“There’s not an automatic outside limit on how long you have to bargain,” Wiley noted. In many cases, “Bargaining goes on for freaking ever.”

Immigration and Customs Enforcement officials said ICE experienced union obstruction of cybersecurity initiatives firsthand.

In February 2011 ICE noticed an “uptick in mail infections and privacy spills,” which it soon traced to ICE employees accessing personal email services on their government computers.

ICE promptly banned personal email access from work computers, but AFGE filed a grievance and the case made its way to the Federal Labor Relations Authority.

In their July 2014 decision, two of the three members of the FLRA determined that ICE had erred: Union bargaining should have preceded the personal email ban. “Collective bargaining is wholly compatible with management’s right to determine internal-security practices” despite the “time-sensitive information-security threats” agencies face.

FLRA member Patrick Pizzella dissented strongly, arguing that the majority’s decision “effectively undermines a key component of the Federal Information Security Management Act (FISMA) – the responsibility for senior agency leaders ‘to secure their information and systems, identify and resolve current [information technology (IT)] security weaknesses and risks, as well as protect against future vulnerabilities and threats.’”

A history of government breaches, Pizzella said, spoke to the need for quick, flexible cybersecurity postures.

“It is obvious to me (after having served for seven and a half years as the CIO at the U.S. Department of Labor) that neither the [FLRA] nor the [arbitrator who initially sided with the union] possesses the specialized knowledge or expertise that would permit us to decide when a federal agency ought to address specific security risks or permit us to second guess how that agency should exercise those responsibilities,” Pizzella wrote.

Pizzella declined to be interviewed for this story, but his dissent speaks plainly enough: “Imposing on the Agency an obligation to bargain, under these circumstances, is akin to applying the trouble-shooting guidelines from the owner’s manual of a 1978 IBM desktop PC to a 2012 Apple MacBook Pro.”

Bargaining into the breach

Collective bargaining “really is a competition,” Wiley noted. “Unions are fighting for the interest of federal employees, they’re not particularly concerned with the running of federal agencies.”

Unions will seize any chance they can to bargain, Wiley said, and the dynamics of private sector bargaining that could speed negotiations are lacking; with public sector unions, “they can’t strike, and management can’t lock them out.”

OPM spokesman Sam Schumach would not specifically comment on whether unions help or hurt agencies’ cybersecurity posture.

“OPM continues to have very strong relationships with the unions that represent our federal workforce,” Schumach told FCW, promising to continue to work with unions throughout the breaches’ aftermath.

While unions have been outspoken about OPM’s failings, they are not jumping at the chance to discuss their own role in cybersecurity arrangements.

NTEU’s Kelley initially declined to address the question of whether union bargaining could hinder cybersecurity measures.

When asked a second time about the potential problem, she responded, “Union activities have not stood in the way of cybersecurity improvements.”

A National Federation of Federal Employees spokesman said no one at his union was available to comment, and AFGE, despite Cox’s outspoken letter, did not respond to multiple requests for comment.

But Cox’s June 11 letter specifically mentioned the issue at hand – using work computers to access personal email – and contained a promise for the future.

“[I]t is crucial that all agencies be instructed to meet their collective bargaining obligations related to this breach,” Cox told OPM’s Archuleta. “AFGE will issue demands to bargain for represented workers, and we ask that you make certain that management is apprised of its responsibility to respond appropriately.”