The massive data breach at the Office of Personnel Management, in which hackers stole personal information on nearly 22 million federal employees, retirees and contractors, has already been called one of the largest cybercrimes ever carried out against the U.S. government.
So it may come as no surprise that the hack -- and OPM’s management of IT security both before and after it -- has now ended up in a new compilation, “Federal Fumbles: 100 Ways the Government Dropped the Ball.”
The report, issued by Sen. James Lankford, R-Okla., aims to take on what his office characterizes as government waste, frivolous spending and other federal management mishaps. For many years, Lankford’s predecessor, Sen. Tom Coburn, released his own annual report tallying up purported evidence of Washington profligacy.
On the OPM breach, Lankford’s report cited the far-reaching impact of the stolen information.
“The federal government still does not know -- and may not know for years to come -- the extent of the damage done by the massive OPM breach,” the report stated.
Beyond monetary costs, “Perhaps even more troubling has been OPM’s failure to heed multiple warnings to fortify its security systems that house federal workers’ personal information, which demonstrates a fundamental failure by the federal government to protect the identities of its own workers and their families,” the report stated.
OPM has spent upward of $150 million in the wake of the breaches to provide identity-theft protection services to affected employees. But Lankford’s report says that may still not be enough.
“It is too early to say whether these measures were sufficient to protect federal workers from identity theft as a result of the breach -- after all, the attack’s perpetrators could use, sell, or dump the stolen information at any time,” the report stated.
Every fumble listed in the report also comes with a set of recommendations or steps agencies should take to “recover the ball.” For example, last month, the Senate passed comprehensive cybersecurity legislation, designed to make it easier for private companies to share cyberthreat information with the government.
Lankford’s report also says OPM should direct its employees to change passwords more frequently and require more stringent authentication standards, steps the Obama administration has already initiated governmentwide with its 30-day cybersecurity sprint. During that exercise, OPM raised the share of employees required to use multifactor authentication to log on to agency networks to 97 percent.
But should any of the blame for the fumble be shared with penny-pinching lawmakers?
In the aftermath of the OPM hack, Republicans on the Senate Appropriations subcommittee with oversight of OPM’s budget blocked an extra $16 million “emergency” funding measure that would have allowed the agency to accelerate a top-to-bottom IT modernization and to migrate outdated, vulnerable computer systems to a more secure architecture.