In 2014, the IT infrastructure at the Federal government’s Office of Personnel Management (OPM) was upgraded from a security rating of "material weakness" to one of "significant deficiency," according to The Wall Street Journal's CIO Report. Which means that the OPM, even after upgrading to mitigate software risk, wasn’t up to snuff. That is - to put simply - unacceptable. It is also both a dismal and infuriating fact to learn - especially for those who were among the 21 million present and past Federal employees, revealed last week, to have had their Social Security numbers and other personal information stolen in the recent data breach.
Add onto this story of incredible technology mismanagement that in 2008, the government’s Inspector General recommended that OPM eliminate the unnecessary use of Social Security numbers. And yet those numbers remained on file, putting the personal information of millions of Federal workers at unnecessary risk.
There is a long trail at the OPM of management falling behind on best practices for technology, of falling behind on security measures, and of falling behind on implementing adequate resources for these IT efforts. Check out this laundry list, and shake your head as you do:
- A 2007 audit rated the government agency's security as one of "material weakness."
- OPM lacked basic security measures for its networks - like two-step authentication that is de rigeur for online banking sites. While 95% of OPM’s workstations employed multi-factor identification measures, guess how many of its 47 major applications used it? Zip. Squat. Nada.
- OPM failed to install VPN requirements that automatically logged users out after a period of inactivity. Not installing an automatic time out feature left the OPM network painfully vulnerable to hackers.
- A 2013 audit revealed a memo from the then-director, calling for the centralization of IT security duties. This had only been partially implemented by the end of the fiscal year. Budget restrictions were blamed.
- The following year, 11 of OPM’s 21 major systems due for security certification and authorization were running without either. These systems included key departments like human resources, finance, and investigative services. OPM was told to shut down these systems pending authorization, but they kept running.
To sum up these findings of mismanagement: they are the result of a tendency to push aside the importance to information technology security. We mentioned this trend in a previous post on the breach of electronic health records - health insurance companies spend on average only 3% of IT budgets on security, when they should be spending between 10% - 40%. Clearly, private and public sector organizations alike struggle with the pressures of security and technology.
What seems like pure negligence and incompetence at the OPM, signals to a deeper need that is not being addressed at many organizations: checking on the health of your applications. The OPM was given fair warning on their many failings. However, at other organizations, they may not have the visibility or measurement capacity to draw conclusions like those that the yearly audits at the OPM did. Looking back at the technical failures of last week, it would seem that neither the NYSE, UAL, nor the WSJ knew they had issues that could result in a freeze of their systems. Let’s say that those cases weren’t just computer glitches but the result of a coordinated attack on their systems – they wouldn’t have known what their vulnerabilities were because they had never stopped to look at what was going on in their applications.
This sort of blindness is dangerous – it threatens profits and it can even threaten people’s lives. As technology and business intersect, the livelihoods of more and more people are at stake: the government is currently examining how the personal information stolen from OPM computers could potentially be used to blackmail Federal workers.
You'd like to think that your government is taking more precautions to keep their own employees information from the wrong hands. Putting technology risk and visibility at the forefront of concerns would be the first step to improve the quality of business and government operations.
To read the full article from the WSJ CIO Report, visit here.