Editorial: The feds’ hacking hypocrisy is glaring
The federal government’s criticism of private companies’ cyber security is glaringly hypocritical in light of the recent data breach at the Office of Personnel Management that compromised the personal data of millions of federal workers.
The federal government likes to talk tough about the cyber security of private corporations. In 2012 the Federal Trade Commission sued the Wyndham hotel chain for “unfair business practice” because the agency considered the chain’s security of customer data to be neglectfully poor, part of a string of such prosecutions over cyber security practices.
But the security within OPM’s computer systems was also egregiously poor, and if it were a private company instead of a government agency, the FTC would have targeted the agency as well.
A 2007 report by OPM’s inspector general warned that its computer systems had serious vulnerabilities. Last year, the inspector general urged OPM to shut down a number of systems that still didn’t meet current security protocols. OPM ignored the inspector general’s warnings and kept the vulnerable systems running.
According to OPM, its systems were first breached in December 2014, but it didn’t become aware of the problem until April of this year. The hacker, believed to be the Chinese government, stole the personal information of current and former federal employees, including Social Security numbers and security clearance status.
With this information hackers could pose as federal employees to break into government systems. This data breach could also endanger American diplomats stationed abroad.
Currently, official numbers indicate 4.2 million employees were affected, but a House Oversight Committee aide says the number could potentially be much larger.
In a hearing before the oversight committee, OPM Director Katherine Archuleta said that in the past year the agency had taken “an aggressive posture to update cyber security.” But this claim falls flat considering the office hadn’t encrypted the personal information of federal workers. Encryption is completely achievable even on computers as old as the ones used by OPM.
The missteps at the personnel office clearly indicate the government is little better at protecting sensitive data than are the companies it is prosecuting for non-compliance.
Cybercrime is a serious threat, and the federal government is right to set standards for the protection of sensitive data in the private sector.
But it should also make sure it is meeting those standards itself.