Abstract
One of the national challenges facing the US is protecting its federal network, systems, as well as information. The Federal Government has been a victim to several intricate, properly financed, and persistent cyber intrusions. OPM, which forms the basis of discussion for this paper, is the president’s manager and consultant for issues pertaining to human capital. It manages the country’s most crucial asset, that is, the citizens.
Although the government has highlighted the need to eliminate invasion, various setbacks tamper with its efforts towards averting cyber threats. In fact, the recent intrusion is a clear indication of how much a disaster cyber intrusion is to America. Therefore, to guarantee the security of data, there is the need for the initiation of change process to ensure the adoption of up-to-date information technology approaches and best practices.
Introduction
On June 4, 2015, OPM disclosed that it had been a victim of cyber invasion (Pacifici, 2015). More than 4.2 million federal employees were affected by the data breach with private information such as health information, username, and passwords being compromised. OPM further revealed an isolated cyber intrusion later in June where confidential information of about 21.5 million people was stolen, particularly in relation to housing background investigation (Finklea, Christensen, Fischer, Lawrence, & Theohary, 2015). Moreover, intrusion is part of a long list of cyber invasion against OPM and information and network systems whose infrastructure must be renovated to not only protect data for personal protection, but also national security.
OPM ensures that institutions that deal with human capital shape them in a manner that people can provide and utilize their skills and understanding to meet the needs of Americans and the government. Other than ensuring submission to the personal rules and regulations, it also offers retirement and medical benefit. The agency is of great significance to Americans. Hence, any interruptions in its systems are bound to cause serious setbacks for the country.
Yet, the OPM breach was the largest cyber intrusion into government data systems (Fowler, 2016). News concerning the breach account that the intruders accessed confidential data such as Social Security Numbers and job details. The second attack saw the hackers access even more sensitive data such as fingerprints. This tragic attack follows a backdrop of cyber assaults aimed at OPM databases. In fact, in 2014, a similar attack had been targeted to systems that contained clandestine security approvals (Finklea et al., 2015).
The OPM cyber intrusion was discovered by the Department of Homeland Security (DHS) Einstein system, which is designed to detect potential internet attacks. Investigations disclosed that the perpetrators used forged security passes to access the OPM systems (Pacifici, 2015). Officials who are in charge of investigating the matter have been reluctant to name the perpetrators. Influential leaders have associated the assault with China. It may turn such a security into a political exchange (Fowler, 2016). As expected, China has not overtly refuted the claims but has encouraged the joining of forces with other international communities to overcome the vice.
The intentions of the attackers are still blurred. However, if China was responsible for the OPM breach, then possibly it could be intending to launch a huge database of the US human capital that can detect the US authorities and their responsibilities (Pacifici, 2015). Furthermore, the data may be used to send emails to fool several targeted victims in an attempt to lead them to a particular link. The stolen Social Security codes may be used for fake identities. Biometric data such as fingerprints may also be used for criminal purposes. A more exacerbating reality is that they cannot be reissued (Fowler, 2016). Succinctly, the implications of the OPM breach are massive. Indeed, the resignation of the director of the agency was a clear signal of reforms and infrastructural developments that OPM requires to fortify cyber security.
Challenges Experienced by the OPM
The two recent cases of cyber invasion at OPM imply that indeed the agency faces serious challenges with respect to securing data systems. The current challenges stem from the setbacks the federal government suffers with its cyber security strategy (Government Accountability Office, 2015). The primary challenges that it experiences as an agency in the federal government are outlined in the subsequent paragraphs.
Foremost, there are faults in how risks are assessed, including the designing of an executing cyber-security control, as well as evaluating results. In particular, it is reported that material flaws or a notable deficits in internal controls with respect to monetary reporting caused shortcomings in data security systems (Government Accountability Office, 2014).
Secondly, no proper strategy has been established for angling cyber treats that affect building and access computers. There is the need for OPM to initiate efforts towards monitoring the treats that cyber intrusion poses on building control systems. There are also laxity-supervising contractors offering IT services (Pacifici, 2015). The inconsistency in overseeing the IT contractors creates loopholes that hackers can exploit.
Another major shortcoming is the lethargy in responding to cyber incidents. OPM currently lacks the ability and infrastructure to s respond to cyber incidents. Subsequently, the shortfall implies that intruders have ample time to gain access and/or exploit sensitive information before such that by the time the invasion is dictated, the damage is irreparable (Fowler, 2016). The OPM data breach lasted for about four months before it was detected.
Equally, the agency has been erratic in adhering to the guidelines for securing Personally Identifiable Information (PII) as provided by OMB. There is the need for OPM to reconsider how it handles PII. When the Research and Technology Subcommittee and the Oversight Subcommittee conducted a joint hearing, a witness alluded that OPM disregarded policies that guide the protection of PII (Finklea et al., 2015). Consequently, it exposed sensitive data belonging to every non-military federal worker. Indeed, as a federal agency, the failure to handle the mentioned challenges has increased its vulnerability to cyber security incidents.
Federal Data Intrusions of 2015
Fraud and Criminal Consequences
Cybercrime is condemned both nationally and internationally. Various international legislations and conventions have been assented to help in the fight against cyber-attacks. The United Nations General Assembly has approved a number of resolutions with respect to cybercrimes (Federal Bureau of Investigation, 2015). The US and China have also held top-notch meetings to discuss how to curtail cybercrimes.
The meeting ended with the drafting of a document that offers guidelines that respond to cyber assault cases (Pacifici, 2015). At the national level, the US also has the Computer Fraud Abuse Act (CFAA), which protects federal control systems from intrusion or committing fraudulent objectives. However, since most cyber assaults are likely to be perpetuated by foreign criminals, cooperation from the country hosting the criminals is paramount.
Investigations of OPM data breach reported that the suspected intruders were from China. Initially, although China did not explicitly refute the accusations, it also disregarded it and further affirmed its commitment to cooperating with other states in eliminating cybercrime. The Chinese government reported that it arrested hackers suspected to have been involved in the OPM data breach. The suspects were apprehended prior to President Xi Jinxing of China visited the US in September (Fowler, 2016).
This case came amid the building tension between the two strong economies as the US issued threats of economic sanctions against Chinese businesses, which benefited from the vice. The names of the accused were however withheld. The US government remains uncertain whether the suspects could have been sponsored by the Chinese authorities (Pacifici, 2015). It is believed that when the Chinese officials met with the US Attorney General and Homeland Security secretary, among the agenda of the meeting was how to develop a guideline for probing mischievous cyber incidents and reprimanding offenders, OPM being one of such occurrences.
If the suspects are eventually detained, it will be first sin of accountability from the intrusion, which exposed millions of PII (Fowler, 2016). Nonetheless, the report issued by the Chinese authorities is imprecise with respect to the hacktivists arrested and whether they were indeed the perpetrators involved in the largest cyber intrusion in the US history (Finklea et al., 2015). Keeping identity of the suspect anonymous has increased the suspicion that the Chinese government, particularly the Ministry of State Security, might have been involved in the data breach.
Meanwhile, as the investigations of OPM data breach suspects proceeded, the Federal Bureau of Investigations (FBI) was cracking down on a notorious shopping center for cyber criminals known as Darkode (Federal Bureau of Investigation, 2015). Several other federal agencies struggle with protecting their databases from malicious intruders. The FBI successfully infiltrated and arrested the culprits dealing with Darkode and eventually taking over its domain and servers. About twelve suspected individuals were indicted for involvement in the crime as other suspects from other countries were prosecuted in their local justice system (Government Accountability Office, 2014).
The achievement of the mission tagged Operation Shrouded Horizon was a notable effort towards averting federal cyber intrusions. However, the existence of law to reprimand offenders is not likely to be the most favorable means for fighting cyber criminals. Instituting strong infrastructure supervised skills managers would be effective in dealing with persistent malicious cyber assaults (Federal Bureau of Investigation, 2015). In fact, although legal proceedings may be filed against offenders, agencies that expose themselves to cyber attackers are likely to suffer if they lose class actions brought to court on the grounds of negligence.
Effects on Federal Employees Who Were Affected Both in Past and Present Confidence
One of the most significant consequences of cybercrimes relates to the loss of sensitive information to malicious individuals. In the case of the Office of Personnel Management, the federal employees’ sensitive information such as Social Security Numbers, Birthdates, and addresses of current and former federal employees was lost. Such information can be used to create fake profiles that the hackers can use to replicate credit cards and other documents that can be easily used to commit crimes implicating the federal employees (Finklea et al., 2015).
Further, such information can be used to commit crimes locally and internationally. However, in most instances, cybercrimes always cause more damages than initially thought when it were discovered (Fowler, 2016). For instance, the case OPM is an important case study into this phenomenon. Although it was initially thought that only the basic information had been lost, it was later discovered that the hackers had also gained access to the highly confidential SF-86 forms, which are documents that contain confidential background checks for the security clearances of federal workers (Finklea et al., 2015).
The documents contain a wealth of information such as fingerprints, as well as information of spouses, relatives, close business associates, and friends among others. Such information is highly classified. It can be used to create strong fake profiles of the affected federal workers for committing crimes. In addition, the information can be used to target the family members and friends in the United States and across the world.
The breach of confidentiality also poses the state and the federal workers to the risk of blackmail. For instance, with the accessibility to highly confidential information contained in SF-86 Forms such as past criminal, sexual, and contacts with diplomats and other people both within and outside the country, the risk of blackmail is very high (Pacifici, 2015). It can be very easy for criminals to blackmail federal workers for ransom or for release of confidential information (Fowler, 2016).
For example, since the federal workers have access to highly confidential information of the government, they can be blackmailed with threats to their spouses, children, or friends into releasing such information. In addition, the information can be used for extortion purposes where employees are blackmailed with highly secretive information about themselves and the threat of such information being released to the public or to their family members.
The information can also put foreigners who have worked with the government confidently on jeopardy (Fowler, 2016). For example, if the Chinese government gains access to some Chinese diplomats who have secretively worked with the federal workers, such information can be used for purposes of punishing the diplomats in their home countries (Federal Bureau of Investigation, 2015). As such, the loss of confidentiality and the risk associated with the loss of sensitive information is the major effect that has faced federal workers at the Office of Personnel Management.
Legal Suits and Effects on OPM and OPM Employees’ Images
The loss of massive confidential data was a major blow and a breach of contract on the part of the government on its mandate to protect such data from unauthorized access. The role of the OPM was to ensure that all the confidential information that employees provided was kept confident and securely. Following the breach, more than seven legal suits by employees and employees’ representative organizations have followed demanding damages for the loss of such confidential data.
Indeed, according to legal experts, the affected parties have a legal basis for suing the government for breach of contract (Fowler, 2016). The Privacy Act of 1974 places an obligation on the federal agencies to safeguard the information that they collect. Further, it also provides legal avenues for people to use the institutions that fail to protect information in their hands.
However, the effects of such legal suits raise controversies on whether they have any significant effect on the Office of the Personnel Management from a legal standpoint. Firstly, the OPM has not accepted any liability for the breach of contract. This case may spell doom on the lawsuits. The reason is that the 1974 Act is silent on how to handle cyber-attacks since at the time of its inception, cyber threats were not significant (Government Accountability Office, 2015). The Act only prohibits the deliberate revealing of the information by the government to unauthorized individuals (Federal Bureau of Investigation, 2015). Since hacking is not a deliberate revelation of confidential information, then it is a major challenge to prove that the OPM was liable for the loss of such information to hackers.
On the other hand, the consequences of the hacking to the OPM and the employees are likely to be very adverse. For instance, the confidence that had been placed on federal institutions and their ability has been eroded, thus ushering in a new era where there is more debate on the security of confidential information in the hands of government agencies (Fowler, 2016). However, the debate is likely to lead to massive changes on the Privacy Act of 1974, which falls short of addressing emerging issues relating to the protection of sensitive data by the government in the light of the cyber technology of the 21st century.
Such discussions and reforms are therefore going to make the protection of data a more central tenet of any government agency (Pacifici, 2015). Further, it will make it easier for federal employees to place lawsuits on the government in the event of breach of confidentiality. On the employees, they can do little on this matter. The effects of losing their confidential information will last them a lifetime (Government Accountability Office, 2014). In other words, nothing can be done to undo the damage that has occurred apart from taking more precautionary measures to ensure that such information is not used to perpetrate fraud and other crimes.
Recurrent Cyber Breaches throughout the Government due to faulty Security Measures
The attacks on the Office of Personnel Management were the most significant on a federal agency in the United States. With data of more than 21.5 million compromised, it highlighted the dangers of cybercrimes and the risk it poses to the government, private institutions, and individuals. However, it is worth noting that the attack on OPM was not the first attack on the US Federal Agencies (Fowler, 2016).
Further, it only highlighted the slow action on the government to take protective measures against a backdrop of cyber-attacks targeted at government institutions. In other words, the incident was not without precedence. Indeed, there have been numerous cyber security breaches not only from China but also from across the world, a fact that the government is fully aware (Government Accountability Office, 2015). Indeed, the security vulnerabilities for the system at the agency had been noted since 2007, yet no considerable action had been done to rectify the weaknesses (Fowler, 2016).
There have been many incidents of hacking targeted at government agencies, especially in the 2013 to 2015 period. Some of the attacks have been successful while others have not. Regardless of the outcomes of such attacks, it forms a strong case for the government to take a proactive role in improving the security of its systems, thus protecting data held by such institutions in confidence (Pacifici, 2015). For instance, between 201-2014, unknown hackers gained access to the computer systems of the US Nuclear Regulatory Commission (NRC).
However, it was never revealed whether any classified information was stolen (Fowler, 2016). In January 2011, two or three hackers infiltrated the Department of Defense (DOD) Pharmacy’s Pharmaco Economic Center (the prescription drug database). The hackers managed to bring down the system for a whole day and even tried to sell the root access to the domain for $400. In May 2012, the US Army Corps of Engineers’ National Inventory Dams Database was hacked by Xiafen ‘Sherry’ Chen, an employee of the National Oceanic and Atmospheric Administration (NOAA) (Government Accountability Office, 2014).
The hacker accessed and downloaded restricted and sensitive files from the National Inventory of Dams. In September 2013, Iranian Hackers breached the unclassified intranet of the US Navy Marine Corps. The intranet was used to host websites and store non-sensitive data, information, and communication for the Department of Navy. The hackers managed to make surveillance on the system, although it is not known whether any information was lost (Finklea et al., 2015). It took more than four months to deter the hackers, which is evidence of the weaknesses of the system at the time.
Other major hacking cases were evident during the time. They clearly show the government’s laxity in addressing the security weaknesses in its systems. For example, despite the previous attack on the DOD’s Pharmacy systems in 2011, the necessary actions were not adequately taken. The main DOD system fell to hackers between October 2012 and January 2013 (Finklea et al., 2015). During the attack, the anonymous group infiltrated the Multiple Army Systems such as the Army Network Enterprise Technology Command Center and made away with confidential information of over 1,000 individuals (Fowler, 2016).
They also accessed the Army Material Command where they accessed non-public data. The Army Corps Engineers server was also hacked having a non-public data on natural resource management and information of thousands of Corps employees in Vicksburg, Mississippi. Other areas that were breached at the DOD include The Plans and Analysis Integration Office, The Fort Monmouth Army Corps Engineer Research and Development Center, the Army War College’s Strategic Studies Institute, and the Missile Defense Agency (Fowler, 2016).
The above hacking instances are not complete. More than 600 successful attacks were targeted on government agencies during the period. Despite the vulnerability issues that are evident in the government agencies’ systems, there has been laxity in addressing them (Pacifici, 2015). Further, there have been consistent faulty security measures that are only curative as opposed to preventive. In other words, the government’s response to the attacks has been majorly responsive, only waiting for new hacking to take place to implement new corrective measures (Fowler, 2016). Therefore, it is important for the government to take a more proactive role in preventing the hackings by investing more on improved computer systems and technologies to secure the systems.
Political Attacks
Possible Corruption in the Government
Cybercrimes are undertaken for many reasons, including political or financial gains. In most cases, attacks on government agencies are mainly political as is the case with the OPM Data Breaches (Finklea et al., 2015). The attacks that were perpetrated by Chinese Hackers are part of an increasing trend where governments are financing cyber-attacks against each other to access important espionage advantage over each other. The United States has very many enemies such as China and Iran among other countries that are unhappy with the former country’s actions across the world (Fowler, 2016). As such, such attacks may increasingly show political intolerance by other countries and their sympathizers towards the US’s policy on a myriad of activities on the global arena.
Another important area that needs to be investigated is the possible corruption in the government that has derailed the adoption of better security systems. For instance, it many cases, it is difficult for hackers to access the system’s data without the help from insiders (Fowler, 2016). If such a theory is proved, then it will mean that there is a need for more investigations to be undertaken to decentralize the control of information from one or few individuals who can be compromised to leak confidential information that can be used to gain access to databases in the federal agencies’ systems.
Controversial Decisions
The recent major data breach on the OPM is the culmination of many controversial decisions that have been made with each attack that has been successfully committed on the agency (Fowler, 2016). For instance, since 2007, the Inspector General has warned the OPM of the loopholes that were evident on its system when they needed to be rectified, yet no action was undertaken to correct the weakness.
Such lack of action or poor decisions on the part of the agencies’ leadership shows how the stage was set for the explosive data security breach facing the agency (Government Accountability Office, 2015). In addition, the chief executive officer of the organization further refuted the blame and instead transferred the problem to the whole government. Such a decision to deny liability is classic case of ensuring that no one within the agency can be accountable to the actions of commission and omission by those in leadership at the institution.
Alternative Solutions
High Standards that Pave the Way for the Highest Levels of Data Security
It is without doubt that there is the need for new standards to guide how the handling of data in government institutions is undertaken. From the evidence provided above, the federal agencies have been very slow in taking proactive measures in protecting data and information from confidentiality (Federal Bureau of Investigation, 2015). As such, for the government to ensure high standards of data security, it must adopt high standards of contacting its activities.
Firstly, one of the major weaknesses and hindrances to the protection of data in the government relates to legislation. In other words, although the Privacy Act of 1974 mandates the government with the role of protecting data and information from unauthorized access, it does not cover cyber threats and attacks. In this case, there is the need for the government to champion for the adoption of new legislations that push for the federal institutions to take more actions in ensuring data security in the 21st century at a time when there are more threats from the cyber technology (Pacifici, 2015).
Although the US Computer Fraud and Abuse Act (CFAA) is very ruthless when it comes to handling and punishing cyber criminals, its mandate is unfortunately reactive. It offers very little incident of deterring criminals. Indeed, since most attacks are carried from overseas locations, such individuals are not aware of the provisions of the Act (Fowler, 2016). Further, since the attacks are carried anonymously, sometimes without leaving a trail, it becomes very difficult for the criminals to be apprehended.
Secondly, to have high standards of handling confidential data, there is the need for the federal agencies to invest more on data security technologies. It is unfortunate that the OPM did not have IT personnel until 2013 (Pacifici, 2015). Such recent recognition of the importance of IT at the federal agency reflects the low value placed on Information Technology in many government agencies.
In this case, there is immediate need not only to have IT personnel but also to have adequate resources dedicated to the development of data security in the organizations. To achieve the above goals, there is the need for the government to engage both local and international private organizations and governments to adopt the best practices that will ensure high standards of data security (Fowler, 2016).
Once the above measures are adopted, the federal agencies will have high standards of data security to guarantee confidence on the respective computer systems (Pacifici, 2015). The legislation will guarantee more accountability and hence the will and desire for the government to take an active role in protecting confidential information.
Change Management
One of the most challenging areas towards ensuring better data security in government bodies touches on the resistance to change that characterizes such institutions. For example, the fact the OPM employed the first IT personnel in 2013, despite the more than decade existence and recognition of its importance provides evidence of such resistance (Fowler, 2016).
The institutions are characterized by the desire to retain the status quo by doing things the way they have always been done. Any changes are faced with major resistance and unwillingness of people to implement them (Finklea et al., 2015). It is important for the government to recognize the role of change management to ensure smooth transitions in the process of adopting new standards of data security management.
Firstly, it is important for the government to take stern measures that will lead to accountability. Such measures will lead to the adoption of security approaches that will reduce the risk of data breaches in the agencies (Pacifici, 2015). Secondly, there is the need for an audit of the personnel to guarantee that the right and qualified people are employed to guide the adoption of better security standards (Finklea et al., 2015). Without qualified personnel, it is difficult to ensure the adoption of security measures that can protect agencies from hackers who are highly skilled in computer technologies.
It is important to note that such changes cannot be successful without the correct legislation to give legal mandate on the IT department to protect confidential data from cyber threats (Fowler, 2016). In addition, the change should be dedicated to protective effects as opposed to corrective approaches that have been put in place in the current faulty data security measures (Pacifici, 2015). Adopting a preventive approach will ensure that IT departments are always on the lookout for trends in IT security while adopting such measures to stay ahead of hackers.
Conclusion
The Office of Personnel Management (OPM) data breach revealed major weaknesses in government’s resolution towards the protection of confidential data of employees and citizens. The data breach revealed many challenges faced by the agency in securing confidential information of its employees among other people in the population. For instance, there was an evident weakness in internal controls concerning monetary reporting. In addition, the lack of proper strategy to protect computers from cyber-attacks is another weakness that made it easy for OPM to be attacked. The slow response time on cyber-attacks is a major weakness on the part of the IT weakness at the agency. For instance, the attack lasted for more than four months before it was detected.
Reference List
Federal Bureau of Investigation. (2015). Cyber Criminal Forum Taken Down: Members Arrested in 20 Countries. Web.
Finklea, K, Christensen, M., Fischer, E., Lawrence, S., & Theohary, C. (2015). Cyber Intrusion into U.S. Office of Personnel Management: In Brief. Web.
Fowler, K. (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is not. Philadelphia, CA: Elsevier Science.
Government Accountability Office. (2014). Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cyber security of Public Safety Entities’ Emerging Technology. Web.
Government Accountability Office. (2015). CYBERSECURITY: Actions Needed to Address Challenges Facing Federal Systems. Web.
Pacifici, S. (2015). Handing Over the Keys to the Castle. Web.