Unfortunately for Office of Personnel Management Director Katherine Archuleta, she was at the switch when one of the biggest hacks to hit the federal government occurred late last year and early this year. It surprised no one when she resigned July 10.

One breach made off with the personnel records of 4.2 million federal employees; the other affected the background information of 21.5 million people.

Federal officials have pointed fingers at China as the culprit, making this a serious national security concern.

Hopefully, Archuleta's public trial by fire, leading to her resignation just a day after declaring she would not resign, made all federal agency leaders squirm.

If federal managers and leaders didn't realize it before, they must surely understand now that cybersecurity is not an esoteric matter that can simply be delegated to their agency CIOs and CISOs and forgotten about.

Most federal agencies possess information that could be exploited in harmful ways by an adversary or criminal. Federal leaders, and not just their CIOs, must be aware of what sensitive information they possess, how it might be exploited by adversary nation-states, how much of it is Internet-facing and how well it is protected. They must build a respectable plan to protect that sensitive information and make a convincing case to the Office of Management and Budget and to Congress to secure the necessary budget to make it happen.

Ultimately, the solution often does come down to money. None of this is cheap, but that can't be an excuse for inaction or insufficient action. The stakes are too high, as we see at OPM.

The recently passed Federal Information Security Modernization Act of 2014 empowers the Department of Homeland Security, the overseer of cybersecurity across the dot-gov domain, to compel agencies, through "binding operational directives," to take specific cybersecurity steps in the face of known or suspected security threats. Key questions will be how these directives will be used and how the needed budgetary resources will be freed up to execute them.

Congress has held several hearings on the OPM breach. A good next step by lawmakers would be to examine where other major vulnerabilities exist. They should demand an agency-by-agency accounting of the government's most sensitive information, the protections in place for those networks and databases, and the price tags needed to get them to an appropriate level of security. This risk-management-based approach should help ensure that the pockets holding the most sensitive government information are prioritized and afforded adequate levels of modern cybersecurity features and protections.

Meanwhile, Archuleta — and her predecessor John Berry — have much to explain about OPM's latest breaches. They were not the first. Nor even the second.

Yet, OPM's leadership has clearly failed over the years to take cybersecurity seriously.

How else can one explain the fact that OPM does not have a capable continuous monitoring system in place? Or that it has failed until now to install encryption features, two-factor authentication access and other cybersecurity features that have previously been recommended? Or that 11 out of 47 of OPM's major IT systems are not approved, as required, as meeting applicable security standards?

OPM Inspector General Patrick McFarland said at one recent hearing that some of the problems affecting OPM's cybersecurity posture today were identified as far back as 2007. "We believe this long history of systemic failures to properly manage its IT infrastructure may have ultimately led to the breaches we are discussing today," he said.

Top leaders of all federal agencies, OPM included, must understand the strategic imperative of ensuring robust security of their critical information assets ... before it's too late.

Steve Watkins is a contributing editor.
