Americans will become even more reluctant to entrust themselves to the government’s electronic records because of the widening scandal of successful cyber attacks on the federal personnel agency, an expert in digital customer satisfaction says.
It will take time and vigorous marketing by the Obama administration and its successor to overcome the erosion of public trust in government websites such as HealthCare.gov, private sector analyst Rick Parrish told The Daily Signal.
“It raises the spectre that federal networks may very well be completely wide open and we don’t even know it,” Parrish said, adding:
I don’t know if that’s true. I don’t know if anybody knows that’s true. But people are talking about it in a way they weren’t talking about it two or three weeks ago. … Who would have thought that federal cybersecurity would be a barbecue conversation topic?
Ongoing congressional probes, ABC and CNN reported, show the most sensitive information on millions of federal employees who underwent security clearances was compromised by the hacking of records on 18 million or more individuals kept by the Office of Personnel Management.
“It’s going to continue to erode public trust in the security of their information on federal websites,” @forrester’s @RickParrishGCX says.
Analysts tend to agree the cyber assaults originated in China, though the Obama administration has not specified a suspect.
“This OPM attack is by far the worst we’ve seen so far and it’s certainly going to continue to erode the public’s trust in the security of their personal information on federal websites,” Parrish, a senior analyst at Forrester Research who is a former CIA analyst, said in an interview Wednesday with The Daily Signal.
“Even before this happened,” he added, “less than a third of people trusted the federal government with their personally identifiable information.”
Some estimates put the number of affected current, former, and prospective federal workers as high as 30 million, Fox News reported.
What astounded lawmakers and ordinary Americans alike is that the foreign-based hackers were able to steal not only employees’ Social Security numbers, addresses, and dates of birth but also delicate personal information collected in the process of granting security clearances.
“The situation was just waiting to happen,” @Heritage’s @SBucci says.
Espionage agents from China, Russia, North Korea or Iran would find details of a drug addiction, financial distress, psychiatric treatment or extramarital affair quite useful in approaching a federal worker in a sensitive post with the goal of obtaining details of government programs or policies, national security experts say.
One such expert scrutinizing the OPM hack is Steven Bucci, who oversees defense and foreign policy at The Heritage Foundation.
“The situation was just waiting to happen,” Bucci, an authority in cybersecurity who once was a top Pentagon official, told The Daily Signal:
Getting in is not too sophisticated, but the exploitation of it was very sophisticated. A very capable and determined adversary is very difficult to stop. China is both, and additional security measures should have been taken.
Even something as simple as an employee or family member’s favorite sports team or hobby could be used by a foreign spy as leverage to establish a relationship.
It’s not that the government doesn’t already know aspects of the lives of employees in sensitive posts, it’s that the information can be used as a weapon when the employee’s family and friends—not to mention the media—don’t know.
A Forrester paper on the OPM hack, co-authored by Parrish, noted the government’s “pattern of downplaying the attacks on its agencies and departments” and warned:
If China truly acquires security clearance personnel data, this creates an enormous counterintelligence challenge for the United States. … Imagine how much more effectively an adversary can solicit U.S. intelligence officers for recruitment when the hostile power knows their vulnerabilities—such as financial or marital problems, medical issues, and psychological traits.
In testimony Tuesday before a Senate subcommittee, OPM Director Katherine Archuleta answered a question about the agency’s failure to stop hostile breaches by saying, “I don’t believe anyone is personally responsible.”
Archuleta then assured senators, “I’m [as] angry as you are.”
Sens. James Lankford, R-Okla., and Jerry Moran, R-Kan., were among lawmakers pushing the OPM director for assurances that she understood and was on top of the crisis. Publicly, the agency has estimated the number of affected employees as at least 4.2 million.
“It is the consequence of poor management and basic cybersecurity practices,” @SenatorLankford says.
Lankford, chairman of another subcommittee responsible for federal personnel, complained that Archuleta’s staff had missed a Monday deadline to answer questions he posed in a June 10 letter.
Lankford is not one of those demanding that Archuleta resign or be fired by President Obama. However, in an email to The Daily Signal following the hearing, the Oklahoma Republican suggested his patience is wearing thin.
“It’s the largest breach of federal employee data in recent years, and with each passing day, it appears the extent of it grows wider,” Lankford said, adding:
The data breach is not a product of old equipment, it is the consequence of poor management and basic cybersecurity practices. In a nation as advanced and as powerful as the United States, it is unacceptable that our government has been compromised. In the days ahead, our subcommittee will continue to closely investigate the breach and oversee OPM’s response.
Rep. Jason Chaffetz, R-Utah, chairman of the House Oversight and Government Reform Committee, last week scolded the OPM director at length, summing up: “You failed utterly and totally.” Afterward, Chaffetz told reporters Archuleta and her chief information officer, Donna Seymour, should resign.
Parrish, however, said cybersecurity rapidly has become a complex systemic issue like education or poverty.
“That quote should have been ‘We’ve failed’ because Congress has been a part of this failure as well,” Parrish said, as have OPM and the rest of the executive branch.
This sort of hack shows this is a systemic problem. Now, systems are made up of individuals making decisions. But the complexities are such that it doesn’t come down to any one person’s single decision.
“Calls for the government to ‘fix this’ is the wrong course of action, as is government trying to vilify companies who have been breached,” Heritage’s Bucci said. “This will take a real private sector-public sector cooperative effort.”
The government, however, has its work cut out for it if it wants to expand digital delivery of services, Parrish said.
“It doesn’t matter objectively how secure your public-facing digital channel is,” the Forrester analyst said. “It only matters how secure people think it is. If people don’t think it’s secure, they’re going to be less likely to use it.”
That doesn’t mean the answer is stop going digital. … The thing to do is pause, regain people’s trust and then move forward strategically from there. This is not business as usual.