The recent breach at OPM is unprecedented, and at first it seems unbelievable, until one really starts to get their head around the root of the problem. There are some highly skilled security professionals working for the Federal government, I know several of them, and security spending has increased dramatically. So why is our data not safe with Uncle Sam?
No amount of spending, technology, policy or Congressional inquiry is going to solve the problem until we address the weakest link. The solution rides on the three-legged stool of people, process, and technology, and people continue to be the problem.
While these statistics released by the White House are old news, they are worth repeating here:
- Half of all government security breaches can be blamed on employees or contractors
- 21% of Federal workers violated policy
- 12% of Federal employees mishandled information printed from computers
- 8% of Federal employees ran or installed malicious software
- 6% of Federal employees were enticed into sharing private information
Can we clearly see the problem? In the private sector, there would be disciplinary action up to and including termination. This is nearly impossible in the world of Federal employment, where even the most egregious policy violations often end in early retirement on the taxpayer's dime. Technology and policies will always fail unless people implement them, and if people cannot be held accountable, management is powerless to enforce cybersecurity.
This is such a serious problem that new and radical thinking is needed. Department and agency managers need an appropriate stick to use when Federal workers cause security breaches; there need to be consequences, and at present there are no meaningful consequences that will change behavior. In much the same way as the US military has the Uniform Code of Military Justice, Congress should enact legislation establishing a civilian parallel for the Federal workforce, such as a "Federal Agency Code of Justice."
Under such a scheme, violators could be tried and, if found guilty of causing such breaches, face penalties such as reduction in grade, forfeiture of pay, and even dismissal. These would create real consequences for disregarding the security of the nation and the privacy and security of its citizens.
When will our elected leaders take this matter seriously? People are the real problem with Federal Cybersecurity.