Just over a week ago, the Office of Personnel Management (OPM) revealed what is possibly the largest federal personnel data breach of all time. Specific details about the attack have yet to be released. Government representatives are now looking for a way to reassure concerned parties that the government is able to protect the personal information of its employees. They also have an arguably more difficult task before them: explaining that, when it comes to cybersecurity, there is no silver bullet.
The Department of Homeland Security (DHS) is in charge of cybersecurity for all non-defense-related federal agencies. Through its Computer Emergency Readiness Team, it monitors the information coming in, going out, and moving among federal agencies’ networks—tracking origin, destination, and any possible malicious code that might accompany this information through the use of its Einstein systems.
Since its introduction in 2004, the Einstein system has been updated and DHS is considering expanding the Einstein 3 system before 2018—though Einstein itself is not perfect for stopping all cyber threats. Meanwhile, DHS’s Continuous Diagnostics and Mitigation (CDM) program allows the use of commercial tools to help agencies ensure modernization of technology. Reportedly, it was during a private company’s sales pitch for a new cybersecurity system that the OPM cyber hack was originally noticed.
With cyber attacks on the rise, the government has a newfound interest in cybersecurity. Earlier this year, the Government Accountability Office (GAO) updated its biennial list of what it deems high-risk areas for the federal government, expanding the cyber section to include “protecting the privacy of personally identifiable information.”
Many questions need to be answered about this recent hack, starting with this one: what now? Until reports on the investigation are publically released, answers to who, what, when, why, and how will be mere speculation. The government has a responsibility to secure the information in its possession, but just like cybersecurity, there is no perfect solution. Cyber attacks will evolve, as should cyber policy and cybersecurity procurement by the federal government.
Whether it be an increased reliance on private vendors for cybersecurity, legislation that allows an increase in cyber information sharing, or allowing more actions to be taken against cyber aggressors—just to name a few—there is no silver bullet. What this current hack has shown (again) is that the government may not be the best at cybersecurity.
For more information on federal cyber attacks, see:
The Heritage Foundation report on federal cyber breaches in 2014