Blame For OPM Hack Belongs To Obama

Blame For The Massive OPM Hack Belongs To Obama

49 Comments

07/10/2015  

Cybersecurity: "When I am president," said Barack Obama back in 2008, "the days of dysfunction and cronyism in Washington will be over." Tell that to the 22 million government workers whose personal data are now in the hands of Chinese hackers.

It's hard to top the Office of Personnel Management when it comes to government incompetence. The agency — which houses data on millions of current and former government workers, including security clearance files — had been repeatedly warned that its network was vulnerable and that it was not in compliance with federal information security requirements. And it did next to nothing.

In May 2009, OPM's inspector general issued a "flash audit alert" noting its "security policies and procedures continue to remain severely outdated" and this was "compromising the confidentiality, integrity and/or availability of information."

By 2012, the IG was still complaining that OPM "does not have the ability to detect unauthorized devices connected to the OPM network."

Last year, it said OPM lacked "a comprehensive inventory of servers, databases and network devices," didn't do routine scans of its network for trouble and had substandard authentication requirements.

In the weeks since OPM revealed the latest attacks, it has managed to look even more incompetent. First, it downplayed the attack, then repeatedly revised the numbers upward, and even now laughably calls the attack an "incident" that involved "data exfiltration."

The National Journal reports that OPM still hasn't put out a request for bids to handle the massive job of providing identity theft protection to the multitudes.

Now it faces lawsuits from the American Federation of Government Employees and the National Treasury Employees Union, which say OPM is guilty of "reckless failure to safeguard personal information."

Obama's crony appointment to OPM — Katherine Archuleta, whose prior job was national political director for Obama's re-election campaign — has resigned in disgrace.

And yet Obama has remained almost entirely silent on the issue, despite the national security implications.

All this under a politician who said at almost every campaign stop he'd bring forth "better government, smarter government, a more competent government" if given the keys to the White House.

You have to pity all those government workers who signed up with Obama believing government could do great things, only to learn that it's being run by incompetent, unaccountable hacks who left the door to their highly confidential personal information wide open.

_______________________________________________________________________________

Just Like OPM, Healthcare.gov Is Blowing Off Cyber Security Warnings

4 Comments

BY JOHN MERLINE

07/10/2015 

Could a data breach on the scale suffered by the Office of Personnel Management happen to Healthcare.gov?

In the case of OPM, they had been repeatedly warned that their networks were vulnerable to cyberattacks, yet did little to improve security. As a result, private data on more than 21 million people, some of whom were applying for federal security clearances, are in the hands of hackers believed to be from China.

At least all of these people were current or former employees of the federal government.

Healthcare.gov, on the other hand, now collects information on millions of private citizens who apply for ObamaCare coverage at this federal exchange, and operates a data hub that connects a multitude of other government databases.

It, too, appears to suffer from the same indifference to cybersecurity as OPM.

In its rush to get Healthcare.gov launched, the administration ran roughshod over security standards. And while some work has been done since, a Government Accountability Office report last fall warned that "weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls."

Among the problems cited by the GAO: The federal exchange hasn't "always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches, and properly configured an administrative network."

Eight months later, the Obama administration still hasn't conducted the risk assessments it recommended, according to Gregory Wilshusen, an information security expert at GAO

In a letter to Health and Human Services Secretary Sylvia Burwell, Rep. Diane Black, R-Tenn., says that "Americans should not be put at risk because of the administration's inability to construct a secure website and respond to repeated warnings from both the GAO and Congress."

She's certainly right about that.

Follow John Merline on Twitter: @IBD_JMerline.